Securing the next generation of digital government services

Contributors: 
Charles Eckert, Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada
Milos Petrovic, Partner, Managed Services Consulting, PwC Canada

Government and public-sector entities are under pressure to digitally transform how they deliver services. And they’re responding with new applications and initiatives that help them operate more efficiently and improve citizens’ access to services.

But moving in-person activities online without appropriate safeguards exposes organizations and citizens to new cyber threats. And our research shows that the risks incurred by these bold moves often go unaddressed.

Only 33% of Canadian respondents to our 2023 Digital Trust Insights survey say they’ve fully mitigated the cybersecurity risks associated with the increased digitization of client delivery mechanisms over the past year. It’s a scenario we’ve seen in government organizations, many of which find themselves in the sights of cyber criminals.

The stakes for government and public-sector organizations are high. Financial losses, leaked personal information and disruptions to critical services carry severe consequences on their own. But data breaches and cyber-related downtime also erode citizens’ trust, impairing your organization’s ability to deliver on its purpose.

Locating blind spots in cyber risk assessments

Organizations inadvertently introduce vulnerabilities to new technology projects when cyber risks aren’t addressed in the early stages of development. And our 26th Annual Global CEO Survey shows that headline-grabbing issues such as inflation and geopolitical conflict can push organizational leaders to view cybersecurity as a medium-term risk, rather than an immediate one. While 18% of Canadian respondents say they’re highly or extremely exposed to cyber risks over the next five years, that figure falls to 11% over a shorter one-year time horizon.

We’ve seen organizations overlook cybersecurity when making important technology investments for several common reasons:

Limited involvement of risk and cyber professionals

While government and public-sector entities commonly engage these experts, they can be hindered by the same talent constraints affecting organizations in other sectors.

Downplaying inherent risks

Answering risk assessment questions with too much optimism can give a project a lower-than-warranted risk profile. Additionally, government organizations generally aren’t subject to the same cyber risk requirements as companies in regulated industries such as financial services. This means that even where standards and guidance exist, many public-sector entities don’t have the same compliance maturity as organizations in regulated industries.

Unrealized value from technologies

Project teams can typically only use the cybersecurity tools that are available to the broader enterprise. This limits what cyber safeguards can be embedded in new digital initiatives. Even when a transformation project spurs the need to invest in new capabilities, it often becomes a bolt-on solution that’s more cumbersome to manage—not to mention more expensive—than safeguards integrated at the onset of a new initiative. In some cases, organizations have access to more cybersecurity tools under their existing licences than they realize. When properly configured, these tools strengthen the security of new digital initiatives while increasing the return on an organization’s existing cyber investments.

Understanding your organization’s potential blind spots can help you develop an up-front plan to integrate cyber safeguards into each development stage of new initiatives.

Learn how our Digital Resilience Centre and Microsoft can help securely accelerate your transformation journey.

Keeping security in mind from the start

How can government and public-sector organizations introduce new digital services while keeping citizens’ information and their own operations secure? Mapping out the cybersecurity considerations for each stage of your transformation plan helps keep security in mind from the start:

Government and public-sector organizations are known for their thorough threat risk assessments, privacy impact assessments and data protection impact assessments. That’s a good first step. Understanding your inherent risks helps you develop mitigation strategies and determine which security technologies to apply. But it’s important to be cognizant of how many security solutions you’ll deploy. Using multiple technologies can create a tangle of disparate software that makes it more difficult to understand and manage your security stack. Portfolio rationalization helps you move to a simpler but more secure footing.

What processes are in place to reduce your cyber risks? For government and public-sector entities introducing new digital services, identity and access management controls are particularly pertinent. For example, consider how quickly you can revoke an internal user’s access after they leave your organization. Or how you’re preventing a customer service employee from exploring the personal information in a citizen’s file without a legitimate reason.

Vulnerability assessments and penetration tests are important steps to validate the effectiveness of your controls. This process should also scrutinize your software supply chains and confirm the latest libraries are used in new applications. Our research suggests this is a frequently overlooked vulnerability: 70% of Canadian executives say they have a limited understanding at best of their software supply chain risks.

Developing plans to address operational cyber risks lets you line up resources and capabilities before a new digital service or application goes live. Do you have appropriate monitoring systems? Can you pinpoint and act on anomalies? Have you developed incident response plans and worked through different attack and breach scenarios?


With cyber threats and costs escalating, sometimes the right move is working with an external organization to augment your cyber capabilities, modernize security operations, manage talent constraints and increase speed to market. We’re seeing a trend toward the use of outcome-based delivery models that align managed security services more closely to defined business objectives.

Using cybersecurity to build trust and deliver sustained outcomes

Integrating cyber defences into new digital initiatives from the start lets you proactively manage emerging threats, reducing the need to continuously react in haste. And lining up operational capabilities to manage and address risks helps avoid the burden of perpetually assigning employees to monitor applications after they go live. In short, it sustains your organization’s ability to provide secure digital services to citizens.

Improving citizen experiences while becoming more cyber-secure enhances the resilience of the critical public services your organization delivers. It also promotes the resilience of individual citizens by helping them securely obtain information, conduct transactions and engage government entities to address their needs—building trust between citizens and the important public institutions they rely on.

Contact us

Charles Eckert

Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada

Tel: +1 416 815 5274

Milos Petrovic

Partner, Managed Services Consulting, PwC Canada

Tel: +1 416 815 5028
