It’s no secret public sector organizations face an array of challenges in securing networks. From budget constraints to enforcing a security structure, organizations struggle to keep up with evolving threats. According to the recent SolarWinds® Public Sector Security Report, only four in ten public sector respondents are confident in their team’s ability to take on today’s threats.
The survey polled various IT decision-makers from public sector agencies and educational institutions to determine the challenges IT professionals are facing in terms of operations and security. “The findings validated the beliefs of many in the public sector,” said Brandon Shopp, vice president of product strategy for security, compliance, and tools at SolarWinds. “Untrained users continue to be an issue across the board, an ongoing trend for some time that has still not been resolved,” he said. “There are also clear differences in the responses of higher ed, education, federal, and state government.”
Shopp said the report emphasized the public sector doesn’t have the budget to be fully equipped. According to the survey, 27% of respondents feel budget is the biggest challenge to the organization followed by complex internal environments (16%) and a lack of manpower (10%).
To overcome budget constraints, “organizations need to focus on the basics,” said Shopp. The basics like patching and endpoint protection still need work, but solutions can help. “These solutions can be expensive and sophisticated,” he explained. However, with the right partner, these products can be much more affordable and allow teams to focus on “the key critical areas and give a solid cyber foundation.”
“You shouldn’t have to trade off being secure for a budget,” Shopp added. “You need to make sure to take a step back to implementation, and decided what the biggest threats are, how can you solve these, and what are the results if you don’t.”
And for the public sector, the biggest threats are insiders. 52% of respondents listed insider threats as the largest security challenge followed by hacking and foreign governments. For organizations to reduce insider threats, training and education must be a top priority. Shopp explained tools designed to test your teams’ posture are important, such as phishing tests to uncover weak spots in your organization.
“The greatest challenge is always protecting data from malware and attacks from both internal and external users,” said one respondent, a director in state government.
One way organizations can help ensure a secure structure is to have an IT team to focus on risks. However, only half of organizations have separate IT departments. “Security is everyone’s job but holding the team accountable is lacking. Until there are real individual accountability regimens in place, the network will remain at risk,” said a federal civilian respondent.
It’s important for teams to have a common goal but also important to have the tools and manpower to keep the organization secure. “Sharing information on bandwidth, access, and threats ensures that the entire organization has a common goal and operates like one team,” said Shopp.
As public sector organizations implement a cyber policy, many are exploring a zero-trust architecture. Nearly one-third of respondents report having a formal strategy in place and actively implementing a zero-trust approach. A larger portion of state and local participants are not using zero trust due to cost concerns.
“Our organization operates in denial with a preference for reactionary behavior instead of operating proactively. Government agencies tend to view IT spending as throwing money into a black hole until something occurs,” explained a state government participant.
With a zero-trust approach, there’s a barrier between your typical ushers and a secure environment, explained Shopp. “IT teams, in general, are typically understaffed with human actions,” he said. With zero trust, you don’t trust anyone, and they need a specific entry in.
Completing the IT puzzle for the public sector is a mix of training, policy, and partnership. “You need to make sure you have training and testing, make sure it is having the effect that you expect it to have,” Shopp said. “Make sure you have some strategy, maybe zero-trust, to accordion off valuable information.”
“Public sector organizations continue to struggle with the same challenges. Budget constraints, insider threats, and an overworked IT team lead to a less than ideal security posture. Organizations must focus on reducing risk profiles and adding value to the organization with best practices and a valued IT partner that can alleviate pain points for your IT team,” he concluded.
Interested in learning more? Read the report.