Email "Phishing" attacks on employees are the surest way for hackers to gain entry to a government's network. With staff training, it doesn't have to be.
Phishing attacks account for more than 90 percent of data breaches.
Go ahead and read that again... The jaw-dropping statistic from Verizon’s Data Breach Digest includes so-called “social-engineering” efforts designed to trick individuals into unknowingly granting access to a malicious actor by doing something as simple and innocent as changing their password when prompted by an email.
One of, if not the most common ways to launch a cyber attack is via a Phishing campaign. Coming in the form of a seemingly innocuous email, which ultimately contains links or documents with embedded malware, all it takes is one click for nefarious code to be installed on a network. For local governments which employ hundreds if not thousands of employees, Phishing is the perfect tool for hackers to gain access to critical records and operations. This means that while government employees are the preferred target of cyber criminals, the same employees also represent the first line of defense against an attack.
Regardless of motivation or method, all hackers want the same thing: to find a point of entry to gain system access. Once inside hackers look for things like event logs, registry keys, network config files and the main prize—admin credentials. With admin credentials, nearly anything in the system can be installed, uninstalled, opened, closed, altered, edited, copied, imported, exported, deleted, encrypted, or held ransom. And it only takes a few minutes.
According to Forbes, municipalities are low-hanging “cyberfruit”, tempting targets for a host of reasons. Governments store and process vast amounts of personal and sensitive data digitally. Driver’s licenses, criminal records, property taxes, business registrations, real estate transactions—all digital data. That data is dollars to cyber attackers, either for their own use or for resale to others.
Local governments are also tempting because of physical technology weaknesses. Just take a look at the often decades old computer system infrastructure many governments still utilize, both hardware and operating systems. Moreover, these “legacy systems”—an almost Orwellian euphemism for “outdated and poorly maintained”—carry with them equally dated IT architecture and security protections. The processes and procedures might be well-suited for whatever was installed decades ago, but are hopelessly obsolete relative to the state of current technologies.
While there may not be a universal cure-all, there are well-established frameworks to follow in order to vastly enhance local governments’ security posture. One of the most comprehensive is the National Institutes of Standards and Technology Cybersecurity Framework. The best practices of the NIST and other cybersecurity professionals can be applied by any municipality, large or small, to be more proactive and better defended. In fact, GovPilot offers local governments cybersecurity advisory services which adhere to the NIST framework.
For the many local governments across the U.S. playing catch-up when it comes to cybersecurity and IT infrastructure upgrades, it is critical to keep in mind a concept that one IT security professional explained in a recent interview with Forbes, “My IT security team has 40,000 people. Everyone who works here is an IT security guard.” Correspondingly, ongoing security awareness and well-designed and regularly implemented training for staff is an essential part of that awareness. If 90% of data breaches are initiated through phishing attacks, it is paramount that the targets of those attacks - employees - are properly and regularly trained to spot potentially malicious emails and links, and are prepared to act when they do. Our own staff here at GovPilot regularly conduct security awareness training, and it is something we offer to local governments as part of our cybersecurity advisory services.
After all, comprehensive employee training can halt a cyber attack before it begins, and that is worth its weight in gold… or Bitcoin… whatever it is that ransomware criminals hold governments hostage for these days.