Governments — federal, state and local — are increasingly attractive targets for cybercriminals. Investments in technology and automation to boost productivity and better serve constituents have the unfortunate side effect of increasing the attack surface. Hackers armed with powerful, inexpensive tools are evolving sophisticated methods to take advantage.
For state and local governments that have small or nonexistent security staffs, limited budget and expanding amounts of sensitive information to protect, working smarter is the name of the game.
Why the Public Sector Needs Smarter Cybersecurity
For the third year in a row, public sector organizations hold the dubious honor of being among the top three targets for data breaches. Many of the attackers are nation-state actors engaged in espionage, seeking to access sensitive information, disrupt voting systems and wreak havoc, perhaps by bringing down parts of the electrical grid.
While the threats grow stronger every day, state and local governments are ill-equipped to keep pace. Low budgets, lack of expertise and general nonchalance regarding security work weaken defenses. Stolen credentials make it easy for hackers, masquerading as legitimate users, to access systems and data. Any user — even senior management — can easily be tricked into giving up valuable information. And known vulnerabilities provide open doors into systems. Valuable information plus easy access equals an alluring target.
Fertilizing the Ground to Grow Stronger Cyberdefenses
The first step in solving any problem is acknowledging it, but it’s here that many organizations fall down. How many local and state officials know whether their systems have been hacked? As the adage goes, there are only two types of companies: those that know they’ve been compromised, and those that don’t know. In today’s world, that certainly applies to state and local government.
If attacks are inevitable, it makes sense to go beyond table stakes (anti-virus systems and user authentication via password) and shore up the weakest link, which is the organization’s people. Hacking into accounts, using stolen credentials, tricking users into giving up sensitive information — all of these are common methods to gain access. It’s obvious that everyone, at every level of an organization, is part of the problem and should be part of the solution.
Here are some concrete steps that any organization, regardless of staffing and budget, can and should take to make sure the most obvious security weaknesses are addressed.
Arm Users with Cybersecurity Knowledge and Tools
To enlist employees as a first line of defense, arm them with knowledge and tools. This means ensuring they can spot attempted attacks.
The most common attack is phishing, where an email entices the recipient to click on a link to a malicious website or open an email attachment, thus installing malware. Sophisticated attacks called spear phishing target individuals based on information easily obtained through social media.
The public sector has the second-highest click rate for phishing attacks, so it is paramount to teach employees how to spot a phish and raise their overall level of security awareness. Tools such as Cofense’s PhishMe and KnowBe4’s Security Awareness Training use simulated attacks to test susceptibility and provide a way for users to report suspected phishing. These tools have been shown to reduce the click rate by 90 percent in 12 months.
Usernames and passwords have also become a problem. The average user has more than 130 individual accounts for which he or she needs to use strong passwords and change them frequently. It’s a daunting task, and many people use the same credentials to access multiple sites — for work, banking, social media and other uses. If one of these sites is breached, hackers can use the credentials to gain access to multiple other sites.
Authentication management solutions such as Symantec’s Integrated Cyber Defense Platform can reduce the reliance on passwords and protect sensitive applications, data and systems. They include multifactor authentication, using biometric or security tokens to make it easy for users to do their job without memorizing hundreds of password combinations. (Savvy managers should also encourage their employees to use a password manager for their nonwork credentials.)
Keep Software Up to Date with Patch Management Tools
There are practices and activities that can go a long way toward further reducing the attack surface, without breaking the budget.
One of the most important security practices is keeping users’ browsers and operating systems up to date to avoid ransomware and other attacks that exploit vulnerabilities. The same goes for updating software and applications. Unfortunately, the average time to patch a critical vulnerability is 30 days; meanwhile, the hacker is busy exploiting known weak spots.
Vulnerability management systems, such as Tenable.io Vulnerability Management, study the assets on a network and report on which ones have known vulnerabilities. Patch management systems, such as SolarWinds Patch Manager, can then prioritize and automate patching of the most important weaknesses.
Breaches are a matter of when, not if. Government organizations should ensure their systems can detect and recover from a breach and continue to provide services. Yet many small organizations don’t even have an in-house IT staff. It’s time to consider ways to centralize IT networks at the local, county or state level. Organizations that share the same standards and systems for data storage and network operation will be better able to withstand an eventual attack.
These simple steps can move state and local governments out of the category of low-hanging fruit and encourage hackers to look elsewhere.