For state and local government websites, hacking, ransomware and other attack vectors are a constant threat.
In September, Montgomery County, Ala., paid out thousands in bitcoin after a ransomware attack took its systems offline. And in June, a slew of website hacking events disrupted local government websites in Washington, Ohio, Brookhaven, N.Y., and Howard County, Maryland.
While in most cases citizen data is not compromised by such attacks, tight budgets leave government websites particularly vulnerable to cyberthreats, often making them “low-hanging fruit” for hackers, says Karen Scarfone of Scarfone Cybersecurity.
“A local government site might not be monitored around the clock. It might not have the IT resources that larger organizations would have,” says Scarfone, adding that from a staffing perspective, local government IT teams may also lack the resources to peer-review their work, which lets more cybersecurity vulnerabilities slip through.
Scarfone advises four best practices that agencies can adopt to keep their websites secure against the possibility of attack.
1. Keep Apps and Patches Up-to-Date
For a start, IT teams should ensure the apps that websites are using are the latest possible versions.
“Whether it’s the operating systems on the web server, the web server software or the app code that may be running on that web server, keep all those up-to-date,” says Scarfone.
2. Consider Outsourcing Security
With government IT teams stretched thin, outsourcing some of the security work to vendors could make a real difference in how well government websites defend against attack, while also giving agencies a “bigger bang for their buck,” Scarfone says.
“There are several providers out there that offer external website security for very reasonable rates,” says Scarfone. “In many cases it would be much more cost-effective for local government agencies to use a vendor service. Especially if their site is being used to take payments for the public, to access taxpayer information, or anything that involves sensitive information, it would be particularly important for them to look at outsourcing.”
3. Use Third-Party App Solutions
While creating an internal app may not seem like much of a hassle, maintaining the app’s security throughout its development and lifecycle could become cumbersome in the future, Scarfone adds.
She notes that it may make more sense for agencies to use a cloud-based app platform to develop and maintain apps instead.
“It is probably going to be more secure than anything a government IT team would be able to put together,” she says.
But when engaging a vendor, it’s also important to ensure the company is on the same page as the IT team regarding responsibilities and agency needs.
“Ensure that you have clear contracts with the vendor and a good mutual understanding about who is responsible for what,” says Scarfone, noting that even if an agency chooses a “super deluxe” outsourcing package, the in-house IT team will still have some responsibilities.
“It’s really important that you talk to prospective providers,” Scarfone says. “Get recommendations from other agencies about what’s worked well for them and have clear agreements in place about how quickly they will respond to an issue, how the vendor will handle issues or work on weekends, holidays, times when you don’t have staff available.”
4. Tap Technology to Protect Citizen Data
Technology, of course, is a key component of defending data and of recovering data that may be compromised in an attack.
“There are whole classes of web-specific controls that you could deploy either on a web server or on an appliance that sits in front of a web server,” says Scarfone, pointing to web application firewalls and filtering technologies. “Even if your apps are being hosted in the cloud, cloud providers often offer those services as well.”
These technologies look for attacks coming into a web server and block them. But if external security fails, it’s also important to have technology in place to recover lost data.
“You may want to use data loss prevention technologies to make sure that nobody is stealing your taxpayer information from your server,” says Scarfone.