Public, Private Indifference

Public entities aren’t known for cavalier spending habits, and their technology infrastructure, training, and defenses certainly reflect as much.

Beholden to limited and controlled resources and towing a copious amount of valuable data, local governments and agencies prove to be an open hunting ground for cyber-criminals in 2019. Incentives can range anywhere from being purely financial to having a foothold in special interests or outright terrorism.

Long gone are the days when a malicious actor needed to execute a careful, calculated attack to make hacking worthwhile. At the same time, there is a tremendous amount of data interconnectedness between public entities, their private vendor partners, and ultimately the everyday citizen. Public entities are being targeted because of resource vulnerabilities, but also because they store and process large amounts of highly sensitive information about citizens, public systems, and infrastructure operations.

As the level of cyber-attack creativity reaches an all-time high and data flows at breakneck speed, the stakes have never been higher as we navigate 2019.


Solutioning and Silver Lining

Although this piece is focused on the methodology of cyberattacks on public entities in 2019, it’s worth noting that cost needn’t be a showstopper any longer; in fact, local agencies self-report that the biggest impediment to tighter control over cyber risk is simply untrained employee behavior and user error. With an appropriately priced solution focused on improving cyber hygiene across organizations, there is surely hope for all that choose to address the problem.


Higher Stakes, Cunning Criminals

Let’s talk bottom line: The Ponemon Institute’s 2018 Cost of a Data Breach Study indicates that for public sector organizations, the total average cost of a data breach is $2.3 million, with an average cost of $75 per stolen or compromised record.

How does this happen? Let’s start with how a cyberattack typically occurs. Ever see something come through your inbox that doesn’t look quite right? Maybe a link is out of place, the sender is asking you to download software, or the language used is either incoherent or aggressive. Yes, this is how multimillion-dollar losses occur: human error. Over ninety percent of cyber attacks start with a malicious email coupled with an untrained eye. Understandably so, as keeping up to speed on the creative practices of cybercriminals is no small task.

By definition, this is called phishing. Just as a hunter casts a wide net to capture dinner in the open sea, cybercriminals indiscriminately cast the same millions of times over. By clicking on the wrong link or responding with a sliver of sensitive data just once, the livelihood and operational flow of a city can be put at risk. Recently in Sarasota, Florida, a government employee innocently clicked on a malicious email link that resulted in what the local IT director identified as “the worst disaster I’ve ever encountered. It was an end-of-life event from the IT perspective.” Supporting this thesis, the demands for ransom were equivalent to $30M+ of cryptocurrency. While all hands on deck worked to resolve the issue, residents were unable to pay their utility bills, sensitive records remained locked down, and general chaos ensued. Although the city ultimately weathered the storm, this kind of paralyzing interruption, often mistakenly identified as a risk only to private businesses, is incredibly real for public entities as well. Cities can come to a complete standstill until demands are met.

Phishing is one major technique to be aware of, but a broader theme is that third-party vendors can also be your biggest opening to attacks. Poorly implemented systems or lackluster security controls not only expose the payment information used, but more importantly put the sensitive data of all of your citizens and infrastructure at risk. Again, malicious actors don’t need much to latch on to in order to reap significant reward.

If you glean two takeaways from this overview, let them be the following:

  1. Invest in interactive, engaging employee training and cyber awareness programs
  2. Be hypervigilant when vetting the security of your third-party vendors

One step at a time, you can avoid being the next news headline and unfortunate cybercrime statistic!