When choosing public sector software, it’s vital to choose software that offers maximum security for sensitive data and systems.
The Department of Homeland Security requested a $2.6 billion cybersecurity budget for the fiscal year 2020-2021. The Federal Government is taking cybersecurity very seriously, and for good reason. This year alone, we've seen many bad actors. Over the past decade, we've seen systems containing defense contractors' information attacked, denial of service (DOS) attacks, and many other cyber threats against the federal government.
For local governments, the threat is just as real. Although you may think that your town or state governments’ public sector software isn't worth the attention of a cybercriminal, think again. Just as small businesses and nonprofits are often the targets of attackers, so to are small, local government agencies the target of criminals.
Cyber Threats Against Local Governments via Public Sector Software
Why are local governments the subject of a cyberattack? First, there's a lot of them – over 90,000 local government entities, to be specific. Each represents a potential victim.
Secondly, many local government servers contain highly sensitive and valuable data in their public sector software. Driver’s license records, social security numbers, personally identifiable information, credit card information and more may be saved in multiple offices. Each represents a valuable piece of information that a criminal can exploit or resell for profit.
Local governments are often under-resourced. Many have only one IT expert or a small IT department. These departments cannot counter a swift cyber attack. Criminals know this and exploit this advantage in their public sector software.
Fortunately, there are many steps that you can take to secure and defend against cyber attacks. Here’s what you need to know about the potential threats against local government systems, and what to do to prevent them.
Know the Threats: Types of Security Threats
You can't protect against what you don't know, so knowing the types of security threats is essential to protecting your systems. Cyberthreats can take many forms, but the top three include server attacks, email threats, and internal threats.
Your computer server performs many critical tasks. It’s the ‘brain’ running many software programs, the place where your data is stored, and the platform that supports overall business functions. If your server is compromised, recovering from the attack can be a nightmare.
1. Ransomware: Server attacks can take many forms. The most common is a ransomware attack in which criminals install code onto the server to lock it. Only by paying a ransom to the criminals can you unlock your server and retrieve the data – if the criminals release the data. Sometimes they do, but often, they don't.
2. Denial of Service (DOS): Ransomware attacks are on the rise and represent one of the major attacks against government computer servers, but other attacks occur, too. A denial of service (DOS) attack can shut down systems for days. These attacks bombard servers with automated queries, which eventually overwhelm and shut down the target server. This can shut down critical government services for days or longer, disrupting local agencies and creating confusion.
Email represents a significant source of vulnerability for all businesses, including local governments. Anyone can find the email address of a government agency or employee and send, either intentionally or unintentionally, an email containing malware, viruses, or phishing scams.
1. Phishing: Attackers exploit social engineering and psychology to trick people into clicking fraudulent links and submitting their personally identifiable information. This is called a 'phishing scheme' in which data entered into the target website, such as names, addresses, phone numbers, and identification numbers, are stolen. Emails involved in phishing schemes may look like they come from recognizable businesses such as Amazon, your bank, the U.S. Postal Service, eBay, or other well-known businesses. Government agencies may be the target of a phishing attack or they may be spoofed, or copied, to trick others into trusting a link.
2. Spear Phishing: Criminals increasingly add to their tactics to get what they want. Spear phishing takes phishing to a new level by using personal information about the target to trick the recipient into clicking a link. It may also involve phone calls to your office from someone purporting to be from a known entity, such as your bank, pretending that there is a problem with an account, and asking you to divulge passwords and other information to check the account.
3. Malware: Malware installs a malicious program on your computer when you click a link or visit an infected website. Like phishing schemes, malware may arrive in an email, or it can be “caught”, like a virus, just by visiting an infected site.
While you may not like to think about it, internal threats – problems from within – can also compromise system security. The most common threats include misappropriation of funds and password or data theft.
1. Misappropriation of Funds: If your internal controls are lax, you are putting funds at risk. Poor cybersecurity and lax internal controls make it easy for employees or officials to misappropriate funds. Small and big government agencies are equally at risk. Small offices or agencies may have little or no internal controls, relying on personal reputation and trust to guide how the money is handled inside the office. Larger offices can make it easier for small thefts to go unnoticed for a long time until they add up to a larger amount.
