
Municipalities Need to Prepare for Data Breaches

Municipal governments may not consider themselves a likely target for cyberattacks compared to larger government organizations. However, cities and towns often are very vulnerable, while also storing an enormous amount of sensitive data that needs to be protected.

The largest issue for municipalities is generally that key decision-makers lack understanding about the likelihood of a breach and the full scope of the sensitive information stored in their systems. This doesn’t just increase the likelihood of data loss but can also lead to other issues, such as organizational inefficiency and a reduced ability to respond to Freedom of Information requests.


Government and Compliance

Over the last several years, there have been high-profile information breaches at all levels of government. Here are just a few examples:

2016: Public Services and Procurement Canada improperly exposed the personal information of up to 70,000 federal employees due to a combination of system vulnerabilities and user error.

2017: The federal government agreed to a settlement after improper handling of data resulted in a leak of the personal information of over 583,000 student loan recipients.

2018: Nova Scotia’s provincial government had a breach involving its FOIPOP system that allowed widespread access to confidential personal information, with over 7,000 documents accessed before being detected. The provincial government was criticized by oversight bodies for “poor overall project management” and a “serious failure of due diligence.”

2021: The Regional Municipality of Durham suffered a ransomware attack following a breach that revealed citizens’ personal health information. This was attributed to using outdated software with known security vulnerabilities.

No level of government is immune to data breaches. As the list above illustrates, a broad range of factors contributes to this issue, including malicious attacks, employees not following processes, misconfigured or outdated software, and lack of oversight.

As these incidents continue to make headlines, the public has become more aware of the vulnerability of their data and the impact of government breaches. This may well lead to policy changes in the near future, as many advocates feel that the Privacy Act is not strong enough.

Like any level of government, municipalities need to protect against these kinds of data breaches. This can only be achieved by having technical staff work closely with content owners to understand requirements and by educating all employees to follow compliance standards.


Mitigate Compliance & Privacy Risks Workshop

Detecting, investigating, and acting on malicious and inadvertent activities in your organization is critical to ensuring trust, creating a safe workplace, and protecting company assets.

The Mitigate Compliance & Privacy Risks Workshop gives you the insights you need to understand insider risk in your organization.


The Risk of Dark Data for Municipal Governments

Municipalities need to understand what kinds of sensitive data they are managing, including where that data is stored, how it is transmitted, and the measures that are necessary to keep that data protected.

However, one major issue is that governments — like many other modern organizations — have collected mountains of data that they are often not even aware they have. This data, which is often invisible to and ignored by organizations that collect it, is sometimes called dark data.


Dark data can be information that is collected intentionally but never analyzed or dealt with, or it can be information that is collected through automated software processes that aren’t being actively managed. It can also simply be locally saved copies of information that individuals keep for convenience. The risk comes with the fact that dark data often contains personal identifying details, confidential data, and other regulated or sensitive information.

If an organization isn’t aware of the existence of this data, it becomes a risk — IT departments won’t create the proper safeguards around it — and it will also be outside any regulatory processes that have been put into place for compliance.

This risk becomes even more acute when we begin to look at the kinds of data collected by governments. Tax and property data, bill payments, permit applications, and other municipal records are in many cases generating large amounts of dark data that are vulnerable to data breaches — and the mere existence of this data exposes municipalities to liability.

Conducting a data audit on municipal government information systems often reveals highly sensitive data that has been insecurely stored, sometimes for many years. Simply put, it is impossible for a government to manage and protect information if the people in charge of those processes aren’t aware of all the information they have. That’s why it’s critical for government organizations to have a strong data security foundation and a game plan for dealing with all data that is collected.


Developing Processes to Secure Government Data

As your municipality moves towards better data security, your first step needs to be an internal one: begin with discussions to understand the type of information you have, where it is stored, and possible risks you face. Bulletproof can help facilitate these discussions and provide your government with a step-by-step roadmap to secure your data.

As your municipality takes stock and works towards more secure data management, an Information Management Assessment will help you understand the current state of your data security. Bulletproof’s Information Management Assessment will document your current behaviours and technology, identify potential concerns, and provide a detailed roadmap.

Once your municipality has an Information Management foundation in place, processes must be developed to ensure that data is protected and processes are being followed. There are a number of common vulnerabilities in data systems, and data can be stolen by malicious actors or leaked by misconfigured systems.

Human error is also an important factor that needs to be accounted for. Emails containing sensitive information sent by accident, and sensitive data improperly removed on thumb drives or uploaded to external sites, are common pitfalls for organizations of all types.

Bulletproof’s Deploying Information Protection engagement provides municipalities with an Information Protection strategy and roadmap to better control information and protect data through encryption in the case of loss or theft.

We can help your municipal government organization achieve data security and maintain compliance and peace of mind. Contact a Bulletproof expert today to get started.


It's Your Duty to Protect Your Data. Now You Can Manage Compliance with Confidence.

With exponentially growing volumes of sensitive data being collected, used, and stored by organizations, properly monitoring and managing how that information is accessed, and by whom, is often subject to legal compliance regulations. Companies may have compliance tools, but ensuring they are properly configured, monitored, and aligned with company policy and government-mandated compliance regulations can overload an already busy IT team.

Bulletproof 365 Compliance is a compliance-focused managed information protection service that wraps around your existing Microsoft 365 infrastructure, enabling advanced Microsoft tools to optimize information protection, mitigate internal risks from improper data leaks, and ensure that your data never leaves your control.


Cyberattacks have increased by 400% compared to pre-pandemic times. Is your business prepared?

Cybersecurity is no longer simply an issue for your IT team. It’s time for other members of your organization to start sitting at the cybersecurity decision-making table. This eBook can help you understand modern cyberthreats and their potential impact on your business.


The Cybercrime Economy is Growing. Learn How You Can Protect Yourself. 

In today’s cybercrime gig economy, bad actors can purchase everything they need to bring your business to a standstill for less than $100. Our new eBook, What Business Leaders Need to Know About Cybersecurity in 2022, shares insights into today’s cybersecurity landscape and actionable tips for how you can protect your business.  


Why Bulletproof?

BULLETPROOF CREDENTIALS


“Bulletproof is doing an exceptional job of listening to their customers and then going above and beyond to provide them with services to unlock all the value of their Microsoft Security investment. They are able to see the value of our Microsoft security platform and have built a managed SOC service that is driving significant customer value, allowing their customers to remain focused on their business.”

-Julie Jeffries, Modern Work & Security PMM Manager, Microsoft Canada
