The government is subject to strict security standards that should keep data safe. Health departments must abide by HIPAA best practices, and criminal justice departments are subject to even stricter CJIS compliance and data encryption rules requiring weekly audits and precisely defined controls, down to the required length for passwords.
And yet, government cyber security breaches keep happening. A study by the Identity Theft Resource Center found 63 government and military breaches in 2015 — though the number is likely higher once undetected breaches are included. Although government cyber security incidents accounted for only 8.1% of breaches, they compromised 34,222,763 records — 19% of the total.
The Office of Personnel Management breach was particularly damaging. Hackers infiltrated the department’s encrypted cloud, stealing extensive background investigations of federal employees on behalf of foreign governments. This data could compromise US intelligence employees and their families for decades to come. With all the effort put into legislating government cyber security, why do breaches keep happening?
Government cyber security is complicated and under-valued.
One of the biggest problems is the sheer complexity of government information infrastructure. A county government has to transmit, process and receive a huge range of information, working with citizens, other government organizations, civic groups, corporate partners and others. County governments can have hundreds of staff divided between many departments, and these workers manage services including:
- Law enforcement
- Court service
- Senior living
County governments also need to securely transmit data to other government institutions, including the treasurer and sheriff’s offices. And that’s not even a complete list.
These relationships are also governed by different government cyber security laws. Besides federal rules like HIPAA and CJIS, there are city, state and national laws governing privacy and encrypted cloud security, and often interstate and international regulations as well.
None of this infrastructure is adequately supported.
Government cyber security initiatives are typically underfunded and often vaguely defined, and organizations rarely have the expertise to run a secure, encrypted cloud. Legislative bodies rarely take the situation seriously until a breach, leaving administrators to fend for themselves. However, one of the biggest problems stems from the nature of the cloud itself.
Government cyber security needs better encrypted cloud storage. Cloud data can’t be walled off or locked up in a secure room the way that a filing cabinet can. When your employees send confidential emails or access information on a cloud file storage service, that information has to travel across the open Internet. Without adequate file encryption, malicious third parties can intercept, steal or even sabotage the data.
Data-centric encryption greatly reduces the risks of a security breach by protecting data at the file level. Unlike point-to-point encryption, which protects files as they move from one server to the next, data-centric encryption is attached to each individual file and protects it along its entire journey. Even if a hacker intercepts a file, they won’t be able to decipher it. However, encryption only works if you can get everyone to use it consistently; often, that’s easier said than done.
Usability is key to the security of your encrypted cloud.
Security tools are meant to support your workflow, not vice versa. Yet often, government cyber security programs choose solutions like secure client portals that are slow and complicated to use, and don’t work with the cloud productivity apps and other programs governmental organizations depend on.
It’s almost impossible to get citizens or other government organizations to use the same portal, forcing users to send unencrypted email. It’s a patchwork system where files are only protected part of the time.
Virtru Encryption as a Service is designed around the idea that convenience is a security feature, not a luxury. Virtru cloud encryption installs in minutes as a browser plugin, providing file, email and attachment encryption. Using Virtru is just as easy, with one-click encryption, and top-notch resources and customer support. And, because Virtru allows users to send encrypted files to recipients who haven’t installed it, you can protect data you send to citizens, business partners and other government agencies.
The encrypted cloud needs to be backed up by access control.
Encryption depends on keys — random strings of bits used to scramble and unscramble data (here’s more information about the encryption basics, if you’re curious). Whoever can obtain the key can read the data, so good encryption key management is crucial in any encrypted cloud. Most modern encrypted cloud solutions manage keys automatically, preventing users from sharing, exposing or losing them.
Government cyber security deals with a lot of sensitive data like HIPAA PHI or information subject to CJIS compliance standards, requiring organizations to restrict access as much as possible. For example, healthcare workers shouldn’t be able to access CJIS records and police should only be given access to PHI in very specific situations.
Virtru provides granular access control, allowing organizations to ensure each user can only access the data they need. For high security applications, Virtru also offers Hardware-backed Encrypted Key Management (HEKM). Organizations are able to use all Virtru features while storing their own encryption keys in Hardware Security Modules, retaining total control over their encrypted cloud.
Government cyber security needs to anticipate user error.
No program can completely prevent people from taking unnecessary risks or breaking compliance. However, good preparation and the right tools can stop a stray click or forgotten rule from compromising encrypted cloud data.
Virtru Data Loss Prevention (DLP), available in both Outlook and Gmail, watches over emails, with customizable rules to control how users share and protect data. Virtru DLP scans emails for sensitive information like social security numbers, email addresses, domains and other data that could compromise confidentiality. When users try to send a non-compliant email, DLP can take a range of actions, including:
- Warning the user
- Automatically encrypting
- Forwarding the message to a supervisor
- Stripping attachments
- Adding a disclaimer
Virtru DLP comes with a range of rules designed for specific needs like CJIS and HIPAA compliance, and takes only a few minutes to configure. Its warnings train users in compliance while securing email, lowering the risk of data breaches both inside and outside of the encrypted cloud.
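To make the rule-and-action model above concrete, here is a small rule-based email DLP engine. It is an added example written for this post, not Virtru’s code or rule set: the detector patterns, the trusted-domain list, the rule names and the sample emails are all constructed for the demo. Each rule is a predicate over an outbound email plus the actions to take when it fires, and the SSN detector applies the Social Security Administration’s issuance rules so that obvious placeholders do not trigger it.

```python
"""Rule-based outbound email DLP (added example; not Virtru's code or rules).

Each Rule pairs a predicate over an Email with the actions to apply when it
fires. Rules, trusted domains and the sample emails below are constructed.
"""
import re
from dataclasses import dataclass, field

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TRUSTED_DOMAINS = {"county.example.gov", "sheriff.example.gov"}  # constructed


@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # file names only


@dataclass
class Rule:
    name: str
    matches: object   # callable(Email) -> bool
    actions: tuple    # applied in this order when the rule fires


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    # SSA issuance rules cut false positives: area is never 000, 666 or
    # 900-999; group is never 00; serial is never 0000.
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def find_ssns(text: str) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def has_external_recipient(e: Email) -> bool:
    return any(domain(r) not in TRUSTED_DOMAINS for r in e.recipients)


RULES = [
    Rule("ssn_in_message", lambda e: bool(find_ssns(e.subject + "\n" + e.body)),
         ("encrypt", "warn")),
    Rule("external_recipient", has_external_recipient,
         ("encrypt", "add_disclaimer")),
    Rule("address_list_in_body", lambda e: len(set(EMAIL_RE.findall(e.body))) >= 3,
         ("forward_to_supervisor",)),
    Rule("spreadsheet_leaving_org",
         lambda e: has_external_recipient(e)
         and any(a.lower().endswith((".csv", ".xlsx")) for a in e.attachments),
         ("strip_attachments", "warn")),
]


def evaluate(email: Email) -> dict:
    """Return the rules that fired and a de-duplicated action list, in rule order."""
    fired = [r for r in RULES if r.matches(email)]
    actions = []
    for r in fired:
        for a in r.actions:
            if a not in actions:
                actions.append(a)
    return {"rules": [r.name for r in fired], "actions": actions}


SAMPLES = {  # constructed sample emails
    "internal_routine": Email("clerk@county.example.gov", ["judge@county.example.gov"],
                              "Docket", "Hearing moved to 3pm."),
    "ssn_to_resident": Email("hhs@county.example.gov", ["resident@example.net"],
                             "Your application", "We received your form. SSN on file: 123-45-6789."),
    "fake_ssn_internal": Email("hhs@county.example.gov", ["billing@county.example.gov"],
                               "Test record", "Placeholder SSN 000-12-3456 is not a real number."),
    "roster_to_vendor": Email("sheriff@sheriff.example.gov", ["sales@vendor.example.com"],
                              "Contact list", "Reach a@one.example, b@two.example and c@three.example.",
                              ["roster.xlsx"]),
}


def run_samples() -> dict:
    return {name: evaluate(e) for name, e in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: rules={result['rules']} actions={result['actions']}")
```

The interesting case is the combination: an email with a valid SSN going to an address outside the trusted domains fires two rules and is both encrypted and flagged with a warning and a disclaimer, while the placeholder SSN in an internal test record fires nothing. Real products also inspect attachment contents and handle formatting variants (spaces instead of hyphens, SSNs split across lines); the point here is the mapping from detectors to an ordered, de-duplicated set of actions.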
Virtru Pro also empowers organizations to quickly remediate breaches. If a file or email is sent to the wrong address, users can use the revoke function to remove future access to it — even after the recipient has read it. They can then use read receipts to see who has accessed it. If no one has accessed the breached message yet, read receipts prevent the triggering of HIPAA breach notification, saving the organization from big fines, bad press and increased regulatory scrutiny.
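The three ideas above, data-centric encryption that stays attached to the file, key access controlling data access, and revocation plus read receipts after delivery, all follow from one architecture: the ciphertext travels on its own, and a key service decides at read time who gets the key. The following is an added example of that architecture, not Virtru’s code or protocol. The `KeyService` class, the envelope layout and the sample identities are assumptions made for the demo, and the cipher (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) is stdlib-only so the example runs anywhere; a production system would use AES-GCM from a vetted library and an authenticated key service.

```python
"""Data-centric (file-level) encryption with key-service-mediated access.

Added example, not Virtru's code. Each file gets its own random data key.
The envelope can cross any untrusted network; a key service releases the
key only to authorised identities, logs every release (read receipts) and
can revoke an identity after delivery. Cipher is HMAC-SHA256 counter-mode
plus an HMAC tag (stdlib only); production code would use AES-GCM.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks


class AccessDenied(Exception):
    pass


@dataclass
class Envelope:
    file_id: str      # tells a reader which key to request
    nonce: bytes
    ciphertext: bytes
    tag: bytes        # authenticates file_id, nonce and ciphertext


def _derive(data_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from the single per-file data key.
    return hmac.new(data_key, label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode: keystream block i = HMAC(enc_key, nonce || i); XOR is symmetric.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], block))
    return bytes(out)


def _mac(data_key: bytes, file_id: str, nonce: bytes, ciphertext: bytes) -> bytes:
    # Encrypt-then-MAC over everything the reader relies on.
    return hmac.new(_derive(data_key, b"mac"), file_id.encode() + nonce + ciphertext, hashlib.sha256).digest()


class KeyService:
    """Holds data keys and per-file recipient policy; never sees ciphertext."""

    def __init__(self):
        self._keys = {}       # file_id -> data key
        self._policy = {}     # file_id -> identities allowed to read
        self.access_log = []  # (file_id, who) for every key release

    def register(self, file_id, data_key, recipients):
        self._keys[file_id] = data_key
        self._policy[file_id] = set(recipients)

    def get_key(self, file_id, who):
        if who not in self._policy.get(file_id, set()):
            raise AccessDenied(f"{who} may not read {file_id}")
        self.access_log.append((file_id, who))
        return self._keys[file_id]

    def revoke(self, file_id, who):
        # Works after delivery: the copy the recipient holds is useless without the key.
        self._policy[file_id].discard(who)

    def read_receipts(self, file_id):
        return [who for fid, who in self.access_log if fid == file_id]


def encrypt_file(ks: KeyService, plaintext: bytes, recipients) -> Envelope:
    file_id, data_key, nonce = os.urandom(8).hex(), os.urandom(32), os.urandom(16)
    ct = _keystream_xor(_derive(data_key, b"enc"), nonce, plaintext)
    ks.register(file_id, data_key, recipients)
    return Envelope(file_id, nonce, ct, _mac(data_key, file_id, nonce, ct))


def decrypt_file(ks: KeyService, env: Envelope, who: str) -> bytes:
    data_key = ks.get_key(env.file_id, who)  # AccessDenied if not (or no longer) allowed
    if not hmac.compare_digest(_mac(data_key, env.file_id, env.nonce, env.ciphertext), env.tag):
        raise ValueError("ciphertext was modified in transit")
    return _keystream_xor(_derive(data_key, b"enc"), env.nonce, env.ciphertext)


def demo() -> dict:
    """Send, read, revoke, intercept and tamper; returns the outcomes for checking."""
    ks, secret = KeyService(), b"PHI: lab results for patient 1234"  # constructed sample
    env = encrypt_file(ks, secret, ["alice@county.example.gov", "bob@county.example.gov"])
    r = {"opaque_in_transit": env.ciphertext != secret}
    r["bob_reads"] = decrypt_file(ks, env, "bob@county.example.gov") == secret
    ks.revoke(env.file_id, "bob@county.example.gov")
    for who, label in [("bob@county.example.gov", "bob_after_revoke"), ("mallory@example.net", "interceptor")]:
        try:
            decrypt_file(ks, env, who)
            r[label] = "read"
        except AccessDenied:
            r[label] = "denied"
    r["receipts"] = ks.read_receipts(env.file_id)  # only bob's one successful read
    flipped = env.ciphertext[:-1] + bytes([env.ciphertext[-1] ^ 1])
    try:
        decrypt_file(ks, Envelope(env.file_id, env.nonce, flipped, env.tag), "alice@county.example.gov")
        r["tampered"] = "accepted"
    except ValueError:
        r["tampered"] = "rejected"
    return r


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noticing. The key service never handles the file, so a breach of the storage or mail path yields only opaque envelopes, and the file path never handles keys. And because every read is a key release, the access log doubles as the read-receipt record the post describes: if a misaddressed file shows no releases before it is revoked, nobody could have decrypted it.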
Virtru is currently working with a number of county governments to implement email and file encryption. If you’re interested in reading more about this, we’ve got case studies of our work with Columbia County, New York, as well as Pitkin County, Colorado.
Virtru allowed both counties to implement email and file encryption, along with Data Loss Prevention controls to prevent accidental exposure of sensitive information. Pitkin County emphasized the ease with which HHS and residents could communicate. Their IT team received “zero negative feedback” according to customer support manager, Nate Kneifel, and the software fostered trust between the county and community.
Columbia County valued Virtru’s ability to provide both HIPAA compliance and CJIS compliance, with powerful DLP controls allowing domain-specific encryption. Virtru provided broader government cyber security protection than other products they considered, with less inconvenience. According to Columbia CTO, Richard Juliano, “Virtru is incredibly easy to implement county-wide. That, plus its other functionality, makes it seamless for us to train our users.”
Virtru is a complete government email encryption solution. Whether you’re securing a single department or an entire state or county government, Virtru offers powerful, easy-to-use protection. Contact us to learn more about how Virtru can keep your cloud safe, secure and compliant.