How critical access management protects government entities from cyber threats

Every 11 seconds, a company falls victim to a ransomware attack. Compromised protected personal data resulted in 1.8 HIPAA privacy violations per day in 2020. Cyber attacks are expected to cost $20 billion globally in 2021, according to Cybersecurity Ventures. Those numbers add up to a big problem for government entities, which are more online than ever, connected to more third parties than ever, and a major target for cyber attacks.

Headlines are highlighting what's to come

Just pick up the paper, and you’ll see that cyber threats aren’t going away anytime soon. The Russian hackers behind the SolarWinds attack — the one that saw 18,000 customers (including a variety of government organizations) download an affected version of their software — are ramping back up. According to Microsoft researchers, the group has targeted over 140 companies since May, with 14 successful breaches. Many of those companies are government agencies and government-adjacent think tanks. In addition, the Ukrainian group, FIN7, just recently set up a fake company to recruit software engineers who would unwittingly be participating in hacks and ransomware schemes. Even a 10% success rate for the Russian hackers is too high, and the Ukrainians' scheme is wholly concerning. With cyber criminals taking more deceitful measures than ever, government entities need to be on guard.

Third parties remain a major risk for government entities

One of the most vulnerable attack vectors is third-party access points. Fifty-one percent of breaches, in fact, are from a third party. You can’t trust who you don’t know, and third parties are opaque and not part of an organization’s internal HR system. A single third party may have access to many aspects of an organization, so if they are hacked, and the access point into your organization is insecure, it’s a recipe for disaster. Take the SolarWinds hack, for example. The company was a third-party vendor to multiple government agencies, including the Treasury Department, Homeland Security and the State Department. That singular third-party incident could’ve wreaked havoc on huge national government agencies if more recipients had opened the suspicious email. The total damages of that hack are still being understood over a year later, according to the New York Times. Of course, this isn’t even including all the state and local government agencies that use SolarWinds as well. Those smaller agencies are even more vulnerable due to smaller staffing, budget and educational resources. The vast third-party connections a single government organization has operate as a technology supply chain. As soon as a hacker gets in, the possibilities are limitless. As these headlines show, the hackers are getting smarter, and government entities, like any organization, are more at risk.

How critical access management can protect against cyber threats

The biggest vulnerability for an organization is the point of access. Government entities are particularly vulnerable here because they have a vast number of access points connected to a multitude of third parties and internal systems. Protecting those access points, and the assets beyond them, is the best way to stop cyber criminals in their tracks. Critical access management, or the management and security of high-risk identities, assets and privileges, can help complex government entities stay safe. Just protecting the perimeter is no longer an option, especially with lateral movement being shown as a key factor in hacks (60 percent of hacks involve lateral movement), so focusing on those three aspects of access is the key to safety.

Best practices of access governance, access control, and access monitoring

Critical access management is three-pronged, and applying the best practices of each prong (especially for a government organization’s vast third-party access points) is the most thorough way to stay protected.

Access Governance: The systems and processes put in place to ensure access policy is adhered to as closely as possible.

Access Control: The mechanisms to reduce risk, increase visibility and increase friction when it comes to granting or allowing access rights and privileges.

Access Monitoring: Proactively or reactively observing and analyzing what happened while a user was in a session.

Each prong protects an organization differently. Access governance helps an organization implement best practices such as least privilege access when defining access policies, linking HR systems and access rights, and conducting regular user access reviews, which will strengthen any access policy. Access control can prevent access creep — a major risk — as well as set limits on how users can access critical points or assets. Access monitoring mitigates insider threats by observing sessions, and can help an organization debrief and develop better policies after an attack occurs.

How best to implement these three prongs depends on the organization and its needs, but the more security and checkpoints, the better. A bank vault doesn’t just have a keypad to protect it — it has multi-factor authentication, video cameras installed above it and can only be accessed by certain people at certain times. The same should apply to internal systems, networks or databases within a government organization. And with cyber crime estimated to cost the world trillions of dollars by 2025, the price of doing nothing is just too high.

This article originally ran on GovTech.