Public sector cybersecurity best practices

Businesses, established enterprises and public sector organizations have at least one thing in common: they are all prime targets for cybercriminals. With that in mind, understanding and implementing cybersecurity best practices is essential.

According to the most recent IBM Cost of a Data Breach report, each public sector incident costs $2.07 million on average.

By following these cybersecurity best practices, you can help equip your public sector organization to anticipate threats, neutralize attacks and recover in the event of a serious data breach.

The 13 must-know cybersecurity best practices

Cybersecurity practices are relative. The “best” practices for one organization might not be best for another. Organization size, industry, size of the value chain and other factors can all impact the level of risk an organization faces, as well as its resulting cybersecurity needs.

To help you identify the cybersecurity best practices you need to know, we’ve grouped the following recommendations into three categories (plus one best practice that every executive leadership team should consider):

• “Good” for organizations that have a less developed cybersecurity program
• “Better” for organizations that want to enhance their existing program
• “Best” for organizations that have a more mature risk management strategy

Good cybersecurity practices

1. Understand the risks

The first and most pivotal of all cybersecurity best practices is simply knowing what you’re up against. To that end, it’s good to understand common types of threats and where they come from: ‌

• First risk: malware — this is likely what comes to mind when you think of cybersecurity threats. Malware is an umbrella term for “malicious software,” including ransomware, spyware and viruses. Malware can find its way onto your network via malicious links in emails or on web pages.
• Second risk: phishing — phishing is a strategy that involves sending fraudulent communications — typically through email — from official-looking sources. These messages include copy that preys on emotions such as fear, greed and curiosity, tempting targets to click on malicious links or attachments. A successfully baited victim of a phishing attack may be tricked into giving away personal or confidential information and may expose their network to malware.
• Third risk: man-in-the-middle — also called eavesdropping, man-in-the-middle (MitM) attacks involve attackers inviting themselves to a two-party transaction. Once there, cybercriminals can easily intercept and steal valuable information. Common entry points include insecure networks and malware installed via phishing or other methods.
• Fourth risk: denial-of-service — according to the Cybersecurity & Infrastructure Security Agency (CISA), “a denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.”

These commonly involve a deluge of illegitimate traffic directed at a network, internet service provider (ISP), or cloud service provider. When this happens, legitimate traffic can slow to a halt as the servers work to handle the flood of false requests.

This is not an exhaustive list of all possible types of threats. While you should look out for all of them, the reality is that risks evolve. The more sophisticated threats are, the more sophisticated your risk management strategies need to be.

Cybercrime costs are expected to hit $8 trillion in 2023. Identifying the risks your organization faces is just the first step in making sure you don’t contribute to that sum.

2. Identify vulnerabilities

Simply knowing about threats won’t protect your organization, but taking a shotgun approach to cybersecurity won’t help you much, either. Identifying your organization’s most valuable digital assets and determining where your current cybersecurity measures need to be improved to shield them from malicious activity is essential.

‌One tool that can help with this is the National Institute of Standards and Technology Cybersecurity Framework, or NIST CSF. ‌ Developed initially to standardize infrastructure within a niche of organizations, it has expanded based on the IT community’s feedback. Today, the CSF includes guidance on self-assessment, planning guidelines and other updates in response to advancements in security threats. ‌

The NIST Cybersecurity Framework outlines five functions that represent critical steps in your approach to cybersecurity risk management:

1. ‌Function one: identify — outline cybersecurity risks that threaten all company assets, including personnel, systems and data
2. Function two: protect — establish systems to defend critical assets
3. Function three: detect — identify events that could threaten data security
4. Function four: respond — act to neutralize threats as they arise according to predetermined procedures
5. Function five: recover — plan a course of action to restore functionality in the event of a catastrophic incident

These functions are further broken down into categories and subcategories. This structure runs the gamut of cybersecurity best practices and objectives without overcomplicating the issue.

Beyond implementing this or another CSF, consider bringing in a contractor to perform an audit of your cybersecurity systems. This will provide an unbiased view of the policies, procedures and technologies you have in place in the form of actionable feedback that you can use to improve your cybersecurity measures.

Whatever standards you decide to abide by, compliance software empowers you to manage assessments, monitor compliance and track improvements. ‌

3. Practice basic cyber hygiene

All discussion of cybersecurity best practices centers around helping your organization employ basic cyber hygiene. The following are among the most vital elements of this practice: ‌

• Recommendation one: write explicit security policies — without written policies, conducting an audit or assessment is difficult and nearly impossible to implement consistent training. Having your policies written down makes your goals and procedures clear, reducing the risk that a misunderstanding of policy will put your organization at risk.
• Recommendation two: train everyone — we’ve discussed technical aspects of cybersecurity best practices, but the reality is that much of the responsibility lies in the hands of your people. The human element represents the most significant risk to your networks and systems, so it’s crucial to ensure that everyone knows how to do their part.
• Recommendation three: phish everyone — remember phishing? It doesn’t seem to be going away any time soon. Keep your systems safe by testing everyone after they get properly trained. Yes, that includes upper management and even board members. Consider using the phishing awareness quiz as an interactive part of your training.
• ‌Recommendation four: use multi-factor authentication — in many cases, a simple password — even one that’s hard to guess — is no longer enough. Multi-factor authentication (MFA) ensures that everyone is who they say they are when they attempt to log into a device or an application that touches your network.
• Recommendation five: no default passwords — default passwords for new user accounts tend to be easy to guess, even for a human brain, let alone a computer capable of blitzing your system with countless strings of letters and numbers. Stay on the safe side and avoid using simple passwords, no matter how convenient they may seem.

