A Guide to State Government Cybersecurity
The sheer volume of data held by government entities continues to grow exponentially. Like every public or private organization, states must balance the need to secure and protect their citizens’ personal data with the ease of use and convenience of their services.
Cybercriminals are taking note.
Last November, Louisiana Gov. John Bel Edwards declared a state of emergency following a cybersecurity attack on state government servers.
The state was forced to activate its cybersecurity response team following a ransomware shutdown that caused an outage of state websites and emails, affecting many services citizens rely on. The cyber team decided to take what it deemed “extreme emergency protective measures,” including completely halting all server traffic.
The emergency declaration allowed several of the state’s agencies, including the Office of Motor Vehicles, Department of Transportation and Development and the Department of Revenue, to waive fees and fines resulting from citizens not being able to meet filing deadlines and the like.
The attack may not have earned the criminals a ransom, but it brought the state’s ability to serve its citizens to a screeching halt. And these types of attacks are happening more often than we may realize.
Certain facets of state governments make them some of the most attractive targets for cybercriminals.
Lack of Budget
Traditionally, states have not made appropriate investments in cybersecurity.
A National Association of Chief Information Officers/Deloitte cybersecurity survey found that a lack of budget has been the number one concern of state-level chief information security officers (CISOs) every year since 2010. The majority of states spend only 1 to 2 percent of their IT budgets on cybersecurity, and nearly half of states do not have a cybersecurity budget that is separate from their IT budget.
In contrast, federal-level agencies and private sector organizations generally spend between 5 and 20 percent of their IT budgets on cybersecurity.
Of course, state governments are aware that cybersecurity is a pervasive issue. But the sheer volume and variety of attack techniques now requires consistent investment, both in personnel and in resources, to stay ahead of the bad actors.
Large Attack Surface
Local and state governments usually exist in federated structures, meaning data flows from centralized sites but individual departments still retain autonomy.
While these structures lead to operating efficiency, a single weak link in one department can easily expose the others.
Federated structures also create challenges in standardizing and enforcing policies, such as employee phishing awareness and training programs. Yet human error remains the most exploited vulnerability in technological environments.
Legacy systems that have not been updated, whether because of budget constraints or employee reluctance, also stand out as weak links in the infrastructure. And the criticality of these systems makes them even more attractive to cybercrooks.
Lengthy Supplier and Third-Party Lists
Inbound email attacks continuously evolve in sophistication.
Vendor email compromise is becoming a way for cybercriminals to gain access to local governments. Attackers start by hacking into a supplier’s email account, then silently sit and read through all the messages that pass through the vendor’s inbox. Eventually, they join legitimate email threads and attempt to divert government funds to private bank accounts.
Even if a state government has the technologies and systems to protect its own attack surface, it can still become the victim of a cybersecurity attack because an external vendor’s account was taken over by cybercriminals.
Taking into account the sheer volume of third-party vendors that governments must interact with, this creates a sobering reality for state IT workers.
Traditional mass-produced phishing attacks are often flagged by existing security products, but these newer categories escape detection.
Email attacks like those arriving through compromised third parties mimic legitimate language and intent better than ever, convincing users that the message they are replying to is genuine.
Instead of sending attachments that can be analyzed, scanned and deemed malicious, today’s attackers prefer to play a waiting game, sending multiple messages with no real purpose except to gain the recipient’s confidence. Then the fraudulent request arrives.
In today’s IT environment, visual scrutiny and phishing awareness cannot fully protect us. States must partner to embrace a more holistic approach to analyzing email content, context, and metadata.
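The kind of content, context and metadata check described above, as an added example that is not part of the original article or of Advantage’s tooling. It flags three signals typical of a hijacked vendor thread: a Reply-To domain that differs from the From domain, a sender domain that is a near look-alike of a known vendor, and body text requesting a change to payment details. The vendor domains, addresses and both sample messages are constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains of vendors the agency legitimately does business with (constructed for this example).
KNOWN_VENDOR_DOMAINS = {"acme-paving.example", "statewide-supply.example"}

# Phrases that usually accompany a payment-diversion attempt.
PAYMENT_CHANGE_TERMS = re.compile(
    r"\b(new (bank|account|routing)|updated? (banking|remittance|wire) (details|instructions)|"
    r"change.*(account|banking) information)\b",
    re.I,
)


def edit_distance(a, b):
    """Levenshtein distance; used to spot look-alike domains such as acme-pavlng.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/plain parts of a message (handles single-part and multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def flag_message(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if from_dom not in KNOWN_VENDOR_DOMAINS:
        for known in sorted(KNOWN_VENDOR_DOMAINS):
            if 0 < edit_distance(from_dom, known) <= 2:
                findings.append(f"sender domain {from_dom} looks like known vendor {known}")
    if PAYMENT_CHANGE_TERMS.search(body_text(msg)):
        findings.append("body requests a change to payment details")
    # In-Reply-To plus other findings means the request was injected into an existing thread.
    if msg.get("In-Reply-To") and findings:
        findings.append("message continues an existing thread")
    return findings


# Constructed sample messages (not real traffic).
BENIGN = """From: Accounts Payable <ap@acme-paving.example>
To: procurement@dot.state.example
Subject: Invoice 4471

Attached is invoice 4471 for the Route 12 resurfacing work. Net 30 terms as usual.
"""

SUSPICIOUS = """From: Accounts Payable <ap@acme-pavlng.example>
Reply-To: ap.acme@freemail.example
To: procurement@dot.state.example
In-Reply-To: <invoice-4471@acme-paving.example>
Subject: RE: Invoice 4471

Following up on the thread below. Please note our updated banking details for the remaining balance.
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, flag_message(raw) or "no findings")
```

None of these signals is conclusive on its own (a vendor may legitimately use a separate Reply-To), so in practice the findings feed a review queue or a hold on payment-change requests rather than an automatic block.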
Lingering Media Coverage
Research suggests that state governments are less likely to pay ransom after being affected by cyberattacks than private sector organizations. However, government attacks receive more media coverage more quickly than other compromises — perhaps because they affect private citizens.
The excessive media attention turns into a brutal cycle, with more attackers now focused on vulnerable government systems, which leads to more attempted attacks.
Link to Cyber Insurance
State governments have had limited IT budgets and aging legacy systems for decades, and ransomware itself is not new, so what has changed?
The recent increase in cyber insurance may play some role.
That growth has been driven by two factors. First, transferring cyber risk to an insurer can be a cost-effective strategy in today’s IT world. Second, the market is proving a lucrative one for insurers. While other areas of insurance are flat, cyber insurance remains a profitable, if uncertain, segment. Loss ratios are roughly half those of traditional property and casualty policies.
More cyber insurance policies paying out more ransoms is part of the issue, along with poor defenses and the criticality of services. By attacking states, cybercriminals are successfully extracting more money more often.
For example, in the second quarter of 2019, governments that chose to pay ransoms ended up paying 10 times more than their commercial counterparts.
[Graphic: when they choose to pay, governments pay 10 times more than private sector companies in ransomware attacks]
This appears to create a dynamic where the most vulnerable government organizations are paying more than better-protected ones, thanks to cybersecurity insurance policies.
A Checklist for Cybersecurity
Control the Human Element
Creating a security-conscious workforce is critical, as the majority of attacks can still be attributed to human error.
- Establish a password policy that requires strong, unique passwords and train employees never to write them down or reuse them. Note that current NIST guidance (SP 800-63B) advises against forced routine password changes in favor of changing passwords when compromise is suspected, because scheduled rotation tends to produce weaker, predictable passwords.
- Implement data usage controls that can block risky actions like uploading information to the web, sending email messages to unauthorized email addresses and saving data to external drives.
- Keep IT processes simple. Overly complex procedures encourage users to look for shortcuts, so keep ease of use in mind when updating processes.
- Implement ongoing training and education, keeping up with the latest sophistications in attacks.
- Implement best-in-class controls, such as multi-factor authentication and password managers.
Document and Manage Hardware and Software
Employees are naturally drawn to the latest devices and useful downloads. To effectively protect your environment, you have to know what is in it.
- Take inventory and document all devices that could access your IT network, including personal ones.
- Automatically install software updates and security patches on all computers, using inventory tools to keep records.
- Detect and remove from the network any unauthorized devices, and any devices running unauthorized software.
Protect Private Data
Focus on safeguarding sensitive data and also protecting data that is critical to continuity. Create maps of data and systems, and limit access only to those employees who are required to have it.
- Restrict access to those who need it to perform their jobs.
- Follow the same protocol for physical access.
- Monitor all user access to the network, and record authentication failures and unauthorized access attempts.
- Restrict administrative privileges and carefully manage those who have them.
Understand Emerging Threats
Protecting state government networks is complex because of the long list of services they offer. Stay educated and aware on how threats are changing and anticipate the updates needed to stay current.
- Prioritize your budget to stay current with sophisticated threats and focus on contingency plans for responding.
- Regularly research and consult well-informed cybersecurity intelligence sources.
- Join information sharing and analysis centers (ISACs) to take part in sharing information and jointly protecting networks and data. Specialized centers, such as the Multi-State ISAC (MS-ISAC), have been developed for public sector environments.
Implement 24×7 Real-Time Visibility
Your IT team must have cybersecurity operations that respond to threats and risky activity immediately.
- Identify and manage vulnerabilities, and monitor for and detect threats.
- Prioritize what needs updating and patching in a methodical fashion based on severity of risk.
- Create a detailed documented response plan that goes beyond prevention.
Analyze Audit Logs
Without maintaining and monitoring audit logs, attacks in progress can be overlooked, inviting additional intruders and a potential technological disaster.
- Look beyond what’s required for audit purposes. The bad guys do.
- Record log activity, then examine and analyze the resulting information.
- Continuously monitor for threats, preserving an audit trail when an incident occurs.
- Conduct regular risk assessments to find weak links in your environment.
- Be ready to report. Use managed vulnerability assessment services to understand your risk profile and IT security posture.
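One concrete form of the log examination the checklist calls for (recording authentication failures and unauthorized access, then analyzing them), as an added example that is not part of the original article or of Advantage’s services. It reads authentication events, keeps a sliding window of failures per source address, raises a brute-force alert when the failures reach a threshold, and raises a second, higher-priority alert when a login from that same source then succeeds. The log format, addresses and user names below are constructed for this illustration; a real deployment would parse sshd, Windows Security or application logs instead.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for the constructed log format used in SAMPLE_LOG (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>FAILED|ACCEPTED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for (a) >= threshold failures from one source inside the window and
    (b) a successful login from a source that recently produced such a burst."""
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    bursting = {}                  # src -> time at which a burst was first reported
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            # Unparseable lines are skipped here; in production route them to a parse-error
            # queue so an attacker cannot hide activity by corrupting log lines.
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in bursting:
                bursting[ev["src"]] = ev["ts"]
                alerts.append({"kind": "brute_force", "src": ev["src"],
                               "user": ev["user"], "ts": ev["ts"], "failures": len(q)})
        elif ev["src"] in bursting and ev["ts"] - bursting[ev["src"]] <= window:
            # A success shortly after a burst is the event most worth waking someone up for.
            alerts.append({"kind": "success_after_burst", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"], "failures": len(q)})
    return alerts


# Constructed sample log (addresses are from documentation ranges, not real hosts).
SAMPLE_LOG = [
    "2024-03-01T02:00:01 auth FAILED user=admin src=203.0.113.7",
    "2024-03-01T02:00:03 auth FAILED user=administrator src=203.0.113.7",
    "2024-03-01T02:00:04 auth FAILED user=root src=203.0.113.7",
    "2024-03-01T02:00:06 auth FAILED user=jsmith src=203.0.113.7",
    "2024-03-01T02:00:09 auth FAILED user=jsmith src=203.0.113.7",
    "2024-03-01T02:00:15 auth ACCEPTED user=jsmith src=203.0.113.7",
    "2024-03-01T08:12:00 auth FAILED user=mlee src=198.51.100.20",
    "2024-03-01T08:12:30 auth ACCEPTED user=mlee src=198.51.100.20",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"], alert["kind"], alert["src"], alert["user"], alert["failures"])
```

The single failure followed by a success from 198.51.100.20 produces no alert, which is the point of the threshold and window: an ordinary typo should not page anyone, while five failures and a success in fourteen seconds from one address should.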
Back Up Critical Data
Ransomware continues to be the fastest-growing threat to state governments. Maintaining a second copy of your data ensures continuity of services and enables recovery in the event of a system failure or natural disaster.
- Consider cloud and physical backup solutions, and account for the frequency of data changes in your backup schedule. Keep at least one copy offline or otherwise isolated so that ransomware that reaches production systems cannot also encrypt the backups.
- Keep processes flexible and secure to provide quick access to data, and provide a recovery solution that brings applications back online seamlessly.
Consider Added Complexities of COVID-19 Response
Along with the standard cybersecurity checklist, the global COVID-19 pandemic has added complexities to how we think about cybersecurity.
Because of safety concerns, many state workers are now working remotely, outside the traditional network that IT protects. This calls for some special considerations as attackers step up their efforts.
It’s critical to consider the increase in cyberthreats for remote workers. Here are some additional tips to consider:
- Security must be a team effort. That’s especially true now, when individuals must step up their personal security posture as they work from home.
- Leverage VPNs as much as possible, if your network can handle it. If that is not possible for everyone, determine what other secure connection options, such as remote desktop gateways, are available.
- Constantly remind users never to trust anything until they verify the source, including apps on mobile devices, ads, maps and browser plugin downloads.
- Use two-factor authentication for everything.
- Utilize encryption for sensitive communications and document sharing.
- Encourage better password management. Usernames and passwords are even easier to steal when employees work over home networks.
- Security training is more critical than ever. Use the routines that would be followed in the office to continue educating work-from-home employees, including regular reminders on how to spot scams and fake websites.
- Be prepared for changes in employee behavior as they change workspaces, including printing more sensitive documents than usual, saving data on home machines or sharing computers without logging out of work sites. Provide guidelines on how employees should handle sensitive material at home.
- Set up and monitor secure channels and procedures for third parties and supply chains.
- Create an emergency plan that assumes the team is out of the office. Ensure your IT staff can easily and effectively collaborate in an emergency.
Partnering For Complete Security Services
More than ever, consider linking arms with the experts to keep bad guys at bay. Advantage Technologies offers cybersecurity management, along with network design and monitoring and full-service technical support.
It all starts with an onsite technology assessment. We send one of our professional technology consultants to evaluate your specific needs and develop your custom security solution.
Schedule your confidential assessment online or call us at 877-723-8832 to see how we can help improve cybersecurity for your organization.
Advantage Industries is a Managed Security Service Provider (MSSP) providing practical networking and software solutions, as well as web site and application creation services. For nearly two decades, Advantage has worked collaboratively with hundreds of clients in understanding complex business processes, identifying needs, and providing recommendations tied with sound technology solutions custom-tailored to their business.