New approaches for managing risk in the public sector
The public sector’s ever-evolving risk landscape
The risks faced by local governments and other public sector organizations are changing fast — and multiplying faster. Cybersecurity threats from both domestic and foreign actors are on the rise, including ransomware attacks that disrupt organizations’ ability to serve the public. At the same time, more and more sensitive data is being collected, stored, and shared every day. The move to adopt new technologies such as cloud-based services can also lead to unexpected risks related to controls and configurations. Because of these issues, new regulations and legislation have been enacted to protect citizens’ data rights, creating a web of new requirements to navigate.
Many public sector organizations want to improve their governance, risk management, and internal controls to protect constituents, but a number of obstacles pose a challenge. Budget constraints often force decision-makers to choose between proactive risk mitigation and investments that appeal to citizens and stakeholders. It’s hard to compete with the private sector for the talent and expertise needed, compounding staff shortages. And institutional resistance to change can make it difficult to embrace new processes and controls, even when adopting new technologies. As a result, governments and education organizations are left vulnerable to cyberattacks, fraud, and other frontline threats.
Manage risk through careful planning and new technologies
You can overcome challenges and achieve risk management goals with careful planning and modern technologies such as cloud-based services. The first step is to conduct a thorough assessment of technology-related risk across the organization. Ask yourself:
- What technologies do we use? Are they up to date and properly configured?
- What policies and documented internal controls are in place to govern access and use? Are any missing?
- What risks are posed by vendors and other third parties — and how do they manage and mitigate their own risk?
This assessment must extend beyond processes to people as well. Do you have the right people in the right roles, performing the right tasks? At a minimum, we recommend you conduct this assessment annually. Larger entities — a densely populated county or a large school district or state university, for example — may wish to perform some aspects of the assessment more frequently, such as a network security test.
It’s important to remember that this regular assessment simply captures a point in time and identifies risks requiring attention at that time. Subsequent assessments should track how these prior risks have been remediated or resolved. Each assessment forms the basis for developing a risk mitigation action plan to help you define what actions you’ll take, monitor performance, and continuously improve. This doesn’t mean you need to do everything at once, though. Realistically, risk mitigation planning involves prioritizing the gaps to be addressed, based on their severity and potential impact.
You can also mitigate risks through the capabilities of new technologies themselves — as long as those features are understood and taken advantage of during implementation. For example, a cloud-based tool could replace multiple manual accounts payable processes with one best-practice process that streamlines and automates much of the work, from invoice processing to electronic payments. Adopting the cloud-based process not only improves efficiency, but it also reduces the risk of error or fraud.
Zero-based trust: A growing trend
Embracing the cloud and other new technologies can also help you take advantage of an emerging trend: zero-based trust.
Zero-based trust (more commonly called zero trust) is an IT security model that requires strict identity verification for every person and device trying to access network resources, whether the request originates inside or outside the network perimeter. The model is designed to protect remote workers and to secure data and infrastructure from end to end. Most prominent technology vendors now build zero trust concepts and protocols into their architectures, which makes it easier for governments and other organizations to adopt them. Zero trust can significantly reduce the risk of unauthorized access to systems and data.
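To make the contrast concrete, the following added example (not code from the original article or from any vendor it refers to) evaluates the same constructed access requests under a traditional perimeter model, where anything from an "inside" address is trusted, and under a zero trust policy, where every request must pass identity, device-health and entitlement checks regardless of where it comes from. The address range, device inventory, entitlements and sample requests are all constructed for illustration.

```python
"""Perimeter trust versus zero trust, decided per request.

Added example; the network range, device inventory, entitlements and sample
requests below are constructed for illustration, not taken from any real system.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address range that a perimeter model would treat as "inside".
CORPORATE_NETWORK = ip_network("10.0.0.0/8")

# Constructed device inventory: only managed, up-to-date devices count as healthy.
DEVICE_INVENTORY = {
    "laptop-0042": {"managed": True, "patched": True},
    "laptop-0077": {"managed": True, "patched": False},
}

# Constructed entitlements: the resources each user is allowed to reach (least privilege).
ENTITLEMENTS = {
    "clerk": {"payroll-portal"},
    "admin": {"payroll-portal", "student-records"},
}


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool   # identity provider confirmed the user, e.g. with MFA
    device_id: str
    source_ip: str
    resource: str


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: a request is trusted simply because it comes from inside the network."""
    return ip_address(req.source_ip) in CORPORATE_NETWORK


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Zero trust: identity, device and entitlement are verified on every request;
    the source address is deliberately not consulted."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not verified")
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        reasons.append("unknown device")
    else:
        if not device["managed"]:
            reasons.append("unmanaged device")
        if not device["patched"]:
            reasons.append("device not up to date")
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("user not entitled to resource")
    return (not reasons, reasons)


# Constructed sample requests.
SAMPLE_REQUESTS = [
    # Inside the network, but no verified identity and an unknown device.
    AccessRequest("clerk", False, "unknown-device", "10.1.2.3", "payroll-portal"),
    # Remote worker with verified identity and a healthy managed device.
    AccessRequest("clerk", True, "laptop-0042", "203.0.113.7", "payroll-portal"),
    # Verified identity, but the device is behind on patches.
    AccessRequest("admin", True, "laptop-0077", "10.5.5.5", "student-records"),
    # Verified identity and healthy device, but the user is not entitled to the resource.
    AccessRequest("clerk", True, "laptop-0042", "10.1.2.3", "student-records"),
]


def compare(requests=SAMPLE_REQUESTS):
    """Return, per request, the perimeter verdict and the zero trust verdict with its reasons."""
    return [
        {
            "user": r.user,
            "resource": r.resource,
            "perimeter": perimeter_decision(r),
            "zero_trust": zero_trust_decision(r),
        }
        for r in requests
    ]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Running `compare()` shows the two models disagreeing in both directions: the perimeter model admits the first request (an unverified user on an unknown device, merely because of its address) and rejects the remote worker, while the zero trust policy does the opposite and additionally explains each denial, which is the information an operations team needs to remediate the underlying gap (enroll the device, apply patches, or correct the entitlement).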
Risk is changing — and with it, risk management
The public sector’s risk landscape is evolving rapidly, but public sector organizations can adapt and take action now to understand, manage, and mitigate the risks they face.