Local Government Cybersecurity: It’s (Really) Bad, but You Can Save It

 

local government cybersecurity
Local government cybersecurity is currently highly insecure, but the situation can be improved

Local government cybersecurity is in bad shape, and many local governments are being attacked at an escalating rate as a consequence.

Atlanta’s municipal government was crippled by a ransomware attack.

Baltimore’s 911 dispatch system was hacked by an unknown person or group.

The city of Allentown, Pennsylvania was attacked by malware known as Emotet.

And More than 2,000 Windows-based computers at CDOT offices in Colorado were brought down by a virus known as SamSam.

What do all these attacks have in common?

They all involve local governments and they all happened earlier this year.

Your local government could be next.

To help you prevent a potential attack, we’ll show you why local government cybersecurity is in such poor condition, the top threats local governments face, and a few surefire local government IT solutions you can implement immediately.

How Bad is State and Local Government Cybersecurity?

Really, really bad.

At least, according to the Cybersecurity 2016 Survey conducted by the International City/County Management Association (ICMA), in partnership with the University of Maryland, Baltimore County (UMBC).

Here’s what they found:

  • 44% of all respondents said they experience cyberattacks on a daily basis
  • 39.9% of local governments DO NOT catalog and count attacks
  • 66.4% of local governments use an informal system of cybersecurity management, as opposed to a formal system
  • 62.4% of local governments have NO IDEA whether they’re being breached or not
  • 51.3% of local governments say they’re not practicing better cybersecurity because they receive no end-user training whatsoever

These are dismal findings and point to a worrying lack of proactive steps being taken to protect vital information and infrastructure in local governments across the nation.

The most disturbing data-point is the non-existence of cybersecurity training for end-users since end-users are most likely to fall prey to a hacker’s traps and tricks.

Without a formal system of cybersecurity, a record of attacks, and proper cybersecurity training, you’re exposing your agency to a variety of serious cyberthreats.

What are the Greatest Cybersecurity Threats to Local Governments?

We recently listed cybersecurity predictions for 2018 that don’t look good, but we didn’t focus specifically on cyberthreats.

So we looked at what others predict as the greatest cyberthreats to local government. Here are a few we found from OneNeck IT Solutions:

Denial of Service Attack (DDoS)

A DDoS attack is a cyberthreat that attempts to shut down a system or make it inoperable by flooding it with traffic from multiple sources.

Hackers build networks of infected computers, called botnets, by spreading malicious software to machines – allowing them to control those infected computers remotely to carry out a DDoS attack.

This is a favorite attack used against governments. Even the NSA website was brought down by a DDoS attack.

Social Engineering

Social engineering is a catch-all term that refers to various methods of manipulation used against end-users to install malicious malware or steal data.

Phishing is one of the most common forms of social engineering. It relies on fake emails embedded with malicious links that install malware when clicked or fake websites that steal your login information after you’ve entered it.

All forms of social engineering attempt to trick you into giving the hackers control over your machine or access to information they can use to extort your agency.

Advanced Persistent Threats (APT)

APT is a set of continuous computer hacking processes that use stealth tactics to infiltrate your network and remain undetected for as long as it takes to gain access to privileged information and steal sensitive data.

APT attacks may initially use phishing or any other social engineering scam to create one or multiple backdoor entry points, allowing other hackers to worm their way into your network, slowly chipping away at the rest of your IT security layer until they’re discovered or achieve their objective.

How to Improve Government IT Security

The sad state of local government cybersecurity combined with the dangerous cyberthreats they face paints a grim picture for the future, but all is not lost.

There are numerous steps local governments can take to improve IT security across their organization.

Here are some of the most important steps you can take today and into the future:

Perform a Security Assessment

How do you know if your local government is secure?

By inspecting and testing your entire IT infrastructure to identify and secure weaknesses externally and internally.

By knowing your vulnerabilities, you can direct your limited resources to fix the weakest links in your cybersecurity chain.

Work Together with Other Governments

Governments from the federal to the state and local level are under attack from cybercriminals. To beat them, governments need to join forces to share knowledge and resources.

Intergovernmental cooperation strengthens your cybersecurity position by learning from the successes and failures of other governments’ IT security policies while gaining access to experts you may not have in your agency.

