4 Ways to Evaluate and Procure Safe Software Solutions [for Government]

Alongside the healthcare industry, government agencies are one of the largest targets for cybersecurity attacks. In fact, malware attacks on public agencies have increased dramatically since 2016. As the need for digital infrastructure becomes increasingly more important to deliver effective public services, IT departments and those engaging in procurement are often on the frontlines, working hard to ensure that the goods and services used by their respective organizations don’t have any glaring holes in security and privacy. While it is fundamental to follow an agency-wide strategy for the procurement of secure, safe software, there are simple steps that agencies can take to determine whether a digital tool is optimized for privacy and security. In this article, we outline 4 ways that public officials can bolster their strategies, and evaluate whether a software solution may be safe to procure.

Governments represent one of the largest targets for cyberattacks primarily due to the fact that public agencies cannot afford to be paralyzed and have sensitive data leaked. With the primary job of not only delivering efficient public services but also safeguarding public information, being under ransom poses a disproportionately high risk for government agencies.

When guarding against possible attacks, government agencies have a large surface to secure. This includes a large employee base and an expanding array of data collection infrastructure and digital tools, all of which can act as potential access points for cyberattacks. In addition, many agencies must cope with cost constraints, outdated technology, and inadequate defence. Although these vulnerabilities aren’t apparent within every agency, the majority suffer from one or more of these vulnerabilities, making cyberattacks inherently difficult to defend against.

In the span of three short months, the ongoing COVID-19 pandemic has required many organizations, including governments, to adapt to a fully remote and digital work environment. The result is not only strain on infrastructure, but an accelerated need to provide services for an increasingly digital society. This significant demand for digital services has taken governments from historically long technology refresh cycles, to unparalleled acceleration of adopting new technology and refreshing the old.

As the role of software and digital tools becomes increasingly critical to serve and understand the nuanced needs of our communities, IT and procurement departments face the challenging task to select secure, effective, and safe software solutions. Below are 4 actions that procurement and IT departments can take when evaluating digital service providers:

1. Understand the full risk of integrating software products with government infrastructure.

The integration of third-party software into agency IT infrastructure is one of the biggest entry points for malware. Establishing whether software vendors are tying into agency infrastructure via APIs (application programming interfaces) or other means, and whether there is the possibility of these services housing “sensitive” data is crucial. Vendors that check either of these boxes present risks which should be further evaluated.

2. Use security and privacy certifications as a framework to guide procurement.

Third-party certifications are an effective way for agencies to verify whether the technology they are acquiring meets specific privacy and security controls and standards. Certifications act as standardized risk management frameworks; well known standards include those from the International Standards Organization (ISO), the National Institute of Standards and Technology (NIST), and the Open Web Application Security Project (OWASP).

TIP: Ask your prospective vendors if they have specific certifications and proof of audit that can attest to their internal controls and standards for protecting privacy and securing their systems. Some agencies even require that vendors obtain specific certifications before they are permitted to provide services. 

3. Conduct privacy impact assessments (PIAs) to ensure privacy controls are in-place.

While there is no standard for privacy thresholds in the United States or Canada yet, the last several years have seen the rise of PIAs where private companies must go through an assessment of their operations and products before they are cleared for use by a purchasing agency. Similar to third-party certifications, PIAs provide the purchasing agency with assurance that the technology meets specified privacy controls.

4. Require conformance to legislative and regulatory standards.

In addition to regional and national regulations, international leading privacy and protection laws can be used as benchmarks. The most common being the European Union’s General Data Protection Regulation (the ‘GDPR’) and the California Consumer Privacy Act (the ‘CCPA’), and the Canadian Personal Information Protection and Electronic Documents Act (the ‘PIPEDA’).

TIP: There are many resources available to become more literate in data privacy legislation. The bottom line is these pieces of legislation are designed to protect consumers, and companies who do not comply will be held accountable according to the law. 

Malware attacks on government agencies continue to make global headlines. With COVID-19 accelerating the need for digital infrastructure and online-oriented services, the risk of cyberattacks has been magnified even further. The tips illustrated above present agencies with concrete actions that can be taken to mitigate some of this risk and procure secure, privacy-compliant, safe software.

Interested to learn more? At UrbanLogiq we take proactive steps to ensure that the benefits of our software does not come at the expense of the privacy and security of public agencies and their citizens. To learn more about how UrbanLogiq handles privacy and security, you can visit our website or email us at security@urbanlogiq.com.