How to Improve Third-Party Access in the Public Sector

The public sector is constantly facing challenges that make it difficult to achieve a strong cybersecurity posture. On top of protecting confidential and sensitive information such as social security numbers, payment card information, driver’s license numbers, and passport numbers, cybersecurity protocols also have to help these organizations meet CJIS compliance requirements and, in some cases, industry regulations such as PCI and NERC. This proves to be a challenge when government entities and other organizations within the public sector are consistently underfunded, understaffed, and under-resourced.

Public Sector Cybersecurity Challenges

  • Budget constraints: Some government entities are large enough to have expansive budgets that can afford robust security systems. However, small cities and counties that are already operating with limited budgets have to make tradeoffs when it comes to investing in cybersecurity. Security becomes just one of several competing priorities within a limited IT budget.
  • Understaffed: Like most organizations, the public sector has fallen victim to the hiring gap. The IT talent pool is less attracted to the legacy systems and resource constraints in a government IT position than a modern private sector role. The lack of personnel makes securing user access—particularly third-party remote access—even more challenging for governments.
  • Limited resources: Between the lack of budget, employees, and updated technology, government organizations don’t have the resources needed to secure and control their systems, servers, and networks. This forces IT and security teams to fall into one of two extremes:
      • Try to manage internal and external user access securely, even though it’s extremely time- and labor-intensive.
      • Succumb to poor cybersecurity practices such as shared credentials and open VPN/network access.

The Ponemon Institute’s research on industry cybersecurity and third-party risk found that these limitations have real-world consequences. Nearly half (49%) of organizations in the public sector have experienced a data breach caused by a third party in the last 12 months. The contributing factors—lack of visibility, control, and prioritization—will only add to the challenges if public sector IT teams don’t make changes to their third-party access security.

Public Sector Needs Increased Visibility

Access visibility means an organization can see and access information about user access, such as levels of access, permissions, and user identities. When it comes to third-party access, visibility is even more difficult to keep up with since vendors fall outside of internal identity management systems.

The public sector is struggling to get enough access visibility to secure critical systems. Over half (55%) don’t have a comprehensive inventory of all third parties with network access, and only 27% have visibility into the level of access internal and external users are granted.

A majority (79%) ensure their third parties’ contact information is up to date. But 67% don’t know the type of network access their third parties have, and 53% of public sector organizations don’t know which third parties have access to their most sensitive data.

It raises the question: What’s more important? Accurate contact information or documenting and tracking third-party access? An updated email address isn’t going to limit the movement of an attacker who’s compromised the credentials of a third-party vendor.

Controlling Access to Public Sector Systems

Governments and the rest of the public sector are operating on legacy technology that isn’t equipped with the security controls needed to protect mission-critical systems from third-party threats.

Organizations don’t have control over third-party security or credentials. Most are at the whim of their third-party vendors’ security measures. 83% of public sector organizations are using vendor-supplied security parameters or default passwords, which is troubling considering 54% cited credential theft as the most common cyber incident experienced across organizations. And only 43% evaluate a third party’s security measures before doing business with them—another reason why relying on their security controls is risky and prone to an incident.

In general, the public sector isn’t confident in its effectiveness at controlling third-party network access. 65% aren’t confident their third parties would tell them about a breach, and over half don’t rate their organizations as highly effective in detecting or responding to third-party incidents.

They’re also not implementing access controls that could restrict third-party user access and reduce the risk of a bad actor compromising networks and systems:

  • 64% aren’t implementing least-privilege access for vendors
  • 63% don’t remove credentials when appropriate
  • 63% aren’t verifying a third party’s need for network access
  • 58% aren’t restricting network access
  • 48% aren’t monitoring the third-party users who have access to sensitive information

Third-Party Security Needs to Be Prioritized

Only 39% of the public sector’s IT and security teams prioritize third-party remote access security. Most feel managing third-party permissions and remote access can be overwhelming and a drain on internal resources.

When public sector organizations don’t have the budget or headcount to manage third-party risk, it becomes a backburner issue. However, over half of public sector organizations feel third-party access is becoming their weakest attack surface.

It’s clear there’s an issue that needs to be addressed. Basic security protocols like access controls and credential management aren’t in place to secure the confidential information that the general public entrusts to these organizations. And with the number of third-party attacks increasing, networks and systems become more vulnerable and uncontrolled if IT and security teams don’t prioritize third-party threats.

How the Public Sector Can Improve Third-Party Access Security

According to Gartner, 76% of municipal or district government and 74% of state or province governments plan to increase their investment in cybersecurity and information security this year. Most public sector participants in the Ponemon survey indicated that system complexity, effectiveness, and performance are key factors in improving cybersecurity. With heavier investments in security technology, these factors can and should be improved—if investments are made in the right areas.

Here’s what organizations in the public sector should consider when investing in cybersecurity:

  • Gain more visibility into third-party user access. Too many organizations don’t know who their third parties are, their access level, and why they are in their systems. Visibility allows you to identify all third-party users, put restrictions or limitations on their access rights, document their level of access, and track the reasons for their access. All of this is critical for managing third-party risk.
  • Implement access controls. Access controls are the only methods that can stop a bad actor from moving through your systems. Invest in tools that build out a Zero Trust framework, multi-factor authentication, credential management, access notifications, and time-based access schedules. And don’t underestimate the importance of the principle of least privilege. Your third parties should only be designated access to what they need and nothing more.
  • Adapt to perimeter-less defense strategies. Cloud adoption and automated workflows are becoming the new norm, which means critical assets and data are moving off-premises. This also means there’s going to be an inevitable increase in third-party software providers needing access to your systems. Third-party security is critical to keeping your off-premises assets secure. It’s no longer just about keeping bad actors out of the network “walls”. It’s about proactively evaluating all identities and access points, finding all areas of vulnerability, and patching all security gaps.
  • Find ways to react and respond efficiently and in a timely manner. Much of how society operates is reliant on the public sector—health systems, towns, cities, and education systems are all part of this industry. Minimizing impact and downtime is critical to protecting not just an organization’s systems, but the daily lives of the general public.

Policies are important, which is why so many orders and policies on cybersecurity were created in the last couple of years. But it’s the actual software, technology, and automation that will reduce risk and thwart threats. When this technology is integrated into day-to-day operations, public sector IT teams can more efficiently and effectively secure the critical systems that society depends on.