May 17 2021

Employee Vulnerability to Social Engineering Remains a Key Threat to Government

How can agencies protect users from continuing spear-phishing attacks?

In 2018, Dmitri Alperovitch, co-founder and at that time CTO at CrowdStrike, warned that the U.S. government was “exceptionally vulnerable” to cyberattacks. Key vulnerabilities he highlighted included an archaic and slow procurement process, poor threat detection and investigation, and institutional preference for offense instead of defense in intelligence work related to cyber adversaries.

Unfortunately, though it’s now 2021, not much has changed. If anything, the ongoing digitization of government databases, disruption caused by the coronavirus pandemic and the recent rise in remote work have further increased government agencies’ attack surfaces, making the situation even more perilous from a cybersecurity point of view.

Case in point: Last year, government organizations accounted for 12.5 percent of data breaches analyzed by Tenable in its 2020 Threat Landscape Retrospective, the third-most-targeted economic sector, after healthcare and education. It’s important to note that the vast majority of data breaches are caused by social engineering and phishing attacks.

What makes government organizations such an attractive target for cybercriminals? On one hand, government agencies collect and maintain a swath of personally identifiable information as well as critical national security secrets. On the other, many agencies — whether they’re local, regional or state entities — still struggle with cybersecurity basics, which leaves personal and classified information vulnerable to theft.

The U.S. Government Accountability Office issued about 3,000 recommendations in the past decade on how government agencies could improve their networks’ security, almost 20 percent of which were never fully heeded and 75 of which fell under “highest priority” recommendations.

Social Engineering Is a Growing Threat

While in the past, cyberattacks tended to rely on botnets that automatically sniffed out security vulnerabilities, today the more “sophisticated” hack is actually less sophisticated.

Known as social engineering, this type of attack is on the rise and involves targeting people, either by collecting personal information from online sources to establish fake credentials or fooling agents of the state into simply handing over needed intelligence.

Social engineering attacks come in many different forms, the oldest of which is probably phishing. However, phishing itself encompasses various types of attacks.

Spear-phishing is arguably the most powerful and dangerous of them all. Unlike standard phishing attacks that rely on sending generic messages to a large volume of people in the hopes that at least some of them will disclose personal information or click on a malicious link, a spear-phishing attack is highly personalized — and therefore more likely to succeed.


Employees’ Personally Identifiable Information Spurs Phishing

Although software-based defenses against cyberthreats have evolved significantly in recent years, threat actors have also increased their focus on exposing the human threat vector within government organizations.


As a result, the most dangerous attacks today are often launched through advanced social engineering and phishing scams. An example of this evolution can be seen by looking at the rising threat created by spear-phishing attacks.

Carefully crafted to get a single individual to respond, spear-phishing emails are now so convincing they can fool experts. In 2017, for example, a U.K.-based prankster successfully spear-phished both the first family and the White House staff. One of the victims was former Homeland Security Advisor Tom Bossert, who, thinking he was talking to the president’s son-in-law and adviser, Jared Kushner, shared his personal email address without even being asked to do so.

The vast abundance of personal information available on just about anyone online makes spear-phishers’ job much easier. With over 230 data brokers selling details on 99 percent of all adult Americans, and easy access available to social media accounts, it is not difficult for a malicious actor to find out a government employee’s email address, phone number and even hobbies and interests.


Why Governments Are Vulnerable to Social Engineering Attacks

Several factors make government agencies particularly vulnerable to social engineering attacks. The use of outdated legacy systems is one of them. Government IT is antiquated and tends to involve data-transfer standards that are years behind the norm in the private sector.

When data moves from one government agency to another, or among several agencies or bureaucracies, it often has to be “manually” transferred via less secure methods like portable temporary storage or email.

For cybercriminals, this creates a golden opportunity for very simple methods of theft. Social engineering attacks, rather than boutique malware, have become the primary methods for threat actors targeting government departments.

High volume and overly bureaucratic public processes are partly to blame here. Government agencies have simple, rigid procedures that are rarely scrutinized for vulnerability; if a request is made and it seems valid, it’s usually processed. Anyone with superficial knowledge of what boxes need to be ticked can easily spoof what appears to be a legitimate request and, in this way, trick public service workers into sharing critical access or information.

Systems that handle large volumes of data requests are uniquely vulnerable. Security Scorecard’s “2018 Government Cybersecurity Report” highlights court systems, municipal utilities, bill payment services, traffic control, voter registration data and unemployment offices as especially weak. You don’t have to look far to see real-world examples of hackers breaching these kinds of departments.

In early 2021, a breach of the Washington Employment Security Department exposed about 1.3 million people in that state, and in April, there was an attempted cyberattack on a Kentucky unemployment insurance site.

“Systems that handle large volumes of data requests are uniquely vulnerable.”

Rob Shavell, CEO, Abine/DeleteMe

Inadequate government employee cybersecurity training makes the above more likely to happen. A 2020 IBM Security study found that only 38 percent of local and state employees in IT, security, education and emergency services departments have been given any training in ransomware prevention, including on the threat of social engineering and on basic security hygiene in the workplace.

However, hackers don’t necessarily need to hack a government agency if they can breach a government contractor or spoof being a government contractor themselves. Government agencies deal with thousands of approved vendors daily, and the data exchanges between these groups are often subject to reduced security protocols.

Frequently, hacks result in data losses over extended periods of time. The SolarWinds hack is the most notorious example, but if you look at all the public sector hacks that took place within the past year, about half of them happened via third parties. For example, the breach that affected the Washington Employment Security Department earlier this year resulted from vulnerabilities in a file-transfer service sold by the third-party software vendor Accellion and used by the department. In another example, a hack of the enterprise building security startup Verkada exposed a handful of U.S. government agencies and prisons.


Adopting a Proactive Stance Against Phishing

To defend against cyberattacks, government entities need to adopt a proactive stance against phishing, which should include a combination of policies, controls and procedures.

Phishing attacks rely on human error. For this reason, the first line of defense for any government agency should be to create a culture of cybersecurity awareness. Agencies need to carry out ongoing cybersecurity training sessions that call employees’ attention to the current phishing techniques used by cybercriminals and teach them how to identify these attacks.

Simulated phishing campaigns can reinforce employee training, whereas red team cybersecurity exercises (as noted by GovTech Singapore) can help agencies assess their cyber vulnerabilities in the real world.

Strengthening an agency’s internal audit systems can also help expose potential pathways that a phishing attack could take into the organization. Similarly, data analytics, machine learning and artificial intelligence tools can help flag any irregularities that might signal an attack in progress.

For example, ML tools can examine communication patterns in an organization and detect and block spear-phishing attacks even if they don’t include malicious links or attachments.
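As an added illustration (not from the original article or from any vendor's product), the sketch below uses simple rules as a stand-in for the ML tools mentioned above: it learns a baseline of who writes to whom, then flags a message with no links or attachments whose display name matches a known colleague but whose address does not. All names, addresses and messages are constructed sample data.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample mail (all names, addresses and text are invented).
HISTORY = [
    "From: Dana Reyes <dana.reyes@agency.example>\nTo: sam.lee@agency.example\n"
    "Subject: Budget\n\nDraft is on the shared drive.",
    "From: Dana Reyes <dana.reyes@agency.example>\nTo: sam.lee@agency.example\n"
    "Subject: Re: Budget\n\nThanks.",
]
INCOMING = [
    "From: Dana Reyes <dana.reyes@agency.example>\nTo: sam.lee@agency.example\n"
    "Subject: Re: Budget\n\nUpdated numbers are ready.",
    "From: Dana Reyes <d.reyes.office@mail.example>\nTo: sam.lee@agency.example\n"
    "Reply-To: dreyes@webmail.example\nSubject: Quick favor\n\n"
    "What is your personal email address?",
]

def parse(raw):
    """Return (display name, sender, recipient, reply-to), lower-cased."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    recipient = parseaddr(msg.get("To", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return name.strip().lower(), sender.lower(), recipient.lower(), reply_to.lower()

def build_baseline(history):
    """Learn which addresses each display name uses and who has written to whom."""
    name_addrs, contacts = {}, {}
    for raw in history:
        name, sender, recipient, _ = parse(raw)
        name_addrs.setdefault(name, set()).add(sender)
        contacts.setdefault(recipient, set()).add(sender)
    return name_addrs, contacts

def score(raw, baseline):
    """List the ways a message deviates from the learned communication pattern."""
    name_addrs, contacts = baseline
    name, sender, recipient, reply_to = parse(raw)
    reasons = []
    if name in name_addrs and sender not in name_addrs[name]:
        reasons.append("known display name, unseen address")
    if sender not in contacts.get(recipient, set()):
        reasons.append("first contact with recipient")
    if reply_to and reply_to != sender:
        reasons.append("Reply-To differs from From")
    return reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for raw in INCOMING:
        print(score(raw, baseline) or "matches baseline")
```

In practice the baseline would be built from a mail gateway's message logs, and a flagged message would be quarantined or bannered for the recipient rather than silently dropped.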

Ultimately, the best way to reduce the likelihood of a spear-phishing attack is to prevent cybercriminals from accessing public servants’ personal information in the first place. With no access to sensitive data, threat actors will find it challenging to create emails that persuade employees to share personal information with them.

Although minimizing the digital footprint left by employees in the past isn’t easy, a good place to start is to ask staff to audit their own presence on the internet. After searching for their names online, public servants may realize that their social media accounts are too revealing or that their personal information is listed on countless data broker sites.

While removing data from data broker sites is a tedious and at times complicated process, government agencies can take advantage of data broker removal services that automatically opt public servants out of such sites — and make sure they stay off them for good.

With social engineering attacks on the rise, it is clear that no industry is off-limits for threat actors. However, while government agencies are inherently vulnerable, there are nonetheless plenty of steps they can take to reduce the risk of falling prey to phishing attacks.

By cutting off ammunition for threat actors through employee personal information removal and deploying effective tools and training strategies, government departments can take back control of their cybersecurity.
