Cybercrime isn’t unique to certain sectors or industries. But some areas are more at risk, like local governments and municipalities. It makes sense: governments not only hold a lot of personal and valuable information on their systems, but government entities are also interconnected and critical to the operations of a given area, from police forces to court hearings to basic administration and document processing. That makes them a high-value target for hackers.
Just look at Costa Rica. In spring of 2022, Russian hacking group Conti attacked the Costa Rican government through a flurry of ransomware attacks. This was followed shortly by another ransomware attack on the social security administration, this time by another gang. Eventually, a state of emergency was declared after public health services were taken offline, and health centers were forced to close.
That’s a lot of real-world damage from a digital attack, and it highlights how tempting (and insecure) a target local governments are for cybercriminals.
Why Governments and Municipalities are at Risk for Cybercrime
Threat actors aren’t targeting local governments and government entities randomly. While cyber criminals can be sophisticated, they can also be lazy. With money as the main motivational factor, they will often go after low-hanging fruit. Unfortunately, that low-hanging fruit includes governments.
- Government entities operate with small budgets and lean staffing. It’s no secret that government entities are consistently dealing with stagnant, if not shrinking, budgets. That means little money to invest in new cybersecurity solutions, and little money for services and training. In addition, governments often have small IT teams that are stretched thin, trying to do a lot with a little. While not limited to the government sector, in a recent report 50% of CISOs stated that cybersecurity staffing is their top barrier to having a strong cybersecurity program. That can leave these organizations with both a technology and skills gap that cybercriminals are eager to exploit.
- These organizations face aggressive threats. Hackers have been coming for local governments and municipalities, and they aren’t letting up. 75% of local governments in the U.S. are either attacked constantly or near constantly, and 93% of local governments report being attacked more frequently than in past years. Because of the lack of resources mentioned above, threat actors know that there are security gaps in government, and they are hammering them with attacks in an attempt to exploit these gaps. Phishing is a common technique for government attacks due to employees’ lack of training, and in addition, IT departments are often understaffed and suffer from alert fatigue.
- They have the data criminals want, and they are willing to pay the ransom. Not only do government entities contain vast amounts of personal, valuable data that can easily be sold on the dark web, but their interconnectedness to other entities means they’re likely to pay ransoms to avoid prolonged downtime. The hackers can go in and take the data, or just wait for the ransom payment. Either way, it’s a win for them.
How Government Entities Can Improve Their Security Posture on a Budget
There are many steps organizations need to take to improve their security posture, including investing in software and staffing. For government entities, throwing more money at the problem is probably not an option (and oftentimes more technology does not equal better security), but that doesn’t mean they have to just sit and wait to be attacked.
Here are five actions governments can take to immediately secure their systems and data:
1. Perform a data classification and mapping exercise, including interviewing line personnel to understand how and what type of data moves through your environment. This will help your organization gain visibility into your assets and how they are handled within your system.
2. Perform a system inventory and a high-level qualitative risk assessment. You can’t prevent a breach if you don’t know where your weaknesses are. This will help your organization understand what proactive steps (like software patching) will improve security.
3. Pay attention to your policies, backups, incident response, and response plan. Review all this information and test it once a year, all at once, if possible (if you haven’t tested your backups, they may not be backups at all). This will help your organization see what flaws exist in your security architecture.
4. Make sure to patch your applications and software as soon as possible. Zero-day exploits happen, and the easiest way to stop them is to patch. Your organization should also employ access controls and limitations for software. More accounts and credentials create more risk.
5. Remediate vulnerabilities. Most compromises happen on known vulnerabilities or known vulnerable systems. If you know there’s a weakness within your security architecture, so does the hacker.
The Importance of Multi-factor Authentication and Security Awareness Training
Even with a limited budget or staff, there are two major actions any government entity can take to better protect itself from evolving, increasing attacks: employ multi-factor authentication (MFA) and conduct security awareness training.
- Multi-factor authentication, a form of authentication that verifies the user’s identity through two or more means, is crucial for thwarting credential theft and securing access to vital assets and systems. MFA is such an easy, important part of a security environment that a 2022 Executive Order now requires federal agencies to adopt the tactic. Compromised credentials are the number one exploited attack vector, followed closely by phishing. Both vectors can be stopped with MFA.
- Security awareness training takes many forms, from informational videos to quizzes to phishing simulations and more. No matter the form, employing it is critical to keeping your organization safe. The human element is involved in 82% of breaches, and a phishing attempt is only successful if a human takes the bait. A robust IT team and top-of-the-line technology can’t stop a user from clicking on a malicious link; that’s on the user.
While cybersecurity is always changing and threats are always evolving, the truth is that government entities of all sizes can be proactive and more secure without major sacrifice. From evaluating access and data to offering strong security awareness training, little steps can become big leaps in the path to reducing cyber risk.