Better cybersecurity practices

4. Bring in the experts

Keeping in mind the importance of a robust cybersecurity system, your public sector IT team should include at least one expert on cybersecurity. Additionally, consider including a cybersecurity expert on your board.

Critical issues like cybersecurity can be challenging to reach the forefront where they belong when decision-makers don’t fully understand them. ‌ Finding the right person here can be tricky, and it’s not hard to see why.

Steve Durbin, managing director for the Information Security Forum, said, “The person must be a hybrid with strong communication skills, who understands how to operate at the board level, and have an understanding of the cyber space.” ‌

Durbin stresses the importance of finding a candidate with technical knowledge and leadership abilities. Take care when deciding who to put in this position, as their work will protect your organization from cyberattacks. ‌

5. Leverage managed services

As you begin your search for cybersecurity professionals, remember that you don’t have much time to waste. The risk of falling victim to a cyberattack continues to grow, and you need to be prepared as quickly as possible without taking shortcuts. For this reason, leveraging the expertise of a managed security services provider (MSSP) may be your best bet, at least for the time being. There are several advantages to taking this approach:

• Advantage one: lower costs — you can reduce costs without sacrificing quality here because working with an MSSP means you don’t have to spend time in training. Your security professionals will already be equipped with the most current knowledge on combating security threats.
• Advantage two: automatic detection and response — top-tier MSSPs come loaded with defenses, ensuring that, in the event of an attack, you have remote and on-site responses ready to go.
• Advantage three: scalability — rather than hiring and training more people as your organization scales, simply expand the reach of services from your provider. The best solutions are product-neutral, allowing you to change your applications or cloud services without taking on unnecessary security risks.
• Advantage four: reliability —the best MSSPs will have Service Level Agreements that include 24/7 support and guidelines for incident response times. This shifts much of the technical burden away from your organization, though you must be sure to work with a quality provider and understand what you’re getting.

6. Update software

There’s no doubt that your organization leverages several external applications in order to function. Sometimes the developers of those apps release updates with new features or user interface components, but more often, those regular updates contain security fixes. ‌

Cyber threats are constantly evolving, and software companies update their products accordingly. You don’t want to be caught using the old version of a program with a known security vulnerability.

After all, a single vulnerability in one of your programs could be just the access point that cybercriminals need to force access into your network. ‌Your hardware also plays a role in cybersecurity. Most computers and mobile devices reach a point when they can no longer run the latest version of their respective apps and operating systems.

When this happens, it’s time to let them go. Remember that the investment in upgrading your devices is far lower than the cost of a data breach.

7. Protect the home office

2020 completely changed how we work, pushing nearly everyone whose job allowed it into home offices. While the overall workforce was already seeing a gradual trend toward work-from-anywhere (WFA) policies, the sudden shift posed a staggering cybersecurity challenge.

Insufficiently secured home offices and data transfers over unsanctioned platforms (such as personal email and instant messaging) played a significant role in data breaches in 2021 and 2022. They will continue as hybrid working remains.

Organizations can combat this by investing the resources necessary to develop new cybersecurity best practices that shore up security for home networks and devices used and provide specific security training designed to encourage safe behavior.

Researchers at Bitdefender suggest that employees are likely to take shortcuts for convenience while working at home. During training, everyone needs to learn about steps they can take to help keep your organization’s assets secure, such as:

• Designating a safe, private workspace.
• Keeping confidential information away from other members of the household.
• Keeping children away from the computer during work hours.
• Closing all browsers and applications as well as disabling access to company materials when not working.

It’s also a good idea to start using a VPN for an additional layer of security. The free services are tempting, but it’s unlikely that they are as secure as enterprise solutions. Just be sure to do your due diligence when selecting a service provider; the last thing you need is for the solution you choose to be the cause of a data breach.

8. Perform regular backups

Even following all cybersecurity best practices cannot serve as a 100% guarantee that your data is safe. You should still be prepared in the event that any of your assets become compromised. Aside from being good practice in general, regularly backing up your data helps ensure that you can continue operations in the event of a virus or ransomware attack.

In fact, having a recent, uncorrupted backup is the only way to recover from ransomware attacks without paying the ransom. When searching for a solution, keep in mind that malware can go undetected for a long time before showing obvious symptoms. For this reason, work with a provider that offers the longest-possible version history that your budget allows.

