The public sector has the second-highest click rate for phishing attacks, so it is paramount to teach employees how to spot a phish and raise their overall level of security awareness. Tools such as Cofense’s PhishMe and KnowBe4’s Security Awareness Training use simulated attacks to test susceptibility and provide a way for users to report suspected phishing. These tools have been shown to reduce the click rate by 90 percent in 12 months.
Usernames and passwords have also become a problem. The average user has more than 130 individual accounts for which he or she needs to use strong passwords, and change them frequently. It’s a daunting task, and many people use the same credentials to access multiple sites — for work, banking, social media and other uses. If one of these sites is breached, hackers can use the credentials to gain access to multiple other sites.
Authentication management solutions such as Symantec’s Integrated Cyber Defense Platform can reduce the reliance on passwords and protect sensitive applications, data and systems. They include multifactor authentication, using biometric or security tokens to make it easy for users to do their job without memorizing hundreds of password combinations. (Savvy managers should also encourage their employees to use a password manager for their nonwork credentials.)
Keep Software Up to Date with Patch Management Tools
There are practices and activities that can go a long way toward further reducing the attack surface, without breaking the budget.
One of the most important security practices is keeping users’ browsers and operating systems up to date to avoid ransomware and other attacks that exploit vulnerabilities. The same goes for updating software and applications. Unfortunately, the average time to patch a critical vulnerability is 30 days; meanwhile, the hacker is busy exploiting known weak spots.
Vulnerability management systems, such as Tenable.io Vulnerability Management, study the assets on a network and report on which ones have known vulnerabilities. Patch management systems, such as SolarWinds Patch Manager, can then prioritize and automate patching of the most important weaknesses.
Breaches are a matter of when, not if. Government organizations should ensure their systems can detect and recover from a breach and continue to provide services. Yet many small organizations don’t even have an in-house IT staff. It’s time to consider ways to centralize IT networks at the local, county or state level. Organizations that share the same standards and systems for data storage and network operation will be better able to withstand an eventual attack.
These simple steps can move state and local governments out of the category of low-hanging fruit, and encourage hackers to look elsewhere.