By Paul Christman

Every year in April, all working Americans share highly sensitive personal information including social security numbers and financial data with federal and state governments as they file taxes, trusting these government entities to keep their information safe. This year, with limited budgets, CIOs are challenged to protect against security threats looking to find the weakest link in security.

While citizens may assume their information is safe by the time they receive their tax return, tax data breaches can occur later in the year. In 2012, a breach compromised approximately 3.6 million Social Security numbers in the state of South Carolina due to a phishing attack that took place in the fall.

In order to ensure citizens’ personal information stays safe from threats, it is necessary to take a holistic approach to security, protecting information from external and internal threats. A complete approach to end-to-end security should include the following elements:

1. Go beyond user names and passwords with two-factor authentication – Relying on user names and passwords alone puts government at risk for security breaches. Often, cyber criminals use phishing attacks to gain access to government systems and the data they store. Two-factor authentication requires a physical component of security, which would not be available to a cyber criminal. This can include a keyfob, card or even a smartphone. Using a mobile device as the second factor, authorized users will receive a number or pattern to confirm they are who they claim to be. With the upsurge of mobile adoption, state and local organizations need to consider offering two-factor authentication through smart devices.
    
2. Manage and monitor privileged accounts – Breaches of privileged accounts can pose a significant challenge to security, allowing individuals broad access to information. Privileged Account Management (PAM) tools combat this by only providing individuals with the information they need, when they need it. PAM best practices include applying a least privileged level of access, allowing users access to sensitive information only during a restricted period of time and limiting their range of actions while using sensitive data. It is also important to maintain a record of users’ actions while logged in, providing an audit trail if the account is hacked or data is misused.
    
3. Maintain strong perimeter control and protection – Next generation firewalls and deep packet inspections can dig deep into government networks to identify malware and phishing attacks. Continuous monitoring of these networks is the first line of defense to identify and combat threats before they can access the sensitive information stored on state and local networks.
    
4. Consult outside experts for security assessments – A realistic risk assessment can serve as a wake up call for organizations that have security gaps. State and local government departments are often surprised to discover where vulnerabilities may lie. Occasionally organizations may even find there is currently a breach in progress on their systems that they were unaware was occurring. A risk assessment can allow IT departments to move towards a more proactive security posture.

While there is no single approach to security for every department, it is vital that IT administrators dealing with citizen’s social security, financial and health data make the most of the tools available to them, taking a multi-level approach to keeping information safe.

Paul Christman is responsible for Dell Software’s public sector division, covering the U.S. federal government, state and local governments, and higher education in all 50 states. In this role, he oversees business and channel development, product and marketing functions and systems consulting.