It’s also a good idea to follow best practices for your backup strategy, especially regarding the number of copies and frequency of backups. Some organizations — such as those dealing with a high volume of constantly changing data — will need to perform several backups daily. In contrast, others can get away with a single backup overnight or during periods of little activity.

Only you and your team can decide what’s necessary for your organization, which is why you need a high-ranking IT specialist.

Best Cybersecurity Practices

‌9. Implement a Common Controls Framework

Put simply, a common controls framework (CCF) reflects all the controls that different departments have in common. It considers overlapping industry standards and organizational needs to create a single, streamlined framework. Implementing a CCF can help you use a similar process across different instances, standardizing your cybersecurity practices.

A CCF is also a great foundation for improvement. Since you’ll have a central set of practices, it’s easier to analyze, assess and improve them as industry standards — and risks — evolve.

‌10. Manage third-party risk

Third parties add value to the organizations they partner with. They also introduce risk. Many organizations have incomplete third-party data, and they also give third parties a higher level of access than they need. Third parties may also work with vendors that introduce risks of their own.

Through bad intentions or even negligence, all of these things can expose organizations to cyber attacks. Organizations must have a thorough third-party risk management program in place, one that identifies and monitors the cybersecurity implications of working with third parties. This should include the following:

• Identify all third parties, as well as any subcontractors they work with.
• Create a risk profile for each third party.
• Categorize your third parties based on their level of risk, typically low, medium and high. This informs how you manage the relationship.
• Create a risk management framework that accounts for the third party’s level of risk. This should include important controls and plans for risk mitigation.
• Define roles and responsibilities so all parties know who should take action and when.
• Develop a plan for breaches based on the severity of a possible breach (e.g., a high-risk third-party partner would need a plan for a more serious breach than a low-risk partner).
• Implement ongoing monitoring to stay ahead of evolving third-party activities and the associated risks.

11. Monitor privileged users

High-level organizational authorization is necessary, though it poses a significant risk. Numerous data breach reports show that internal actors account for many of the data breaches that occur. You want to trust your teams and do your best to hire trustworthy people, but you should still implement cybersecurity best practices that help you keep an eye on them.

You don’t necessarily need someone sitting in a room watching your users’ every move in real time. Still, your security software or MSSP solution should be smart enough to recognize suspicious behavior with user activity monitoring before it becomes a problem. ‌ With that said, do take care in implementing this practice.

In an era with seemingly limitless surveillance technology, there’s no shortage of privacy concerns. Be transparent about your monitoring practices, including what you’re looking for, what data is collected and why.

Further, if there is an incident, keep the evidence presented in context. You want to differentiate between malice and mistakes, and making accusations is an excellent way to put even innocent people on edge.

Finally, when someone leaves the company, access should be revoked immediately to prevent them from using outdated credentials to wreak havoc on your network. ‌ ‌

12. Use zero trust architecture

It’ll take some work to implement, but one way to minimize risks from users with high clearance levels is to implement zero trust security. ‌Zero trust is a comprehensive approach to security that operates on the premise of “never trust, always verify.”

Rather than a particular technology or solution, it is a philosophy that combines the following security principles to protect your assets:

• Extensive authorization — authorize and authenticate based on all available data, including identity, location, service requested and more
• Least privileged access — only allow enough access for an authorized user to complete the task at hand and only grant access the moment it becomes necessary
• Assume breach — use micro-segmentation to break up access into smaller authorized “zones” so that no device has free reign to move about the network and data systems.

Additionally, zero trust architecture breaks down entities into six components — identities, devices, data, apps, infrastructure and network. Each of these components has its own security concerns, so each is handled separately according to your organization’s needs and the cybersecurity best practices you have in place.‌

A best practice for every organization

13. Educate your executive leadership

With growing pressure from stakeholders to hold executive leaders accountable for cybersecurity governance, education on cyber risk is paramount. Regardless of where an organization stands in its cyber risk maturity, a small amount of training can significantly impact the quality of conversations directors have with experts.

Better communication is a more constructive use of executive leaders' precious time. It can ultimately lead to an enhanced cybersecurity strategy that saves organizations reputationally and financially.

A cyber risk and strategy certification is a straightforward way of achieving this goal. Courses like this include insights from subject matter experts, interactive eLearning modules and an alumni network, facilitating ongoing engagement around cybersecurity.

Cybersecurity trends and best practices from 2020-2023

Cybersecurity best practices in 2022 weren’t the same as cybersecurity best practices in 2021. This isn’t news. But you might not know how cybersecurity has changed year-to-year, let alone over the past four years.

Below, we’ve charted some key trends in cybersecurity for 2020, 2021, 2022 and 2023 so you can see how risks evolve and whether or not your practices have kept up.

Cybersecurity Trends

Get certified to oversee cyber risk

As complex cyber risks continue to evolve at a rapid pace, it’s more important than ever for boards to hone their cybersecurity skills.

Enroll in the Diligent Cyber Risk & Strategy Certification course to access exclusive interactive learning modules that will help you implement cybersecurity best practices and improve your cyber risk oversight.