A 2018 survey showed that most states spend less than 3% of their IT budgets on cybersecurity. However, the mass pivot to remote work presented a combination of circumstances that highlighted how essential IT and security services are to state and local government functions.
The global health crisis caused the demand for online services to skyrocket. In some states, online unemployment applications surged by up to 3000% between January and March, and organizations transitioned to online collaboration platforms. It also spurred the faster deployment of resources like robotic process automation (RPA) ChatBots that functioned as the first line of engagement for many citizen services during lockdown. And while all of these features made governments more efficient in a crisis, they also opened them to more risk.
A recent threat report revealed that cybercriminals adapted to the remote working shift by targeting the home office environment with attacks, which prompted the need for advanced cybersecurity solutions.
While governments recognized IT and cybersecurity as critical elements during the recent pivot to remote telework and the expansion of digital services, in most cases, these departments only received the resources required to get the job done in the short-term. A looming budget deficit in state and local governments will heighten competition for resources in cash-strapped jurisdictions. This threatens the new-found alignment between senior leadership and IT departments, because when resources get scarce, support elements historically take extra cuts as organizations move to preserve their core mission functions.
While the private sector typically leads in the implementation of digital transformation technologies, the current crisis presents an opportunity for government to leverage lessons learned from the private sector’s experience and more effectively implement transformational technologies. Governments should also consider changes to their organizational practices to foster a stronger partnership between IT and security. Both IT and security should weigh in to frame programmatic options and shape the art of the possible for digital transformation within government.
Such collaboration between IT and security departments is imperative for shaping secure and cost-effective solutions for delivering government services—whether agencies return to the office setting or continue to work remotely.
Enhanced Security Measures are Vital to Continue Remote Work
As government offices evaluate continued large-scale remote work versus returning to the office setting, either option will require smart investment in technologies that cultivate a secure, digital business model. When procuring new technology, agencies should focus less on point products and more on flexible, integrated solutions that will increase productivity and generate a higher ROI from increasingly scarce resources.
As agencies evaluate the operational performance and security of their current remote telework capabilities and prepare to make any necessary changes, they should consider security-driven networking solutions. These solutions integrate security and networking to simplify management and maintain network agility while protecting the expanding digital edge surface. Government offices can adopt these integrated solutions to ensure that their network infrastructure remains efficient and allows long term flexibility without sacrificing performance. Agencies that decide to continue remote work should revisit endpoint security since they typically lack visibility and operational control of the remote user environment due to personal devices and non-employee users on these less-secure home networks. Even when the employee uses a government-issued computing device, this uncontrolled local IT environment can potentially introduce threats that could compromise government networks or data.
Multi-factor authentication (MFA) and virtual private networks (VPN) provide basic identity access management. Agencies should consider adding or strengthening endpoint detection and response (EDR) tools and web application firewalls to detect advanced threats and stop breaches and ransomware damage in real-time. Inspection of content is vital to ensure that threats are not entering the network in encrypted traffic. Security staff should check with network engineers to confirm that they did not turn off SSL inspection during the pivot to remote telework because of the latencies or performance bottlenecks it can introduce. And if they did, that capacity is being added to resume the inspection and mitigation of potential threats as part of ‘the new normal’ operating posture.
Additionally, agencies can apply simple zero-trust security principles to segment network architecture and continuously validate and monitor user and device access. This allows security administrators to give the least privilege necessary for a remote user to accomplish the task at hand, establish patterns of access on shared network resources, and permit cross-segment access only when and where it is needed. Agencies with more sensitive data can add more dynamic zero-trust access solutions for more comprehensive visibility and access control.
Returning to Work: Footprint, Function and Infrastructure
As agencies contemplate a return to the office, many find themselves re-examining their future office environment: the size, number, location and function of physical offices, and their existing IT infrastructure. Some organizations are consolidating the number of physical offices and moving away from dedicated office spaces assigned to specific employees in favor of ‘hoteling’ arrangements where employees use whatever desk is available. At the same time, other organizations have decided to reduce their offices’ size but increase their number and geographic distribution so that remote workers can more readily access them when needed. Some are also changing office functions from routine workplaces to places for collaboration or provision of services that cannot exist in the remote user environment.
Some organizations that were among the early returners to the office environment found that their existing networks didn’t have the bandwidth to support the collaboration platforms employees used to engage with remote colleagues or conduct socially-distanced in-house staff meetings.
This need for additional bandwidth coupled with the consolidation of locations can require changing an organization’s existing network topology away from fixed network infrastructure and dedicated bandwidth. This prospective change creates an opportunity for government IT administrators to deploy new networking solutions like SD-Branch or SD-WAN, improving performance and providing secure, centralized IT management for distributed networks while reducing overall costs.
Many organizations also learned that paying for dedicated phone lines on empty desks is not sustainable or cost-efficient, especially if they are contemplating a hoteling office environment. Replacing desktop phones with office-issued cell phones has cost and flexibility advantages. However, it also brings new challenges: deciding whether employees will be required to have a separate government-issued device and phone number for official use or use a single device for both work and personal purposes. Agencies must also contend with the associated policies on generating and retaining official records from such devices.
With no clear end in sight to the COVID-19 pandemic, state and local government offices are also considering hybrid work environments where some employees work remotely and some work on-site, or where most or all employees alternate between remote and on-site presence. The private sector is already exploring hiring employees who are not physically proximate to any office, expecting that they will travel periodically for face-to-face interaction with their colleagues. Such an option might be equally compelling for governments that face a shortage of talent and labor when they are limited to hiring solely from their locality.
In short, the pivot to remote telework has brought significant operational and resource challenges to state and local governments. Still, it also presents the opportunity to accelerate government IT transformation to a more efficient, flexible and secure operating posture as part of the post-COVID “new normal.”