RiskTech Forum

SAS: How Can State Governments Battle Cybercrime?

Posted: 1 October 2015  |  Author: Jen Dunham  |  Source: SAS

Any business or agency that’s connected to the Internet can be a target for cyber criminals. But state governments are a particularly large bull’s eye because of the breadth of information they compile on their constituents – from birth certificates and marriage licenses, to tax records and motor vehicle data. That information is a far more valuable commodity than payment card information.

When I received notifications from Target and Neiman Marcus about their data breaches, my card issuer proactively replaced my card, rendering that particular hacked information useless. The retailers each offered credit monitoring services that would alert me to any new accounts being opened under my identity. So, I feel fairly secure that I will have some early warning in the payment card arena.

But what if the state where I live were to have a data breach? That’s a much trickier scenario. You see, if a hacker were to get my state tax records, they would have all of my personally identifiable information (PII) – name, address, social security number – and they’d have the PII of my children and spouse. And those bad actors could use this data in far more creative (and harmful) ways than selling my credit card on the street.

Worse than stealing payment information?

With the information in my tax records, fraudsters can file false tax returns under my name, make claims under state unemployment insurance or exploit other social services where I live. They can also expose my four children by opening credit accounts in their names, which are often overlooked and not commonly monitored. Criminals could apply for social services under my dependents’ identifications, defrauding the government in similar ways they do now with “legitimate” information they stole from the cyber domain.

The state would have a long, arduous task of cleaning it all up and would surely lose citizen trust for a time. What can they do? Experts recommend a holistic security program that spans IT, privacy, and fraud as an industry best practice. They are finding that although traditional cyber personnel are well versed in articulating technical needs, they often fall short of translating them into business needs and risk, which makes an enterprise approach to security a necessity.

Aligning security across a state can also help with shortcomings in funding, where states often struggle with a fraction of the security budget of their federal government, financial institution, and retail counterparts. By moving the security conversation higher within the state – outside of the IT environment alone – security can be addressed early on and holistically.