Governments still struggling to secure data. Zero-trust, passkeys could help


A digital data breach at the National Social Security Fund (CNPS) of Cameroon has resulted in the leak of citizens’ personal data, financial documents, details of over 1.5 million beneficiaries, and other information related to social security services. Cybercriminal group “The Space Bears” claimed responsibility for the breach.

The group demanded a ransom from CNPS and threatened to sell the data on the dark web if payment was not made by September 22, 2024, Digital Business Africa reports. Although CNPS has not officially acknowledged the breach, reports indicate that the group has already begun selling the data. About 25 GB of data is offered for $3,000, while a smaller 10 GB set is priced at $1,000.

The National Social Security Fund is the country’s public social security organization. It protects employees and their families in the event of occupational risks, retirement, disability, and death. The fund also offers benefits, including family allowances, old age pensions, disability pensions, and work injury compensation.

To mitigate potential risks, public organizations should implement various security measures, such as establishing an incident response plan, conducting comprehensive investigations, and enhancing cybersecurity protocols, Digital Business Africa says.

Zero-trust strategies and passkeys offer path forward

Meanwhile in the U.S., government agencies continue to work towards the zero-trust goal set for them by the executive branch.

The United States government issued an executive order in 2021 and a follow-up executive memorandum in 2022 to mandate that federal agencies adopt a zero-trust architecture by the end of FY 2024 to mitigate cyber threats.

Recognizing the digital threats to critical infrastructure in sectors such as healthcare, finance, defense, and public services, the U.S. federal government aims to ensure data privacy and protection against unauthorized access to sensitive information by implementing zero trust.

The memorandum outlines key components of the zero-trust architecture, including enterprise-managed accounts, device monitoring, security posture assessment for each device, system isolation, and encrypted traffic.

Furthermore, the framework emphasizes secure access to enterprise applications, collaboration between security and data teams, and robust digital identity and access control systems.

As the deadline nears, a report from NextGov indicates that many federal agencies are actively working to implement a zero-trust framework to meet the requirement. Twenty-four different agencies are around 90 percent of the way through their transition, according to Federal CIO Clare Martorana.

States like California have also taken steps, GovTech notes, such as issuing Technology Letter 23-01 in early 2024, mandating all state agencies to implement a zero-trust architecture in alignment with NIST 800-207.

In a recent Biometric Update webinar, the FIDO Alliance, which sets passkey standards, highlighted the use of passkeys to safeguard the public sector.

“What passkeys do is take the burden off of the user to have to identify those sorts of attacks because passkeys simply cannot be given away to a nefarious person,” says Megan Shamas, chief marketing officer of FIDO Alliance.

Don’t forget insider threats

When discussing cyber threats to public institutions, it’s important to note that individuals within the organization can also pose a risk. This can occur through intentional malicious actions or unintentional errors that compromise sensitive data or systems, says Clyde Williamson of Protegrity.

According to a report by the Ponemon Sullivan Institute, the average cost of insider threats is approximately $16.2 million per organization. To mitigate these risks, organizations should implement cybersecurity strategies such as data encryption, tokenization, and segmentation to limit exposure if insiders access sensitive data, as reported by Security Brief Asia.

Additionally, advanced security measures like multi-factor authentication (MFA), network behavior analysis, and endpoint detection and response (EDR) can further protect against insider threats.

“Audit trails and tracking capabilities are two more features that will take your data protection and security to the next level,” says DeeDee Kato, vice president of Corporate Marketing at Foxit.
