Wave of Cyberattacks Against Public Sector Agency Underscores Need for Digital Security Training

In a 2017 survey, cybersecurity firm Netwrix released compelling statistics regarding the public sector’s ongoing struggles with digital security, including the following eye-raisers:

  • 57% of the public-sector information technology (IT) professionals surveyed reported “human errors caused security incidents” in the previous year.
  • 100% of the same respondents saw the organization’s employees “as the biggest threat to security.”
  • 86% of queried government entities “are not well prepared for cyber attacks [sic].”

One need not be an IT professional to understand the salient need for cybersecurity efforts. With multilevel breaches seemingly making headlines daily, it is hard not to have some knowledge of the topic, if only at a conceptual level. Netwrix’s findings shed new light on a point that security experts have preached for years. When employees and other assorted end-users lack practical awareness, even the strongest digital security techniques and protocols are one misstep away from becoming moot.

CONTINUE READING

Taking this idea a step further, then, the value of digital security training for all employees becomes evident. This is especially true in first response, a field that inherently provides hackers a number of financial and political motivations to carry out their attacks. By providing law enforcement, fire, EMS, and other responder personnel a baseline of knowledge before breaches become an issue, agencies effectively close off the single most popular attack vector for cyber attackers, “hacktivists,” and other computer criminals. In doing so, they greatly reduce the risk of financial loss, reputational damage, and erosion of public trust.

For responder agencies, increased reliance on digital systems creates advantages for cyber attackers

One needs only glance at the headlines for a stark reminder of the tremendous power hackers wield when they gain access to public-sector information systems. In one incident, an employee of a Maine law enforcement department “clicked a link in a suspicious email” and prompted a “ransomware” attack, causing a handful of area departments to lose face (if not a lot of money) by paying a $300-plus ransom for the safe return of their data. In another, more detrimental event, Dallas law enforcement lost “eight years’ worth of digital evidence” when they refused to pay a $4,000 ransom for data acquired via similar means.Providing law enforcement, fire, EMS responder personnel a baseline of knowledge before breaches, agencies effectively close off the single most popular attack vector. Click To Tweet

These events, which occurred roughly a year apart, highlight the ever-increasing stakes responder agencies face during a digital security incident. While no department wants to lose $300 to hackers (let alone have their acquiescence make national news and threaten the loss of public trust), that figure is certainly easier to stomach than $4,000. Nevertheless, the Dallas event showed an increased level of sophistication on the part of the hackers, who “spoofed” departmental email addresses and thus convinced the unwitting personnel that they were safe to click the link.

Another worrisome fact underlying many attacks levied against public-sector organizations involves the nature and importance of the highly personal data they must keep and are trusted to protect. The more an office relies on digital systems, the more advantages attackers have following a successful hack. Presumably, this is why hackers levy so many financially motivated attacks against law enforcement organizations and healthcare systems (including EMS providers). Electronic evidence and health-records systems contain data that can make or break cases or even save lives, relative to data that simply poses a major hassle to restore or replace.

This is not to imply that health and law enforcement organizations are the only ones that suffer digital breaches, or that digital evidence and health records are the only ones with value to hackers. Employee and citizen records (including pay rates, addresses, and Social Security numbers), private communications held in email and chat servers, and even operational data such as employee schedules and locations can all be used for illicit means. Ultimately, the combined reliance on and value of this data is what makes persistent education of personnel, administered prior to a breach event, so important to responder organizations of all walks.Many attacks levied against public-sector organizations involve the nature and importance of the highly personal data they must keep and are trusted to protect. Click To Tweet

Making the case for enhanced digital security training

Public-sector entities are far from the only ones concerned with keeping data secure, and the means by which attackers acquire access are largely the same whether they attack public or private organizations. In CSO’s list of the “17 biggest data breaches of the 21st century,” fully half—perhaps more—were the direct result of insecure behaviors by employees of the affected companies or third-party vendors. Alongside the previously mentioned ransomware attacks, notable examples include hackers exploiting weak passwords to gain access to a major retailer’s trove of consumer data.

It is impossible to say whether more proactive training measures would have prevented these attacks. No system is 100 percent hack-proof, and hackers themselves are nothing if not persistent and inventive. Even so, stronger security measures mean fewer attacks, and as the examples provided here show, people are the first point of a robust defense.

