Inadequate government employee cybersecurity training makes the above more likely to happen. A 2020 IBM Security study found that only 38 percent of local and state employees in IT, security, education and emergency services departments have been given any training in ransomware prevention, including on the threat of social engineering and on basic security hygiene in the workplace.
However, hackers don’t necessarily need to hack a government agency if they can breach a government contractor or pose as one themselves. Government agencies deal with thousands of approved vendors daily, and the data exchanges between these groups are often subject to reduced security protocols.
Frequently, hacks result in data losses over extended periods of time. The SolarWinds hack is the most notorious example, but if you look at all the public sector hacks that took place within the past year, about half of them happened via third parties. For example, the breach that affected the Washington Employment Security Department earlier this year resulted from vulnerabilities in a file-transfer service sold by the third-party software vendor Accellion and used by the department. In another example, a hack of the enterprise building security startup Verkada exposed a handful of U.S. government agencies and prisons.
Adopting a Proactive Stance Against Phishing
To defend against cyberattacks, government entities need to adopt a proactive stance against phishing, which should include a combination of policies, controls and procedures.
Phishing attacks rely on human error. For this reason, the first line of defense for any government agency should be to create a culture of cybersecurity awareness. Agencies need to carry out ongoing cybersecurity training sessions that call employees’ attention to the current phishing techniques used by cybercriminals and teach them how to identify these attacks.
Simulated phishing campaigns can reinforce employee training, whereas red team cybersecurity exercises (as noted by GovTech Singapore) can help agencies assess their cyber vulnerabilities in the real world.
Strengthening an agency’s internal audit systems can also help expose potential pathways that a phishing attack could take into the organization. Similarly, data analytics, machine learning and artificial intelligence tools can help flag any irregularities that might signal an attack in progress.
For example, ML tools can examine communication patterns in an organization and detect and block spear-phishing attacks even if they don’t include malicious links or attachments.
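The following is an added example, not code from the article or from any product it mentions: a small rule-based stand-in for the communication-pattern analysis described above, which builds a baseline of who normally writes to whom and scores new mail against it without looking at links or attachments. The sample messages, weights and threshold are constructed assumptions.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample mail metadata (From header, recipient, Reply-To); not real traffic.
HISTORY = [
    ("Dana Reyes <dana.reyes@agency.example>", "sam@agency.example", ""),
    ("Dana Reyes <dana.reyes@agency.example>", "lee@agency.example", ""),
    ("Acme Billing <billing@vendor.example>", "sam@agency.example", ""),
]
INCOMING = [
    ("Dana Reyes <dana.reyes@agency.example>", "sam@agency.example", ""),
    ("Dana Reyes <d.reyes@agency-mail.example>", "lee@agency.example", ""),
    ("Acme Billing <billing@vendor.example>", "lee@agency.example", "pay@other.example"),
    ("Newsletter <news@press.example>", "sam@agency.example", ""),
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def build_baseline(history):
    """Learn which addresses each display name uses and who has written to whom."""
    names, pairs = defaultdict(set), set()
    for from_hdr, rcpt, _ in history:
        name, addr = parseaddr(from_hdr)
        names[name.lower()].add(addr.lower())
        pairs.add((addr.lower(), rcpt.lower()))
    return names, pairs

def score(msg, names, pairs):
    """Return (score, reasons) for one message; weights are illustrative assumptions."""
    from_hdr, rcpt, reply_to = msg
    name, addr = parseaddr(from_hdr)
    name, addr = name.lower(), addr.lower()
    reasons = []
    if name in names and addr not in names[name]:
        reasons.append((3, "known display name from an unseen address"))
    if (addr, rcpt.lower()) not in pairs:
        reasons.append((1, "first contact between sender and recipient"))
    if reply_to and domain(parseaddr(reply_to)[1]) != domain(addr):
        reasons.append((2, "Reply-To domain differs from From domain"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]

def flag(incoming, history, threshold=3):
    """Return (From header, score, reasons) for messages at or above the threshold."""
    names, pairs = build_baseline(history)
    return [(m[0], s, why) for m in incoming
            for s, why in [score(m, names, pairs)] if s >= threshold]

if __name__ == "__main__":
    for sender, s, why in flag(INCOMING, HISTORY):
        print(f"{s} {sender}: {', '.join(why)}")
```

A first-contact message on its own stays below the threshold, so routine new correspondents are not flagged; it is the combination with a reused display name or a redirected Reply-To that raises the score.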
Ultimately, the best way to reduce the likelihood of a spear-phishing attack is to prevent cybercriminals from accessing public servants’ personal information in the first place. With no access to sensitive data, threat actors will find it challenging to create emails that persuade employees to share personal information with them.
Although minimizing the digital footprint left by employees in the past isn’t easy, a good place to start is to ask staff to audit their own presence on the internet. After searching for their names online, public servants may realize that their social media accounts are too revealing or that their personal information is listed on countless data broker sites.
While removing data from data broker sites is a tedious and at times complicated process, government agencies can take advantage of data broker removal services that automatically opt public servants out of such sites — and make sure they stay off them for good.
With social engineering attacks on the rise, it is clear that no industry is off-limits for threat actors. However, while government agencies are inherently vulnerable, there are nonetheless plenty of steps they can take to reduce the risk of falling prey to phishing attacks.
By cutting off ammunition for threat actors through employee personal information removal and deploying effective tools and training strategies, government departments can take back control of their cybersecurity.