No Match Found
Charles Eckert, Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada
Milos Petrovic, Partner, Managed Services Consulting, PwC Canada
Government and public-sector entities are under pressure to digitally transform how they deliver services. And they’re responding with new applications and initiatives that help them operate more efficiently and improve citizens’ access to services.
But moving in-person activities online without appropriate safeguards exposes organizations and citizens to new cyber threats. And our research shows that the risks incurred by these bold moves often go unaddressed.
Only 33% of Canadian respondents to our 2023 Digital Trust Insights survey say they’ve fully mitigated the cybersecurity risks associated with the increased digitization of client delivery mechanisms over the past year. It’s a scenario we’ve seen in government organizations, many of which find themselves in the sights of cyber criminals.
The stakes for government and public-sector organizations are high. Financial losses, leaked personal information and disruptions to critical services carry severe consequences on their own. But data breaches and cyber-related downtime also erode citizens’ trust, impairing your organization’s ability to deliver on its purpose.
Organizations inadvertently introduce vulnerabilities to new technology projects when cyber risks aren’t addressed in the early stages of development. And our 26th Annual Global CEO Survey shows that headline-grabbing issues such as inflation and geopolitical conflict can push organizational leaders to view cybersecurity as a medium-term risk, rather than an immediate one. While 18% of Canadian respondents say they’re highly or extremely exposed to cyber risks over the next five years, that figure falls to 11% over a shorter one-year time horizon.
We’ve seen organizations overlook cybersecurity when making important technology investments for several common reasons:
While government and public-sector entities commonly engage these experts, they can be hindered by the same talent constraints affecting organizations in other sectors.
Answering risk assessment questions with too much optimism can give a project a lower-than-warranted risk profile. Additionally, government organizations generally aren’t subject to the same cyber risk requirements as companies in regulated industries such as financial services. This means that even where standards and guidance exist, many public-sector entities don’t have the same compliance maturity as organizations in regulated industries.
Project teams can typically only use the cybersecurity tools that are available to the broader enterprise. This limits what cyber safeguards can be embedded in new digital initiatives. Even when a transformation project spurs the need to invest in new capabilities, it often becomes a bolt-on solution that’s more cumbersome to manage—not to mention more expensive—than safeguards integrated at the onset of a new initiative. In some cases, organizations have access to more cybersecurity tools under their existing licences than they realize. When properly configured, these tools strengthen the security of new digital initiatives while increasing the return on an organization’s existing cyber investments.
Understanding your organization’s potential blind spots can help you develop an up-front plan to integrate cyber safeguards into each development stage of new initiatives.
How can government and public-sector organizations introduce new digital services while keeping citizens’ information and their own operations secure? Mapping out the cybersecurity considerations for each stage of your transformation plan helps keep security in mind from the start:
With cyber threats and costs escalating, sometimes the right move is working with an external organization to augment your cyber capabilities, modernize security operations, manage talent constraints and increase speed to market. We’re seeing a trend toward the use of outcome-based delivery models that align managed security services more closely to defined business objectives.
Integrating cyber defences into new digital initiatives from the start lets you proactively manage emerging threats, reducing the need to continuously react in haste. And lining up operational capabilities to manage and address risks helps avoid the burden of perpetually assigning employees to monitor applications after they go live. In short, it sustains your organization’s ability to provide secure digital services to citizens.
Improving citizen experiences while becoming more cyber-secure enhances the resilience of the critical public services your organization delivers. It also promotes the resilience of individual citizens by helping them securely obtain information, conduct transactions and engage government entities to address their needs—building trust between citizens and the important public institutions they rely on.