Outsource IT Security

Speaking of IT security experts, they’re not always kept in-house. And in many cases, IT experts who are trained to handle the looming threats of today (while anticipating the threats of the future) are difficult to find in the public sector.

That’s why many local governments choose to outsource their IT services.

Plus, since the lack of appropriate funding is often pointed to as one of the biggest reasons why robust cybersecurity in local governments is lacking, it makes sense to hire a private company that will cost far less than hiring in-house staff.

Enable User Access Management

User access management, also called privileged access management (PAM) is a method of controlling what information each team member can access.

Since end-users are typically the weakest cybersecurity links in your organization, and hackers rely on tricking them to gain access to more privileged information, it logically follows that you should restrict end-users’ access to sensitive information whenever possible.

Most people in most positions only need a specific set of data to do their jobs.

Therefore, they should be restricted from accessing any information outside of that core data set to protect your agency from infiltration in the case that an end-user falls victim to a phishing attack, for example.

Adopt the NIST Framework

The NIST Framework provides a common language and systematic methodology for managing cybersecurity risks.

The latest version of the NIST framework was released on April 16, 2018.

According to Secretary of Commerce Wilbur Ross, “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEO’s.”

But it’s not just made for the private sector. The NIST Framework has been successfully adopted by federal, State, and local governments.

According to NIST Director Walter G. Copan, “The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges.”

Establish a Cybersecurity Culture

Every employee in your agency should be hyper-vigilant against impending cyberthreats.

It’s not just managers, commissioners, and elected executives who have to worry about these threats. In fact, it’s their job to instill a cybersecurity awareness culture from the top-down.

In the same way that you can create a culture of continuous learning in your agency, you should attempt to create a culture of continuous cybersecurity learning and training in your agency.

Train Your Employees

We’ve been harping heavily on the vulnerability of end-users, which is why the most important cybersecurity tip we can offer you is to train your employees.

There’s no high-tech substitute for smart, safe, and knowledgeable employees. They are your last line of defense against threats.

A hacker can send out all the phishing emails he wants, bypassing all your internet and email security systems. But if none of your employees fall for the scam, your data will remain safe.

So what’s the best way to train your employees in cybersecurity?

Find and use high-quality cybersecurity training resources.

But where can you find cybersecurity training made specifically for local governments?

Right here at Enterprise Training. Below are just a few of the many guides we have available for you.

  • Cyber Threat!: How to Manage the Growing Risk of Cyber Attacks reveals the extent of the cybersecurity problem, and provides a plan to change course and better manage and protect critical information.
  • Cyber Security Culture: Counteracting Cyber Threats through Organizational Learning and Training provides in-depth research to assist managers in forming policies that prevent cyber intrusions, put robust security systems and procedures in place, and arrange appropriate training interventions.
  • The Information Systems Security Officers Guide: Establishing and Managing a Cyber Security Program Third Edition provides information on how to combat the ever-changing myriad of threats security professionals face by presenting practical advice on establishing, managing, and evaluating a successful information protection program in a corporation or government agency.

And here’s a sample video from one of our cybersecurity courses:

If you want these guides and even more cybersecurity training, then contact us below to get started with a free 14-day trial of Enterprise Training.

Experience the proven, easy-to-use, and cost-effective benefits of online training by scheduling your free online training consultation today!

Schedule Free Consultation

 

6 Cybersecurity Predictions for 2018 That Don’t Look Good

 

cybersecurity predictions 2018
Our cybersecurity predictions for 2018 see old threats and new threats rising up

Cybercrime is escalating, and no one is safe.

The costs of data breaches will reach $2.1 trillion globally by 2019, according to Juniper Research.

That’s 4x the estimated cost of data breaches in 2015.

Major corporations like Equifax have been breached while major city Governments like Atlanta were shut down and extorted earlier this year.

Unfortunately, things will get worse before they get better.

Below we list our cybersecurity predictions for 2018 and beyond.

Our hope is that this list will help you identify and guard against increasing cyberattacks.

Top Cybersecurity Predictions for 2018

Simple Password Logins Are Increasingly Risky

81% of hacking-related breaches leveraged either stolen and/or weak passwords, according to the 2017 Data Breach Investigations Report from Verizon.

This trend is predicted to continue if companies and governments don’t use stronger logins such as multi-factor authentication or risk-based authentication.

