This article was published on October 22, 2018

6 reasons why municipalities are getting hammered by cyberattacks



More and more municipalities are becoming victims of hacks. For example, in the US, the first half of 2018 has seen many major (or not so major) cities being attacked by bad actors using a variety of methods. In fact, a major attack on Atlanta put every metro official on notice that hackers don’t balk at attacking cities, and it’s not a matter of “if” but “when” they find an opening.

Not surprisingly, one of the key entry points for these attacks is (drumroll please) …

Phishing!

By most accounts, over 90 percent of breaches start with phishing. The criminal underground marketplace has made it easy for any enterprising cyber attacker to “spear throw” targeted phishing spoofs at multitasking government workers and get them to click a bad link, open a seemingly benign attachment, or provide a nugget of personal information. The result of that unsuspecting action can be exploited, stolen, or used for serious attacks like ransomware and business email compromise (BEC).


As mentioned in a recent Wall Street Journal article, cities like Houston, Fort Worth, and many others are purchasing millions of dollars of cybersecurity insurance policies with annual premiums up to $500,000. This is understandable as the scale of recent attacks is unprecedented — and incredibly costly. The mayor of Atlanta has estimated that her city faced more than $20 million in costs following their attack.

But why is this so prevalent now in city governments? Well, there are six major reasons:

1) Migration to Office 365

Everyone wants to benefit from the cloud. It’s easier and cheaper to manage, and it’s what the experts say we should all be doing, right? Microsoft Office 365 moves email and other critical applications to the cloud, and municipalities want to take advantage of both cost savings and improved efficiencies.

Unfortunately, many organizations unwittingly believe that Office 365’s “free” email security is sufficient. Yet, industry analysts state that 35 percent of Office 365 users are looking to augment the built-in email security, so clearly something is amiss. Gateway email security is vital, but it’s only one part of the equation and Office 365’s email security is no different.

2) Our click-happy culture

There are never enough hours in the day to get everything done, meaning we work nights and weekends too — often from our mobile devices. We are overworked, distracted and a bit numb to all the emails and messaging noise we experience in our lives.

Government workers are no exception. Add to that the online, smartphone, mobile app, and social media engagements people today all abuse, and our fingers and thumbs are itching, nay twitching, to click on stuff.

Most of those things are highly entertaining images, videos, like-able links and more. But (cue the evil music here), some of these things aren’t good, like URLs that are being made up to the tune of 1.5 million a month just to fake us into thinking an email is indeed originating from your payroll provider, bank, Facebook page, insurance claim form… the list is endless.

With so much clickbait available, how is this ever-more distracted workforce to know good from bad when it comes to malicious emails?

3) Public servants in the public eye

The nature of city governments (and all governments except, apparently, North Korea) is to seek out visibility for their good work, including social services and transportation initiatives (but maybe not tax collection).

Whether shaking hands or kissing babies, government employees interact with large swaths of the public and have lots of information online that can provide kernels of kindling for cyber attackers to use in phishing scams.

Let’s just say your mayor is touring a school system and has publicly stated he/she will speak at a certain school at a certain time. At the same time, that mayor’s email could also be known to a not-so-honest citizen. The bad citizen can then send the mayor’s office an email saying he’s with security at that school and needs to pay for an extra police patrol during the speech.

He then requests that the mayor’s office “send a credit card number to pay that with, please.” You get the picture. Sounds unbelievable, but it happens — and works — every day.

4) “I have plenty of money to spend on email security”

That’s something no government official will ever say. And while citizens appreciate the fiscal prudence, it puts city government in an awkward position.

They have to, by law, be very transparent, yet have the same limited-resource challenges that affect most organizations. So, they are left with an IT staff, or perhaps an information security staff, that is as lean and mean as a junkyard dog. Too much to do, not enough resources, unable to stay ahead of cybercriminal activities.

This isn’t a finger-pointing exercise; it’s just reality. This exposure to threats makes city municipalities enticing targets. If a cyber attacker spoofs a private company and effectively shuts down servers for two days until he gets paid a ransom, you’ve got a few upset executives, customers, and employees.

If the same attacker shuts down servers in, say, Atlanta, GA, you’ve got thousands of civilians without services, public welfare at risk and a horde of angry media waving Frankenstein-ian torches on city hall steps. Not a great platform for re-election.

5) Not enough information security pros

As larger companies compete for top IT talent, it puts tremendous pressure on municipalities in hiring and retaining top expert staff.

In the aforementioned Wall Street Journal article, one insurance executive who is helping write new municipal cyber security insurance policies stated, “There just aren’t enough men and women around for the Fortune 500 let alone for all the towns and cities and states that need these talents.”

6) Prioritization

Go ahead, ask yourself this: Does my constituency want better roads, quality health care, improved educational facilities — or deeper layers of email security for government workers? Hmmm. Kind of a no-brainer for anyone serving public interests. Or is it?

If a municipal government can’t safely and securely communicate, manage vendors and funds, exchange private data and more, they can’t effectively facilitate plans for these better roads, schools and healthcare systems.

One phishing email that leads to a ransomware attack and shuts down systems and services quashes it all. By the way, the national publicity about your city under siege doesn’t help with voters when it comes time for re-election either.

So what can municipalities do?

Whether you work in a city service department or are the CISO of New York City, you don’t have to just buy a super expensive insurance policy. There are things you can do to improve your security readiness for any advanced email-borne threat.

First, don’t assume that your email security gateway is all you need. The fundamental technology for these gateways is decades old. While they repel many threats and spam invasions, they are not adequate to block targeted, socially-engineered attacks, like spear phishing. And that goes double for anyone believing MS O365 security is good enough.

Second, don’t assume your IT staff and employees can just fend it off on their own. Your IT staff does a lot of things. While they may know a lot about email threats, they are usually not email security experts, nor do they have the time to review all the suspect emails that come in to your employees. And no matter how much you may train your government workers about the dangers of email threats, it isn’t enough (see above section on our click-happy, distracted culture).

Third, understand that these new threats require a new approach: not only a modern email security gateway that filters emails pre-delivery, before they reach users’ inboxes, but also a new layer of security that protects users post-delivery, once email is in their inbox. And, lest we forget, the all-important email incident response for when malicious email is detected in the inbox. There are now solutions that combine the best of machine learning with expert human analysis to help stop, block, and remediate advanced phishing attacks, taking the burden off your employees and IT department.

You can consider it a bipartisan vote for a more secure email future.
