State and local government agencies need to up the ante on security. Of the 603 publicly disclosed cases of breaches of government and military networks since 2005, most of the cases involved state and local agencies, according to The Privacy Rights Clearinghouse Chronology of Data Breaches.
The South Carolina Department of Revenue made national headlines last October, when its data system was found to have exposed 3.6 million Social Security numbers and 387,000 stolen credit card numbers. With Social Security and credit card numbers fetching roughly $3 apiece on the black market, the breach potentially could have netted the hackers $12 million.
The breach is “a good example of how fragmented our state data-security system is,” said House Majority Leader Bruce Bannister from Greenville, S.C., according to USA Today.
Organizations often chase the latest technology but forget that security needs to come first. Companies and government organizations can cost-effectively manage security with a layered approach that includes conducting risk assessments, managing mobile devices, applying encryption and endpoint controls, implementing data center and network security controls, and implementing continuous monitoring.
A first step toward this goal is gaining visibility into where data resides and what risks the organization faces. Developing an effective and efficient defense against attacks, from both insiders and outsiders, also requires that the organization be aware of where its device endpoints are.
A lot of the necessary security enhancements should come in the form of comprehensive changes, including cyber-security awareness training and security enforcement policies. In many cases, a top-down approach is the only way to effect change. The burden lies at the top. After the South Carolina Department of Revenue breach, its director, Jim Etter, resigned.