Security Awareness Checklist for State Government

August 29, 2018 by Susan Morrow

Security and government have always gone hand in hand. But as state government has digitized its services and embraced new technologies, cybersecurity incident prevention has become a growing issue.

State governments in the U.S. have to manage public services. To provide a modern, 21st-century government, they now have to digitally transform their IT infrastructure: offering digital platforms for citizen services, making increasing use of cloud and mobile computing, and relying on data aggregation and analytics. This opens up the attack surface for cybercriminals, who are always looking for ways to steal government and citizen data.

In 2016, the U.S. government spent $28 billion on cybersecurity. This figure is likely to grow as attacks across all sectors, including government, also increase. One issue that government faces (and that other sectors perhaps face less frequently) is targeted attacks by other nation-state actors.

The Cybersecurity Scorecard, which looks at how well each industry is performing in tackling cybersecurity threats, places government as the third-worst performer. State governments increasingly require our personal citizen data to give us the service convenience we expect. They act as the guardians of citizen data while trying to ensure that their ever-constrained budgets provide value for money. This can lead, and has led, to government data breaches.

One way to keep on top of security incidents is to understand what you are up against and how to best mitigate the risks. Below is a checklist to help you work out where to focus your efforts in managing the cybersecurity issues in state government.

Governing Your Security Awareness

There are certain baseline requirements you can put in place to create a successful security awareness program in government. Here’s a checklist showing some of the most important:

1. Know Your Wider Government Community

State government can use the general government guidance on cybersecurity matters to kick-start a security awareness program. Initiatives such as the National Cybersecurity and Communications Integration Center (NCCIC) have been created to encourage and facilitate the sharing of cybersecurity intelligence across the public and private sectors. The NCCIC uses the US-CERT National Cyber Awareness System (NCAS) to issue alerts, bulletins and tips, as well as to offer other resources. Sign up for these and keep up to date with cybersecurity threats as they break.

In particular, the NCAS Analysis Reports will give you a breakdown of any emerging threats so you can prepare for them. The latest details on threats will become part of your training program and inform what types of training packages you should implement.

2. Understand and Map Your Own Community

State government will often have a very complex set of data touchpoints. Your organization will need to manage both internally-generated, highly-sensitive data and externally-sourced citizen data. Keeping track of where data comes in, is processed and goes out gives you a better idea of your own organization’s personal threat landscape.

Work with individual departments to understand their business needs and what happens to data within that department. This will all map back into your tailored security awareness training program as it is developed.

3. Map and Classify Your Data

State governments handle arguably more data than most sectors. These data come in from multiple sources, both internal and external (that is, citizens).

As data is aggregated and accumulated, it is easy to lose track of where it resides. This is a particular bugbear of shadow IT: your employees may well be using devices unknown to, and therefore uncontrolled by, your IT department. Carrying out a data-mapping exercise on a regular basis is a fundamental part of being security-aware.

During the mapping of these data, you will be able to classify them in accordance with government data classification standards. These standards are based on levels, which allow you to differentiate between highly sensitive and restricted data and data that is less sensitive. This will, in turn, allow you to adjust your security controls in accordance with the classification level.

4. Recognize Where Regulations and Compliance Fit

There are a number of privacy and data protection regulations that governments need to be aware of and work towards compliance with. Which regulations apply depends on the area of service your state government department works in. For example, if you are processing consumer payments, you will have to comply with financial regulations such as the Gramm-Leach-Bliley Act. General data protection regulations also differ by state, so you will need to know your own state's approach to data protection and ensure you comply with the remit of that regulation.

5. Know Your Audience

State government has to work with a very wide demographic, including minors and vulnerable adults. As such, state government has a responsibility to ensure these groups are protected from cyberthreats that may target them. Part of being security-aware and creating an effective and comprehensive security awareness training program is understanding who will be affected by the cyberthreat.

State government security awareness training may well need to extend to your citizens. Ensure you add in security awareness for all. Check out the website of the Tennessee State Government (see Sources), which offers some excellent advice on security awareness for children and other vulnerable persons.

6. Be Safe, Not Sorry

Security awareness is knowing how a threat will emerge and what types of methods will be used to circumvent your security. For example: social engineering attacks against the public sector are increasing, and these sorts of threats can be the most difficult to detect and prevent.

Social engineering often begins with phishing emails. Hackers have become pretty adept at creating very convincing emails that people open and believe.

The UK's National Cyber Security Centre, which publishes research into the prevention of phishing, has found that a multi-layer approach to phishing defense is the best way to deal with the issue. The layers include:

  • The use of anti-phishing measures such as DMARC
  • Ensuring that your users can recognize a phishing email by using phishing simulation exercises
  • Applying anti-malware tools
  • Having procedures in place to deal with security incidents

By knowing what threats are likely to appear and how to counter them, you can help your department stay safe and prevent breaches from happening in the first place.

7. Be Cybersecurity Sign-Aware

Extending out from the phishing awareness campaigns, you will also need a general awareness of the types of scams and fraudulent activity that focus on state government. Because state government has touchpoints in many aspects of consumer activity as well as internal operations, cybercriminals have lots of potential avenues to explore. Scams such as Business Email Compromise (BEC) and insider threats are two such concerns by which your department, or the whole state government, might be targeted.

Fortunately, US-CERT releases regular warnings and updates on issues such as BEC as they affect state government.

8. All for One and One for All

Security awareness training is an all-encompassing activity. You have to get all of your employees across the organization to opt into the exercises.

Analysts with Gartner suggest employing a “Security Champion Program” to promote the long-term behavior changes needed to tackle the shifting threat landscape. The program advocates for collaboration and sets out rules of engagement. It also heavily promotes the ideals of rewarding good behavior, thereby creating a positive feedback loop.


State government has a lot on its plate. It has to digitally transform citizen services and manage big data in doing so. The cybercriminal has always had the government on the radar and the move into digital government services opens the door ever wider.

A program of security awareness training can help to give you the edge over the hacker and in doing so, not only protect your own internal organization but the wider audience of citizens, including those who are most vulnerable in society.

Sources

Top Digital Transformation Trends in Government, Futurum

Cyber Spending Database, Taxpayers for Common Sense

2017 U.S. State and Federal Government Cybersecurity Report, SecurityScorecard

National Cyber Awareness System, US-CERT

Security Awareness, Tennessee Department of Finance & Administration

Why phishing attacks are increasingly targeting the public sector (and what you can do about it), GCN

IC3 Warns of Business Email Compromise, US-CERT

National Cyber Security Centre (UK)

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.