This fact is of particular importance to responder agencies, a group of organizations in which even front-line employees hold access to sensitive data. Emergency dispatchers, for instance, need insight into critical mapping and identification data to do their jobs effectively. Besides the risk of “troubled” employees using this information in ways that are damaging to their employer and the public, an untrained dispatcher’s weak or predictable password could be all hackers need to springboard an attack.

Other attack vectors take a more passive approach. Instead of hackers guessing passwords, they may send poisoned links—often through official-looking emails—to get the job done, as was the case in Atlanta and Maine. Unlike password concerns, easily negated by smart policy and rules requiring frequent change, watching out for these attacks (known as “phishing”) takes active awareness on the end user’s part. Teaching officers, firefighters, EMTs, and others the signs of a phishing attempt (misspellings and unusual grammar, for two common examples) is imperative if they are to recognize potentially malicious messages. Teaching officers, firefighters, EMTs, and others the signs of a phishing attempt is imperative if they are to recognize potentially malicious messages. Click To Tweet

In situations such as these, digital training programs can protect agencies, their employees, and the public they serve from potential malfeasance, alongside other secondary benefits. First and arguably most important is simple awareness. Replacing the attitude of “this can’t happen to me” with the knowledge that attacks can and do routinely befall responder organizations might be enough to cultivate a smarter approach to insecure behavior. Following this, training courses give instructors the chance to dispel common misconceptions, such as the idea that affected users must make naive mistakes to grant hackers access. When a user can infect a system by clicking a link in an email or opening a word processing document, it is fair to assume anyone can make an oversight.

Training sessions also give rules-bound (and union-active) agencies more ground to take corrective action in instances of preventable errors or misuse. Updating the entity’s acceptable use policy and providing training to match, for instance, is a good first step for organizations concerned about personnel visiting inappropriate or insecure websites on their official-use laptops or smartphones.

At minimum, an agency’s training course should consider the following topics:

  • Acceptable password use, including structure and themes (not using easily found personal information, for example).
  • Identifying toxic emails via spelling, grammar, sender email address, and “gut feel”: If the employee does not feel an email is legitimate, they should contact a supervisor or IT staff to make the determination.
  • Physical access risks, such as inserting a non-vetted flash drive into agency devices, leaving one’s workstation unlocked, or leaving a work device in an unsecured area.
  • Using unauthorized solutions for work purposes (e.g. official communications via a personal email address or official document shared in a commercial cloud storage solution), often referred to as “Shadow IT.”
  • Using personal devices for work systems, where applicable: Logging into an evidence system via an unsecured home computer is one example of this behavior.

Exploring the benefits of on-demand training systems

Looking beyond the specific content of a cybersecurity training course, on-demand training services represent a faster, more affordable, more efficient vehicle for agencies to deliver it. Designed by the agency and accessed over any authorized computer, cloud-based learning modules provide a quick way to deliver critical information, all without the scheduling and transportation woes of traditional classroom-led courses.On-demand training services represent a faster, more affordable, more efficient vehicle for agencies to deliver cybersecurity training. Click To Tweet

Here, much of the difference comes down to the style of content provided. While training that covers shooting, tactical driving, or active fire scenes will always require a physical component, digital security courses lend themselves perfectly to a digital medium. An instructor does not need to be in the same room as their students to talk about strong passwords or common traits of poisoned emails.

Instead of scheduling a group of employees for a costly in-person session, they can access an on-demand event any time within a provided timeframe, with completion and testing records automatically attaching to their personnel file when completed. Quicker access to these records is important for certification checks, potential corrective action, or legal defense, giving on-demand cybersecurity training several advantages over classroom learning.

Whatever format the agency chooses to provide it in, every breach in the headlines is another sign that cybersecurity training is necessary. For organizations unfortunate enough to have suffered a major breach, courses are a way to prevent past mistakes from repeating and formally outline expectations. And for those that have thus far avoided an incident, giving employees the knowledge they need to avoid critical mistakes can be the best line of defense against potential attacks.
 


Join the Conversation on FirstForward®

Related Posts

2018-10-31T14:55:56+00:00 October 31st, 2018|General, Homeland Security, Homeland Security, Readiness|