Public sector cyber breaches: the next frontier?
By Robin Leal
While cyber-attacks at large retailers and banks have dominated media coverage, two recent breaches on HealthCare.gov and the U.S. Postal Service underscore that public sector organizations face similar risks.
Governments maintain a trove of information about their employees, residents, vendors, and other third parties, making them a target for cyber criminals. Beyond names and addresses, their records contain sensitive personally identifiable information, including Social Security numbers, financial and bank account numbers, health information about employees and from social services programs, court records, and other legal documents.
Despite considerable public awareness of these data risks, public officials’ confidence in their cyber protections is alarmingly low. In a survey of nearly 240 public risk managers at the 2014 Public Risk Management Conference and the 2014 National Association of Counties (NACo) conference, only 13 percent of respondents were “very confident” that their public entity has adequate protection against cyber threats. More than 60 percent said their greatest concern was a data breach that compromised personally identifiable information. With criminals constantly looking for new vulnerabilities, the public sector needs to take proactive steps now to mitigate its risk of cyber-attacks.
That recommendation becomes even more important in light of additional factors that set governments and municipalities apart from businesses and corporations. For instance, public sector budgets are often limited, and governments may be unlikely to invest in regular security upgrades such as firewall replacements and patching of aging systems. Also, elected or appointed officials can change with every election, disrupting continuity in long-term planning, funding and oversight of network and information systems and records management. Finally, politics, even at the local level, can involve controversial issues and polarizing viewpoints, and those who feel disenfranchised may target a public entity’s website or systems as a political response. While businesses are most commonly attacked by those with financial motives, public entities are also frequently targeted by those with political agendas.
However, there are several ways for the public sector to address cyber risks and manage cyber-related exposures.
The first priority for public entities is to establish written policies and procedures covering authorized use of networks, computer systems and devices, physical premises security, use of entity information, and a “bring your own device” (BYOD) program. For instance, simply plugging an employee’s personal phone into a workstation’s USB port to charge it can introduce outside viruses or malware onto the network. Written policies on authorized use should be supplemented with robust and regular employee training.
Beyond training on the systems themselves, public employees should receive frequent reminders to update passwords, avoid downloading files from unknown sources, refrain from connecting personal devices to network systems without proper security screening and updates, and report and delete suspected spam or “phishing” emails without opening attachments or links. It is commonly estimated that roughly half of all data breaches result from employee negligence, mistakes, or errors. Third-party vendors and other contractors with access to personally identifiable information should be held to the same stringent requirements.
Even with policies and procedures in place and regular employee training, public entities should stress test their incident response and contingency plans by conducting a mock breach exercise and evaluating how the organization responds once an intrusion is identified. An annual exercise and review is the minimum; entities that retain large volumes of sensitive data should test more often. Public entities should also understand the laws and regulations that require them to retain information for a certain period of time, and older records that are no longer needed should be disposed of in a secure manner. Keeping only what must be kept reduces the amount of information on hand that could be stolen.
Depending on the size and complexity of their systems, public entities should consider hiring a dedicated IT security or chief information security officer. As public officials cycle in and out of office and employees turn over, governments need a function dedicated to information management to apply consistent monitoring and safeguards. Asking managers to oversee multiple functions, including the IT and network systems, can be overwhelming, and an overworked employee juggling varied tasks, IT security among them, may be exactly the weak point criminals need to gain access to a public entity’s computer systems.
Even the best-laid plans can go awry, and as a result, public entities should consider a financial safety net in the form of insurance. Only 10 percent of current public sector insurance clients add cyber protections to their existing policies, and the majority of new business submissions indicate that cyber insurance is not part of their current coverage. Many carriers now offer this insurance, including first-party coverage options that can address certain expenses incurred from a breach, such as retaining a computer forensics firm to determine the cause and scope of the incident.
This coverage can also help entities comply with privacy regulations, notify affected individuals and provide them with credit monitoring services, and retain legal counsel. Costs from a breach can escalate rapidly, and it is short-sighted to assume that a public entity’s existing protections are strong enough to prevent a cyber-attack.
With the volume of cyber breaches happening every week, two types of organizations exist: those that know they have been hacked, and those that have been hacked and do not know it yet. While businesses and corporations invest in new protections, the public sector, which often has limited resources, contentious politics and a lack of long-term planning, may become the target of the next wave of attacks.
Robin Leal is the underwriting director at Travelers Public Sector Services.