Three key steps for protecting citizen data – and easing compliance and encryption
Amid growing concerns from the general public around data privacy, city and state governments are experiencing increased pressure from citizens around how their personal data is being protected. From IT directors managing smaller cities to teams managing major state departments, there are a few key steps to ensure that your citizen data remains protected.
While traditional compliance measures are typically cumbersome and time intensive, investing in the right infrastructure can take the pain out of this process by addressing data privacy concerns with built-in capabilities. This in turn drives down costs and frees up IT to tackle other projects by removing layers of complexity – while addressing the most important concern – earning trust and creating peace of mind for citizens.
Ask the right questions around encryption
Having a conversation about security can be daunting. However, the following questions can help guide productive discussions with your CIO to get you on a path to creating change.
- How much data are we encrypting, and where is it? Are we encrypting everything? How safe are we really from cyberattacks?
- How are we prioritizing which data to encrypt?
- Who is responsible for encryption strategy? Who needs to be involved? Are we protected from insider threats?
- What are our costs of data encryption? Are we satisfied that this is an efficient spend? More importantly, is our encryption effective?
- What roadblocks keep you from encrypting fully?
Bring in the right LOB counterparts to go beyond required compliance regulations
Once you’re aligned with your CIO on the key questions above, it’s time to get to work. When you understand what is currently being encrypted, you can plan a roadmap for how to fully encrypt your citizen data. You may have already gone through an exercise to address new state or federal regulations, but your strategy shouldn’t stop there. Compliance is just the first stepping stone to creating and future-proofing your infrastructure. This means going beyond just your IT or security teams and ensuring you are thinking about security from an end-to-end perspective. After all, the data you encrypt likely spans multiple departments, from Taxation and Finance to Voter, Property, and Vital Records. Leaders of these departments and agencies will likely want a say in how their data is encrypted and managed. Are these stakeholders being accounted for? And are they communicating with each other about data encryption?
While encryption takes time, money and IT resources, if you’re only encrypting the most sensitive data, you’re pinning a target on your back for cyber attackers. When citizen data is at stake, the public sector faces serious consequences when protection is overlooked. Not only is the cost of a data breach up 6.4 percent over the previous year to $3.86 million, but your organization also risks eroding trust in government even further.
Consider pervasive encryption
When developing your security strategy, pervasive encryption should be an integral part of meeting regulatory compliance and demands from citizens in light of cybersecurity concerns. With pervasive encryption, you’re creating an end-to-end protected environment, rendering the data useless to anyone who obtains it in a breach.
In 2017, almost 300 million government data records were breached, surpassing the previous year’s record of 200 million. For the first time, direct hacking wasn’t the primary vector used to gain access to data. The majority of data was exposed through accidental leaks and misconfigured cloud services and portals.
A pervasive encryption strategy enables governments to encrypt data at the database, data set, or disk level and ensure the processing of the data is protected as well. Any unauthorized users – even internal administrators – are unable to access your sensitive citizen data. Best of all, a true pervasive encryption strategy offers the same level of protection both on premises and in the cloud, without the burden on your IT staff. Protecting your most important data should be done automatically to ensure compliance with regulations now and to come.
For governments with tight budgets and high scrutiny, developing and implementing a strategy to keep citizen data secure can be stressful. Government CIOs and IT departments should evaluate the best way to tackle data protection with a goal of achieving pervasive encryption across their departments and agency business processes. The good news is, we’ve come a long way regarding tools and services to make this process easier – the first step is just getting started.
Mike Young is the IBM Z Government Industry Offering Manager for IBM Systems.