5 reasons municipalities are getting hit by cyber threats
- By John Randall
All too often, U.S. cities fall victim to hackers. The major attack on Atlanta earlier this year made it clear to every metro official that hacking is not a matter of “if” but “when” bad actors find an opening.
Not surprisingly, one of the key entry points for these attacks is phishing -- a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channel to encourage the victim to compromise security. By most accounts, more than 90 percent of breaches start with phishing.
Enterprising cyber attackers target phishing spoofs at multitasking, government workers and get them to click a bad link, open a seemingly benign attachment or provide a nugget of personal information. The information gleaned from that unwitting action can be exploited, stolen or used for serious attacks like ransomware and business email compromise.
Cities like Houston and Fort Worth, Texas, are purchasing millions of dollars of cybersecurity insurance with annual premiums up to $500,000 in the face of increasing cyber attacks on state and local governments. What’s more, the scale of these attacks is unprecedented. The mayor of Atlanta has estimated that her city faced more than $20 million in costs following the attack on city networks and systems.
There are five reasons why is phishing so prevalent in city governments:
1. Distracted workforce. Like workers everywhere, government employees are overworked, distracted and a bit numb to all the emails and messaging noise they receive. Add to that, the online, smartphone, mobile app and social media engagements today are designed to keep our fingers and thumbs are itching to automatically click. Most of those clicks deliver highly entertaining images, videos, like-able links and more. But (cue the evil music here), some of these things aren’t good. Nearly 1.5 million phishing URLs are created each month just to trick users into thinking an email is indeed originating from their payroll provider, bank, Facebook page, insurance claim form … the list is endless. With so much click-bait, how can an ever-more-distracted workforce know good from bad when it comes to malicious emails?
2. Cloud migration. Microsoft Office 365 moves email and other critical applications to the cloud, and municipalities want to take advantage of both cost savings and improved efficiencies. Unfortunately, many agencies unwittingly believe that Office 365’s “free” email security is sufficient. Industry analysts, however, state that 35 percent of Office 365 users are looking to augment the built-in email security, so clearly something is amiss. Gateway email security is vital, but it’s only one part of the equation. Office 365’s email security is no different.
3. “I have plenty of money to spend on email security,” said no government official ever. And while citizens appreciate fiscal prudence, it puts city government in an awkward position. Government, by law, must be transparent, yet it has the same limited-resource challenges that affect most organizations. That leaves IT staff with too much to do, not enough resources and unable to stay ahead of cybercriminal activities. These conditions make municipalities enticing targets, as does the visibility of the victim. If an attacker spoofs a private company and effectively shuts down servers for two days until he gets paid a ransom, there will be a few upset executives, customers and employees. If an attacker shuts down servers in Atlanta, there are thousands of residents without services, public welfare at risk and a horde of angry media waving torches and pitchforks on the steps of city hall. Not a great platform for re-election.
4. Government employees in the public eye. City officials want visibility for their good works, including social services and transportation initiatives (but maybe not tax collection). The accessibility of public figures, combined with government open data, can provide kernels of information attackers can put together to use in phishing scams. If the mayor's public schedule has him or her visiting a specific school at a certain time, a bad actor masquerading as the school's security chief can email the mayor's office with a request for payment for additional security. He then requests the mayor’s office “send a credit card number to pay that with, please.” You get the picture. Sounds unbelievable, but it happens -- and works -- every day.
5. A shortage of information security pros. As larger companies compete for top IT talent, it puts tremendous pressure on municipalities hiring and retaining top expert staff. One insurance executive told the Wall Street Journal: “There aren’t enough of these men and women around for the Fortune 500, much less for all the towns and cities and states that need these talents.”
Here’s what every municipality can do:
Whether they're responsible for a small-town IT department or the IT security in New York City, IT managers don’t have to just buy a super-expensive insurance policy. There are several steps they can take to improve security readiness for any advanced email-borne threat.
First, don’t assume that an email security gateway is sufficient. The fundamental technology for these gateways is decades old. While they repel many threats and spam invasions, they are not adequate to block targeted, socially engineered attacks like spearphishing. And that goes double for anyone believing Microsoft Office 365 security is good enough on its own.
Second, don’t assume the IT staff and employees can fend off attacks on their own. While IT staffers may know a lot about email threats, they are usually not email security experts, nor do they have the time to review all the suspect emails that come to employees. And no matter how much training government workers get about the dangers of email threats, it isn’t enough in today's click-happy, distracted culture.
Third, understand that these new threats require a new approach. Not only a modern email security gateway that filters emails before they land in user’s inboxes, but a new layer of security that protects users after email arrives. And don't forget all-important incident response for when malicious email is detected in the inbox.
There are now solutions that combine the best of machine learning with expert human analysis to help stop, block and remediate advanced phishing attacks, taking the burden off employees and IT department.
You can consider it a bipartisan vote for a more secure email future.