2. Password and Data Theft: Phishing isn't the only way that passwords and data can be stolen. Criminals can bribe employees to make photocopies of forms or download sensitive files to thumb drives. Records can be resold on the black market to make false identification documents. Anyone can succumb to temptation, even your most loyal, long-term employees. It is better to be safe and suspicious of everyone, putting in place controls and systems to prevent temptation, than to handle the ramifications of data theft.
Is Cybercrime That Much of a Problem for Local Governments?
Now that you know about some of the many types of cybercrime activities, is it such a big threat to local governments?
The answer is yes. The city government of Atlanta, Georgia found itself under a brute-force attack where hackers use automated programs to generate passwords rapidly and try each one until they break into servers. The successful attack took down the municipal court systems’ servers, the city’s email servers, and the water bill and traffic ticket payment system. It even took down the Wi-Fi at Hartfield-Jackson Airport and destroyed police cruiser dashboard cameras that relied on the Internet of Things (IoT) to transmit dashcam information to servers.
Baltimore, Maryland was hacked not once, but twice. The city's 911 and 311 dispatch systems were taken out in ransomware attacks. Luckily, the city had a good IT infrastructure in place and was able to isolate the problem and put in place backup systems quickly, but the safety of Baltimore's residents could have been severely compromised if they hadn't been smart about backup systems.
Can your public sector software withstand such an attack?
Steps to Take to Combat Cyber Threats
The threat, as you can see from these two local government examples, is very real. What must agencies do to combat cybersecurity threats?
Fight Server Attacks
There are many ways to fight back and prevent server attacks. First, some third-party software companies already have in place preventative measures such as firewalls to prevent DOS attacks from ever reaching your on-premises servers. If you’re using secure cloud-based systems, you’re already ahead of the game.
Properly configured servers can also fend off many DOS attacks. Make sure that your IT systems are updated and that staff has the latest information on potential server attack scenarios.
Installing the best antivirus software you can afford and keeping it updated is also critical. Many agencies install software but fail to update it regularly. Updates install patches against new threats and close loopholes that criminals exploit, so it’s important to run updates.
Combatting Email Fraud
The best way to combat phishing schemes and other forms of email (and phone) trickery is education.
Make sure that all staff know that under no circumstances should they give out critical information such as usernames or passwords to someone who calls them or emails them looking for the information. If they receive an email that looks like it is from a trusted source, such as a credit card company or a known vendor, but they cannot recall requesting the email or placing the order, they should close the email, delete it, and log in from another browser to check the request.
Prevent Internal Threats
Internal threats can be prevented in many instances. First, insist that all users change their passwords monthly. Next, do not allow employees to share passwords, no matter how trusted they are or how long they have worked in the government office.
Lastly, make sure you have strong internal controls in place, such as insisting that two people witness the counting and distribution of petty cash, who signs checks, and similar tasks. Government accounting systems such as AccuFund Anywhere Online also have safeguards in place that can be enacted to limit data access in accounting systems and prevent misappropriation of funds.
Training and Communication Is Essential
Communication is essential. Prevention begins with training. Make sure that everyone in every government office is aware of the potential threats including ransomware, malware, and phishing attacks.
In addition to a written internal control policy, have an IT policy ready that deals with cyberattacks. As the city of Baltimore found out the hard way, having an emergency plan in the event of a successful cyberattack enabled them to restore critical emergency dispatch services quickly. Without such a plan in place and the awareness of the teams monitoring the situation, Baltimore's citizens could have been in great danger without 911 services. Imagine being unable to call an ambulance if your spouse was having chest pains or your child fell down the stairs – that's the risk of not having an emergency cybersecurity plan.
Although you can't protect against all threats in life, you can prevent many cyber threats. The right software, the right server configurations, good antivirus and firewall protection, and communication, awareness, and training can lessen many threats.
Government Financial Management Software