The treasure trove of customer data and financial information that government generates, stores and processes on a daily basis makes it a rich target for hackers. The purpose of this study is to understand the steps government agencies are taking to mitigate digital fraud risks and protect customer data. In the context of this study, customers are individuals who receive and use services from federal, state and local governmental agencies.
Digital services enable government to conveniently deliver information and services to customers anytime, anywhere and on any platform or device. However, such convenience needs to be supported by a strong security posture.
Sponsored by TransUnion, Ponemon Institute surveyed 594 IT and IT security practitioners who work in federal, state and local/municipal government organizations. All respondents are familiar with their agency's efforts to prevent and detect fraud and are aware of their agency's information security vulnerabilities and threats. In addition to studying the state of security in government agencies, the research reveals respondents' awareness of the extreme dissatisfaction customers have with the security and convenience of agencies' websites.
A key finding is that government agencies are not making the necessary investment in security technologies to protect customer data and make online access to accounts convenient. Only 43 percent of respondents say their agency has the security technologies necessary to provide customers with both a secure and convenient online experience when accessing their accounts. Another fraud risk is that only 37 percent of respondents say their agency makes it as easy as possible for customers to notify them if they believe their account has been compromised.
Following is a summary of digital fraud risks revealed in this research and the solutions needed to protect customer data and improve the online experience.
Similar to the commercial sector, government agencies are having multiple data breaches involving the loss or theft of customers’ personal information. These data breaches are most often caused by employee carelessness (64 percent of respondents). This indicates the need for regular training and awareness programs and enforceable privacy and security policies. An important part of this training should be to prevent phishing and social engineering attacks. The other top root causes are hackers (56 percent of respondents) and lost or stolen devices (52 percent of respondents).
Without the necessary security technologies and in-house expertise, most agencies find it impossible or very difficult to detect attacks. The types of attacks respondents find most difficult to detect are social engineering (66 percent of respondents), credential stuffing (60 percent of respondents) and distinguishing a genuine customer from a criminal impostor who is using stolen credentials (60 percent of respondents).
Account takeovers (ATOs) are on the rise, and respondents believe mobile phones are the channel most vulnerable to these attacks. Mobile phones are ubiquitous, and 62 percent of respondents say they are the most vulnerable to ATO fraud. Further, not only are ATO attacks increasing, the severity of these attacks is also on the rise according to 59 percent of respondents.
Most agencies' senior leadership are not prioritizing the ATO risk. The barriers to managing the risk of ATO fraud are that only 41 percent of respondents say senior leadership makes it a priority to prevent ATOs, and only 38 percent of respondents say their agency regularly assesses the ability of its IT systems to prevent and detect fraud. As a consequence, only 37 percent of respondents say most ATO attacks are quickly detected and remediated, and only 28 percent of respondents say their agency has a comprehensive view of its customers' accounts.
To address the increase in account takeover attacks, agencies should consider a layered fraud management solution based on risk-based identity and device authentication. On average, agencies have experienced 18 ATOs in the past two years. More than half (53 percent) of respondents say ATO attacks have significantly increased (19 percent) or increased (34 percent) over that period. Sixty-five percent of respondents say their agencies use two-factor authentication to reduce ATOs.
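The following is an added illustration of what "risk-based identity and device authentication" means in practice; it is example code written for this summary and is not part of the Ponemon/TransUnion study or any product it describes. It assumes a simple additive risk model with two signals the study's respondents single out: an unrecognized device for the account (the device-authentication layer) and many distinct accounts being tried from one IP address inside a short window (a credential-stuffing pattern). The thresholds, the score weights, the `LoginAttempt`/`RiskEngine` names and the login attempts in the demo are all constructed for the example. The decision is meant to run after the password check: low risk is allowed, medium risk is stepped up to a second factor, high risk is blocked.

```python
"""Risk-based step-up authentication decision (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LoginAttempt:
    account: str
    ip: str
    device_id: str      # e.g. a device-binding cookie or app attestation id
    success: bool       # outcome of the password check
    at: datetime


@dataclass
class RiskEngine:
    # All weights and thresholds are assumptions for the example.
    window: timedelta = timedelta(minutes=10)
    max_accounts_per_ip: int = 5          # more than this in `window` => stuffing
    unknown_device_score: int = 40
    stuffing_score: int = 50
    step_up_threshold: int = 40
    block_threshold: int = 80
    known_devices: dict = field(default_factory=lambda: defaultdict(set))
    ip_history: dict = field(default_factory=lambda: defaultdict(deque))

    def enroll_device(self, account: str, device_id: str) -> None:
        """Mark a device as trusted for an account (after a successful step-up)."""
        self.known_devices[account].add(device_id)

    def _record(self, attempt: LoginAttempt) -> None:
        """Append the attempt to the per-IP history and drop entries outside the window."""
        hist = self.ip_history[attempt.ip]
        hist.append((attempt.at, attempt.account))
        while hist and attempt.at - hist[0][0] > self.window:
            hist.popleft()

    def score(self, attempt: LoginAttempt) -> tuple[int, list[str]]:
        """Return an additive risk score and the reasons that contributed to it."""
        self._record(attempt)
        score, reasons = 0, []
        if attempt.device_id not in self.known_devices[attempt.account]:
            score += self.unknown_device_score
            reasons.append("unrecognized device for account")
        distinct = {acct for _, acct in self.ip_history[attempt.ip]}
        if len(distinct) > self.max_accounts_per_ip:
            score += self.stuffing_score
            reasons.append(f"{len(distinct)} distinct accounts from {attempt.ip} in window")
        return score, reasons

    def decide(self, attempt: LoginAttempt) -> tuple[str, list[str]]:
        """Map the score to allow / step_up / block."""
        score, reasons = self.score(attempt)
        if score >= self.block_threshold:
            return "block", reasons
        if score >= self.step_up_threshold:
            return "step_up", reasons
        return "allow", reasons


def demo() -> list[str]:
    """Constructed scenario: a returning user, the same user on a new device,
    then a burst of different accounts tried from a single IP."""
    eng = RiskEngine()
    eng.enroll_device("alice", "dev-1")
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    decisions = []
    decisions.append(eng.decide(LoginAttempt("alice", "203.0.113.5", "dev-1", True, t0))[0])
    decisions.append(eng.decide(LoginAttempt("alice", "203.0.113.5", "dev-9", True, t0))[0])
    for i in range(6):   # six accounts from one IP within seconds
        a = LoginAttempt(f"user{i}", "198.51.100.7", "dev-x", False, t0 + timedelta(seconds=i))
        decisions.append(eng.decide(a)[0])
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The per-IP velocity check is what catches credential stuffing that a per-account lockout never sees: each account is tried once, so no single account crosses a failure threshold, but the source address does. A production engine would add further layers (IP reputation, impossible-travel geolocation, behavioural signals) and store history in a shared cache rather than process memory, but the decision structure is the same.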
Policies for the prevention and detection of fraud are not reviewed as frequently as they should be. The threat landscape is constantly evolving, but only 25 percent of respondents say these policies are reviewed monthly (12 percent) or quarterly (13 percent).
Accountability for managing fraud risks is dispersed throughout the organization. A possible reason for not prioritizing digital fraud risks is that no single function emerges as most accountable. Twenty-one percent of respondents say compliance/legal is most accountable, and only 19 percent of respondents say the IT security leader is.
Without the necessary security technologies and support from senior leadership, it is difficult for agencies to be effective in protecting customers’ personal information.
Fifty percent of respondents say their agencies are very effective or effective in reducing customer fraud, which means the other half rate their agencies as not effective. Only 41 percent of respondents say their agencies are very effective in protecting customers' personal information, and only 38 percent say they are very effective in detecting and preventing account takeover fraud.
Customers are frustrated with the security and convenience of government websites. Only 27 percent of respondents say customers are satisfied with the convenience and 26 percent of respondents say customers are satisfied with the security of the website. As discussed previously, only 37 percent of respondents believe it is easy for customers to notify agencies if they believe their account has been compromised.
Artificial intelligence (AI) and improvements in identity authentication are considered important to improving the customer experience. Sixty-five percent of respondents say AI decision-making tools/technologies and interconnected devices will improve their ability to track customers' status, and thereby improve the security and convenience of access to online accounts. Sixty-one percent of respondents say improvements in identity authentication will improve the state of access governance and, therefore, improve customers' user experience.