Government Risk Management
Government departments and agencies face ever-increasing pressure to improve transparency in their processes. As part of this, risk management becomes a key point of focus for the public eye. In the face of an emerging threat or crisis, the public will seek verification that government departments took the necessary steps to reduce risk and promote business continuity. Despite the complexity of the risk management required, many must struggle to mitigate risk at a price their frugal employers are willing to pay.
With privacy and security at the forefront of government challenges, what steps are being taken to mitigate risks? Today we’re looking at the top 5 risks in government and highlighting the importance of communicating risk appetite and tolerance across an organization.
First, aging IT systems are a major security risk that plagues the federal government. Put simply, old systems lack the capabilities to protect against threats that did not exist when they were created. Technology is constantly advancing, and yet government technology moves at a crawl, requiring a lot of resources just to keep systems running. A 2016 report from the Government Accountability Office shows that 75% of the total IT budget was spent on operations and maintenance.
Not only does their use of outdated technology consume the majority of their resources, it also leaves them vulnerable to modern threats and attacks. Several servers used at Homeland Security, for example, reportedly ran Windows Server 2003 for nearly 3 years after it was no longer supported.
In 2018, Hawaii residents received a false missile alert that gained a lot of media attention. While the missile crisis sparked some debate on whether it was truly an accident or not, the incident offered insight into the software. Initial reports claim the alert was sent by accident because the aging technology did not make a clear distinction between the real and practice alerts. Reports also say the command’s operations center did not have access to the alert system during the event, resulting in a 38-minute period before another alert was released.
Cyber security deserves its own category in every industry, let’s be honest. When discussing government risk in cyber security, though, we have well-warranted cause for concern. Government agencies store a lot of valuable data, and a lot of it is about the public: driver’s license information, social security numbers, health care information, financial data, etc. It makes sense that they would be a large target for today’s more sophisticated cyber attacks. Is the government prepared, though?
In 2015, the Office of Personnel Management announced two separate cybersecurity incidents, resulting in the loss of over 25 million individuals’ information, including social security numbers. Again in 2016, hackers breached a data retrieval tool at the IRS, allowing them to steal 30 million dollars and access the personal information of 100,000 students. Another incident occurred in 2018 when the Chinese government hacked Navy computers, stealing 614 gigabytes of sensitive information related to undersea warfare. These incidents are deeply worrying, and a report by Netwrix shows that only 14% of government organizations consider themselves properly protected against cyber attacks.
Government employees present a large security risk that is often overlooked. Processes that leave room for human error are numerous in any organization, often due to gaps in training and poor work habits, which in turn are frequently the result of poor work culture. We find too often that risk management and compliance are treated as a task to check off rather than an ongoing dialogue that ensures proper education.
A 2014 report states that only 27% of U.S. federal government workers are engaged in their jobs. In addition to costing an estimated $18 billion a year in productivity, this raises red flags for government risk. Employees who are not engaged in their work or who put no effort into following work policies are likely to cause compliance issues and result in work disruptions, legal fees, and workers’ comp claims. In 2016, government entities reported that human error was the cause of 57% of security incidents and 14% of system downtime.
Infrastructure risk is the potential failure of organizational structures and facilities, and the loss of their services. As the Department of Homeland Security says, “The nation’s critical infrastructure provides the essential services that underpin American Society.” These assets are necessary for both physical and economic security, as well as public safety. In 2018 President Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018, which established the Cybersecurity and Infrastructure Security Agency (CISA). Field assessments are performed by CISA to identify vulnerabilities within the nation’s critical infrastructure.
CISA reportedly works to identify the most critical risks to U.S. infrastructure across 16 sectors, drawing on resources and collaboration from the National Risk Management Center (NRMC), which is housed within the agency. We put our faith in departments such as these, who protect against the unimaginable. Whether physical or cyber in nature, an attack on the U.S. power grid or industrial control systems is a threat that could have potentially catastrophic results. How quickly could we rebound from the loss of power?
How We Help
As part of a total risk management process, government agencies need to plan properly for all types of risks, not only the categories discussed above. Utilizing a risk management platform is key to ensuring all risks are minimized or eliminated. RiskWatch provides an easy way to measure and mitigate risks and compliance gaps by streamlining the assessment distribution and collection process. Our software helps you understand different risks and their potential impact, as well as ensuring compliance with state and federal standards, guidelines, and best practices.