5 reasons municipalities are getting hit by cyber threats

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By John Randall
 

Connecting state and local government leaders

By John Randall

|

While enterprising attackers target government workers, solutions that combine the best of machine learning with expert human analysis can help stop, block and remediate advanced phishing attacks.

All too often, U.S. cities fall victim to hackers. The major attack on Atlanta earlier this year made it clear to every metro official that hacking is not a matter of “if” but “when” bad actors find an opening.

Not surprisingly, one of the key entry points for these attacks is phishing -- a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channel to encourage the victim to compromise security. By most accounts, more than 90 percent of breaches start with phishing.

Enterprising cyber attackers target phishing spoofs at multitasking, government workers and get them to click a bad link, open a seemingly benign attachment or provide a nugget of personal information. The information gleaned from that unwitting action can be exploited, stolen or used for serious attacks like ransomware and business email compromise.

Cities like Houston and Fort Worth, Texas, are purchasing millions of dollars of cybersecurity insurance with annual premiums up to $500,000 in the face of increasing cyber attacks on state and local governments. What’s more, the scale of these attacks is unprecedented. The mayor of Atlanta has estimated that her city faced more than $20 million in costs following the attack on city networks and systems.

There are five reasons why is phishing so prevalent in city governments:

1. Distracted workforce. Like workers everywhere, government employees are overworked, distracted and a bit numb to all the emails and messaging noise they receive. Add to that, the online, smartphone, mobile app and social media engagements today are designed to keep our fingers and thumbs are itching to automatically click. Most of those clicks deliver highly entertaining images, videos, like-able links and more. But (cue the evil music here), some of these things aren’t good. Nearly 1.5 million phishing URLs are created each month just to trick users into thinking an email is indeed originating from their payroll provider, bank, Facebook page, insurance claim form … the list is endless. With so much click-bait, how can an ever-more-distracted workforce know good from bad when it comes to malicious emails? 

2. Cloud migration. Microsoft Office 365 moves email and other critical applications to the cloud, and municipalities want to take advantage of both cost savings and improved efficiencies. Unfortunately, many agencies unwittingly believe that Office 365’s “free” email security is sufficient. Industry analysts, however, state that 35 percent of Office 365 users are looking to augment the built-in email security, so clearly something is amiss. Gateway email security is vital, but it’s only one part of the equation. Office 365’s email security is no different.

3. “I have plenty of money to spend on email security,” said no government official ever. And while citizens appreciate fiscal prudence, it puts city government in an awkward position. Government, by law, must be transparent, yet it has the same limited-resource challenges that affect most organizations. That leaves IT staff with too much to do, not enough resources and unable to stay ahead of cybercriminal activities. These conditions make municipalities enticing targets, as does the visibility of the victim. If an attacker spoofs a private company and effectively shuts down servers for two days until he gets paid a ransom, there will be a few upset executives, customers and employees. If an attacker shuts down servers in Atlanta, there are thousands of residents without services, public welfare at risk and a horde of angry media waving torches and pitchforks on the steps of city hall. Not a great platform for re-election. 

4. Government employees in the public eye. City officials want visibility for their good works, including social services and transportation initiatives (but maybe not tax collection). The accessibility of public figures, combined with government open data, can provide kernels of information attackers can put together to use in phishing scams. If the mayor's public schedule has him or her visiting a specific school at a certain time, a bad actor masquerading as the school's security chief can email the mayor's office with a request for payment for additional security. He then requests the mayor’s office “send a credit card number to pay that with, please.” You get the picture. Sounds unbelievable, but it happens -- and works -- every day.

5. A shortage of information security pros. As larger companies compete for top IT talent, it puts tremendous pressure on municipalities hiring and retaining top expert staff. One insurance executive told the Wall Street Journal: “There aren’t enough of these men and women around for the Fortune 500, much less for all the towns and cities and states that need these talents.”

Here’s what every municipality can do:

Whether they're responsible for a small-town IT department or the IT security in New York City, IT managers don’t have to just buy a super-expensive insurance policy. There are several steps they can take to improve security readiness for any advanced email-borne threat.

First, don’t assume that an email security gateway is sufficient. The fundamental technology for these gateways is decades old. While they repel many threats and spam invasions, they are not adequate to block targeted, socially engineered attacks like spearphishing. And that goes double for anyone believing Microsoft Office 365 security is good enough on its own.

Second, don’t assume the IT staff and employees can fend off attacks on their own. While IT staffers may know a lot about email threats, they are usually not email security experts, nor do they have the time to review all the suspect emails that come to employees. And no matter how much training government workers get about the dangers of email threats, it isn’t enough in today's click-happy, distracted culture.

Third, understand that these new threats require a new approach. Not only a modern email security gateway that filters emails before they land in user’s inboxes, but a new layer of security that protects users after email arrives. And don't forget all-important incident response for when malicious email is detected in the inbox.

There are now solutions that combine the best of machine learning with expert human analysis to help stop, block and remediate advanced phishing attacks, taking the burden off employees and IT department.

You can consider it a bipartisan vote for a more secure email future.

NEXT STORY: NYC launches full-court cyber press

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.