Oct 03 2019

Anti-Phishing Best Practices for State and Local Governments

IT leaders should enhance training, use least privilege security principles and plan for damage control if a phishing attack is successful.

Phishing remains the leading cause of data breaches. Bogus emails that con or coerce users into disclosing key personal data are responsible for the vast majority of successful cyberattacks across the public and private sectors.

While education has helped slow the rate of successful phishing attempts, there are still gaps where the misleading messages can get through. One thing to think about during National Cybersecurity Awareness Month, which kicked off Oct. 1: About 18 percent of those who clicked on test phishing links in 2018 were on mobile devices, according to Verizon’s “2019 Data Breach Investigations Report,” which says that mobile users can be more susceptible to phishing.

State government is not immune. Twenty-seven percent of state IT leaders view this kind of attack as the most prevalent threat to their systems, according to a 2018 survey by Deloitte and the National Association of State Chief Information Officers. Another 35 percent were most worried about ransomware, which can either be the result of a phishing attack (compromised credentials enable hackers to invade systems) or may be embedded within the actual phishing message. Taken together, this puts phishing front and center as a state concern.

“State government is a high-profile target for these kinds of attacks,” says Terrill Frantz, an associate professor leading the cybersecurity management and operations degree program at Harrisburg University of Science and Technology.

“People want to go where the money is. Or, if they are trying to make a point, then they want the bragging rights. That means state government will get a lot of attention from people looking to carry out these kinds of attacks,” he says. “More than just getting paid, through a ransomware attack, for example, people go after state government as a way to make a name for themselves.”

The Deloitte/NASCIO study points to a number of hurdles that keep states from effectively addressing phishing. These include a lack of sufficient cybersecurity budget, inadequate cyber staffing and the increasing sophistication of the cyber threat.

Despite these challenges, states have the means to address the phishing peril. With a combination of technical tools and sophisticated training, it is possible to significantly limit the chances of a successful attack.

Follow These Steps to Help Prevent Phishing Attacks

Make it easy. To effectively combat phishing, state workers need to be empowered to take direct and concrete action. Government employees are more apt to flag suspect emails when the process for doing so is simple and streamlined. For example, Illinois implemented a phishing alert button, which is embedded into all incoming emails. If an employee spots a suspect email, a simple click is all that is needed to alert a dedicated security monitoring team, triggering incident response for follow-up and monitoring.

Make it personal. “For the end user, there is no perceived consequence to getting this wrong,” says Alex Grohmann, a director on the Information Systems Security Association’s international board. To convince employees of the urgency of phishing prevention, IT needs to make it personal. “This is not just about the company or the institution being at risk; these practices protect them as individuals. This is something that could happen to them personally. They can be compromised at home and there’s no IT department to ride in and save you. When they understand that there can be personal consequences in this, they will be more likely to use good hygiene.”

Set effective limits. Email filtering tools can help prevent phishing; for example, by rejecting messages that contain suspicious links. But there’s a downside. 

“You can only ratchet up those tools to a certain level before you start to impact business operations, before you start blocking legitimate emails that maybe are time sensitive,” Grohmann says. “So, you have to do an ongoing balancing act. If you are doing business with a particular vendor or partner, for instance, you can have the IT department set up a secure mailbox so those messages get through. It takes time and effort, but it may be necessary in order to set effective limits that don’t interrupt your operations.”
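The balancing act Grohmann describes can be made concrete. The following is an added illustration, not code from the article or from any of the organizations it quotes: a small inbound-mail filter that flags links whose visible text points at one domain while the real target is another, or whose target is a raw IP address, and that rejects such mail except from partner domains IT has vetted (the “secure mailbox” arrangement in the text, approximated here by an allowlist). All domains, addresses and messages are constructed sample values.

```python
"""Inbound mail filter: reject mail with suspicious links, but let vetted partners through.

Added example (not from the article). Assumes sender authentication (SPF/DKIM/DMARC)
is enforced upstream; the From header alone is trivially spoofable, so the partner
allowlist below is only safe when the mail gateway has already verified the sender.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample value: partner domains IT has vetted (the "secure mailbox" exception).
TRUSTED_PARTNER_DOMAINS = {"vendor.example"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude registrable-domain reduction: 'mail.vendor.example' -> 'vendor.example'."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_findings(html):
    """Return one reason string per suspicious link; an empty list means no findings."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"raw IP address in link target: {href}")
        shown = re.search(r"https?://([^/\s]+)", text)  # does the visible text look like a URL?
        if shown and _registrable(shown.group(1)) != _registrable(host):
            findings.append(f"link text shows {shown.group(1)} but target is {host}")
    return findings


def _html_parts(msg):
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def classify(raw_message):
    """Return ('deliver' | 'reject', findings) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = [f for html in _html_parts(msg) for f in link_findings(html)]
    if not findings:
        return "deliver", []
    if sender_domain in TRUSTED_PARTNER_DOMAINS:
        # Partner exception: deliver, but keep the findings so the security team can review them.
        return "deliver", findings
    return "reject", findings


# Constructed sample messages (documentation-only domains and the 203.0.113.0/24 test range).
PHISH = """From: "IT Helpdesk" <helpdesk@attacker.example>
To: employee@state.example
Subject: Password expires today
Content-Type: text/html; charset=utf-8

<p>Your password expires today. Reset it here:
<a href="http://203.0.113.7/reset">https://portal.state.example/reset</a></p>
"""

PARTNER = """From: "Acme Billing" <billing@vendor.example>
To: employee@state.example
Subject: Invoice 4471
Content-Type: text/html; charset=utf-8

<p>Pay online: <a href="https://links.mailtracker.example/abc123">https://vendor.example/invoice/4471</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("partner", PARTNER)):
        decision, reasons = classify(raw)
        print(name, decision, reasons)
```

The partner message trips the same mismatch rule as the phish (its visible URL differs from the tracking-link target, a pattern common in legitimate vendor mail), which is exactly the kind of time-sensitive message a strict filter would block; the allowlist lets it through while still recording why it looked suspicious.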

Employees Respond Best to Realistic Anti-Phishing Training

Despite all preventive measures, there’s a good chance some phishing act will succeed, so assume the worst. With this in mind, it makes sense to organize systems around damage control, with role-based controls and network architecture all geared toward limiting an intruder’s access. 

“Machines should be isolated in their own networks. People should have the least amount of access needed to do their jobs,” says Shane Chagpar, a solution designer and instructor with IT consultancy Kepner-Tregoe. “The person in marketing shouldn’t be able to view and edit reports from the financial side. Or they should only be able to view certain reports. You have to be granular in how you grant access.”
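Chagpar’s point about granular access is easiest to see as a default-deny policy in which “view” and “edit” are separate grants. The block below is an added example, not code from the article or from Kepner-Tregoe; the roles, resource paths and request log are constructed sample values. It also includes a small audit helper that reports grants a role has never exercised, which is one practical way to find excess access to trim.

```python
"""Default-deny, role-based access check with an unused-grant audit (added example)."""
from fnmatch import fnmatchcase

# Constructed sample policy. Each role lists (action, resource pattern) grants; anything not
# listed is denied. "view" and "edit" are distinct so a role can see a report without changing it.
POLICY = {
    "marketing": [
        ("view", "reports/marketing/*"),
        ("edit", "reports/marketing/drafts/*"),
        ("view", "reports/finance/summary-*"),   # marketing may see finance summaries only
    ],
    "finance": [
        ("view", "reports/finance/*"),
        ("edit", "reports/finance/*"),
    ],
}


def is_allowed(roles, action, resource):
    """Default deny: True only when some role of the user grants this exact action on the resource."""
    for role in roles:
        for granted_action, pattern in POLICY.get(role, ()):
            if granted_action == action and fnmatchcase(resource, pattern):
                return True
    return False


def evaluate(roles, requests):
    """Decide a batch of (action, resource) requests; returns (action, resource, 'allow'|'deny') tuples."""
    return [(a, r, "allow" if is_allowed(roles, a, r) else "deny") for a, r in requests]


def unused_grants(role, observed):
    """Grants of `role` that no observed (action, resource) access ever matched: candidates to revoke."""
    return [
        (action, pattern)
        for action, pattern in POLICY[role]
        if not any(action == oa and fnmatchcase(orr, pattern) for oa, orr in observed)
    ]


if __name__ == "__main__":
    # Constructed request log for a marketing user.
    requests = [
        ("view", "reports/marketing/q3.pdf"),
        ("edit", "reports/finance/ledger.xlsx"),
        ("view", "reports/finance/summary-q3.pdf"),
    ]
    for line in evaluate(["marketing"], requests):
        print(line)
    print("never used by marketing:", unused_grants("marketing", [(a, r) for a, r in requests]))
```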

Phishing schemes are psychological in approach: The scammers know that people who are stressed, hurried or under pressure are more likely to respond to an urgent-sounding message. One key way to stop the clicks is to build a friendlier, less harried workplace. 

“Pressure and stresses lead to people clicking on emails,” says Daniel Norman, a research analyst with the Information Security Forum. “So, if you can reduce the stress and reduce the pressure, if you can create a more positive work environment, that is actually going to reduce the likelihood of people clicking on phishing emails.”

Anti-phishing awareness doesn’t come from a PowerPoint deck. It comes from hands-on, realistic exercises.

“You might have a Bed Bath & Beyond coupon that looks very real. Or you put things in the email that make people mad: ‘Click here to see pictures of your spouse with someone else,’” says Bruce Beam, CIO of (ISC)2, a nonprofit membership association of certified cybersecurity professionals. “If people are going to learn, the training has to be realistic. It has to be convincing.”
