It’s no secret that cybersecurity is top of mind for public-sector CIOs, particularly with the public’s personal data at risk.
While technology is an important tool in combatting cyberthreats, firewalls and strategies like microsegmentation are only half the battle when it comes to preventing breaches and minimizing their impact.
“As much as you want to put firewalls in place and every other security policy in place, a human is still going to be your weakest point into your network,” said Valecia Stocchetti, CERT manager at the Multi-State Information Sharing and Analysis Center (MS-ISAC), speaking at the Public Technology Institute’s National Symposium on Cybersecurity & Local Government in Washington, D.C., on May 23.
She notes that staff who aren’t trained to recognize phishing attacks can take down even the most sophisticated systems.
“One of the things that people don’t realize is that [a nasty malware infection] is just caused by a click of a button, and that’s it, one person and then one other weak security policy in place, where they don’t have SMB blocked from workstation to workstation, and then it’s a recipe for disaster.”
Even beyond regular staff, however, Stocchetti says that executives are often reluctant to shut down their network, which is usually necessary to prevent the spread of an infection.
“No one wants to pull the plug on their network and no one wants to be down for more than a few hours, but if you don’t do it right away you could be facing even more problems in the future,” Stocchetti added.
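The “weak security policy” Stocchetti describes, SMB left open between workstations, is what lets a single click on one machine turn into a network-wide outbreak. The following is an added example, not code from the article or from MS-ISAC, showing how a Windows administrator can audit for that gap and close it with a host-based firewall rule. The workstation subnet ranges are assumed values and must be replaced with your own; the rule targets only peer workstations so that ordinary access to file servers is unaffected.

```powershell
# Added example (not from the article or MS-ISAC): stop workstation-to-workstation SMB.
# Assumed: workstations live in 10.0.10.0/24 and 10.0.11.0/24. Replace with your own ranges.
# Run in an elevated PowerShell session on a workstation, or deploy the same rule via GPO.

$WorkstationSubnets = @('10.0.10.0/24', '10.0.11.0/24')   # assumed values

# 1. Make sure the host firewall is actually enforcing rules on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# 2. Audit: which enabled inbound rules currently allow TCP 445 (SMB) on this host?
$allowSmb = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $_ | Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
    }
if ($allowSmb) {
    Write-Host 'Inbound SMB is currently allowed by these rules:' -ForegroundColor Yellow
    $allowSmb | Select-Object DisplayName, Profile, Enabled | Format-Table -AutoSize
}

# 3. Mitigate: block inbound SMB when the source is another workstation.
# In Windows Defender Firewall a Block rule wins over any matching Allow rule,
# so this overrides the built-in "File and Printer Sharing (SMB-In)" allows
# for traffic from peer workstations only; file servers are not in the list.
New-NetFirewallRule -DisplayName 'Block inbound SMB from peer workstations' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $WorkstationSubnets -Action Block `
    -Profile Domain,Private,Public -Enabled True

# 4. Verify the new rule is in place.
Get-NetFirewallRule -DisplayName 'Block inbound SMB from peer workstations' |
    Select-Object DisplayName, Enabled, Action, Direction
```

Step 2 is the check to run before changing anything: on most workstations it will list the default file-and-printer-sharing rules, which is exactly the exposure the quote refers to. If a management tool genuinely needs inbound SMB to workstations, put its servers on a separate subnet that is not in the block list rather than weakening the rule.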
Constant Training Combats Human Error
How can agencies and departments work to inoculate themselves against viruses or shut down these cyberattacks before they spread to catastrophic levels?
“Education and training is a big part of it,” says Stocchetti.
This can include implementing internal phishing exercises that can help IT teams identify which staff might be vulnerable to phishing emails and to then educate these staff members on what an attack might look like and how to avoid it. Governments in Kansas City and Westland, Mich., have implemented phishing exercises like these to prepare employees for possible scams.
Stocchetti herself has fallen victim to an internal phishing exercise, noting that it can happen to even the most tech-savvy employees, and so government agencies should be prepared and keep education and training constant.
“As much as you can invest all those resources, we’re still human, we still have emotions, we still have our own brain and you can’t … control that, and that’s the scariest part,” said Stocchetti.