Cyberattackers Will Rely on AI to Hack Your Data

Why do the work yourself when a computer can do it for you?

That’s exactly what many hackers thought as they began implementing AI-powered cyberattacks.

Here are a few ways hackers can execute attacks using AI:

  • Phishing, spam, and fraud using chatbots
  • AI-powered password hacking
  • AI attacks on AI cybersecurity software

Attacks on IoT Devices Will Rise

It’s only getting easier for hackers to infiltrate the Internet of Things. That’s partly driven by the increasing prevalence of IoT devices.

More than half of major new business processes and systems will incorporate some element of the Internet of Things by 2020, according to Gartner, Inc. This applies to government agencies as well.

The most common method used to hack an IoT device is a botnet – a collection of compromised IoT devices, such as cameras, routers, DVRs, wearables and other embedded technologies, infected with malware.

IoT botnets spread fast, attempting to infect as many devices as possible, potentially compromising hundreds of thousands of machines.

The infamous Reaper botnet infected a million networks alone.

Carefully choosing what IoT devices you use and don’t use is one of the few ways to minimize these types of attacks until security for these devices becomes more robust and effective.

Cyber-Hijacking Will Become More Commonplace

As more transportation systems operate automatically (without safeguarding their software), hackers will be able to hijack their systems remotely and demand a ransom before relinquishing control.

Charlie Miller and Chris Valasek demonstrated their “zero-day exploit” on a Jeep Grand Cherokee back in 2015 – software that lets hackers send commands through the Jeep’s system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.

The rise of self-driving cars in the next few years will make this issue even more urgent.

GDPR Will Force Companies and Governments Globally to Strengthen Security or Face Stiff Fines

The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018 and will mark a new era of mandatory cybersecurity compliance in the EU and across the world.

The GDPR was “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

While the GDPR can be seen as a big step in the right direction, it does scare many businesses and governments globally who are far away from complying with these new regulations.

Some U.S. based companies will fall under the jurisdiction of GDPR if they operate in other countries or target customers in other countries.

And if companies or governments under the jurisdiction of the GDPR don’t report a breach to a regulator within 72 hours, they could face fines of 2-4 percent of global revenue.

State-Sponsored Cyberattacks Will Increase

As cyberattacks become cheaper and easier than traditional warfare, hostile Governments will naturally use them more and more to exploit their rivals’ vulnerabilities.

According to The Hill, “A suspected North Korean hacking campaign has expanded to targets in 17 different countries, including the U.S., pilfering information on critical infrastructure, telecommunications and entertainment organizations, researchers say.

Cybersecurity firm McAfee released new research on the hacking campaign this week, calling it Operation GhostSecret and describing the attackers as having “significant capabilities” to develop and use multiple cyber tools and rapidly expand operations across the globe.”

That’s just one example in a string of examples of States initiating cyberattacks on other States.

Governments must ensure that their networks are isolated from the internet, their systems are extensively checked regularly, and their employees are trained to identify and prevent cyberattacks.

What Can You Do to Guard Against These Cybersecurity Threats in 2018?

Knowing your enemy is only half the battle.

The second half is knowing how to prevent them from attacking you and knowing what to do if you are attacked.

We’ve compiled a few critical resources to help you train your employees and protect your agency against cybercriminals.

  • Cyber Threat!: How to Manage the Growing Risk of Cyber Attacks reveals the extent of the cybersecurity problem, and provides a plan to change course and better manage and protect critical information.
  • Cyber Security Culture: Counteracting Cyber Threats through Organizational Learning and Training provides in-depth research to assist managers in forming policies that prevent cyber intrusions, put robust security systems and procedures in place, and arrange appropriate training interventions.
  • The Information Systems Security Officers Guide: Establishing and Managing a Cyber Security Program Third Edition provides information on how to combat the ever-changing myriad of threats security professionals face by presenting practical advice on establishing, managing, and evaluating a successful information protection program in a corporation or government agency.

And here’s a sample video from one of our cybersecurity courses:

If you want to discover powerful tools, tactics, and strategies for protecting your organization against cyberattacks, then you need to get these critical guides.

How do you get them?

By contacting us directly and getting a free 14-day trial of Enterprise Training below.

Experience the proven, easy-to-use, and cost-effective benefits of online training by scheduling your free online training consultation today!

Schedule Free Consultation