By Lisa Carroll, Public Sector Lead, Microsoft Canada
Our “Ask the Expert” series features notable public sector leadership voices to share insights about how their organizations are embracing new technology to improve their operations and become future-ready. In this installment, we’re featuring the Government of Alberta.
Three years ago, the Government of Alberta had almost no presence in the cloud, but with the onset of the pandemic, they were compelled to drive a rapid digital transformation initiative in order to enable remote work and meet the needs of their citizens. This technological transformation came with no shortage of security concerns – driven, in part, by both increased understanding of the modern cybersecurity landscape and by persistent media coverage of cyberattacks not just in Canada, but worldwide. Additionally, transitioning to the cloud requires a change in attitude and culture which can be one of the most challenging parts of implementing a new cybersecurity plan.
To share more, about how they transformed a legacy system into a digital environment servicing over 30,000 users, we’re joined by Martin Dinel, Assistant Deputy Minister and Chief Information Security Officer for the Cybersecurity Services division of Service Alberta.
What was your team’s top priority as you embarked on this digital transformation project?
As we modernized our systems and processes, security was top-of-mind. We evolved our digital security strategy from a reactive posture, to a more proactive one, which means identifying the threats ahead of time. To achieve this, a key proactive measure the team took was implementing multifactor authentication. Because hackers don’t break in – they sign in. By enabling multifactor authentication for employees, behaviour analysis fraud detection systems, and other automated tools, we are able protect user identities proactively, to help mitigate evolving security threats.
Another measure the team took was focusing on rebuilding the organization’s cyber hygiene which is one of the most overlooked parts of a cyber strategy. Cyber hygiene is all about training your teams to think proactively about cybersecurity. Its also important for us to regularly conduct activities like backups, training, patch management and online discretion regularly. These actions all help to maintain the health and security of users, devices, networks and data. By treating cybersecurity practices as a routine, we have been able to mitigate online breaches.
What role did your internal culture play in the success of this project?
One of our cybersecurity strategy’s pillars is to increase information security awareness. Not only did we train our technical cybersecurity team with the new technology, but we also provided ongoing training to all employees to recognize and respond to cyber threats to keep our organization more secure. Ensuring that all employees understand how their actions can put the organization at risk, know how to spot threats and who to report them to is all part of our larger cybersecurity plan. Our employees now recognize that cybersecurity is everyone’s responsibility and understand that they each have a role to play in keeping our data and their own personal data safe.
So, while it is crucial to stay focused on the technical basics of good cyber hygiene, there is also the human resources side of things. When all users are aware of the impact their actions could have on the entire organization, we are in a better posture to protect against rising sophisticated threats.
To create this internal culture, the GoA has made annual cybersecurity training mandatory, using short and regularly updated content for all staff across the organization. Cybersecurity Services also performs annual social engineering tests (such as phishing tests) to gauge the success of the training program and to provide insights into which components of the program must be improved upon.
Digital transformation is an ongoing process, but looking back on the last two years, what is something you consider to be a big win?
Our team has worked persistently to put our operations in competitive, modern standing through the implementation of this new technology. Alberta’s standard practice is now digital by default, with 95% of our new solutions implemented securely in the cloud.
The undisputed benefits for us like scalability, speed, flexibility, and cost saving helps us meet the urgent need for digital citizen services and to support a hybrid work model for a workforce that until two years ago worked entirely “in office.” The cloud is vital to building a resilient and robust operation, but we can’t build modern digital infrastructure without a secure foundation.
Since upgrading using Microsoft Security tools, we have stopped at least 1,000 attacks each month. It’s an incredible feat to have the technology and talent that can efficiently identify threats and protect Alberta’s citizens as we continue this transformation and look to expand our public-facing digital platforms.
