Surviving the cyberscare
Local government leaders are scrambling to answer the question: “Are our systems cybersecure?”
The question is valid considering the cyber attacks that have occurred recently, such as the Federal Office of Personnel Management’s data breach of its security clearance database, which compromised the Social Security numbers and other personal information of 22 million government workers and their family members.
With cyber attacks occurring in the highest level of government, technology directors say the odds of avoiding cyber crime attempts at city and county levels are slim to none. However, technology experts do advise that mitigating the onslaught of imminent hacks on financial systems, personnel databases and other sensitive data can be achieved by local technology departments deploying routine training, updating systems regularly and implementing rigorous IT policies.
Hackers often target governments
Government agencies made up 20.2 percent of the reported cyber attack targets as of June 2015, second to industry at 32.1 percent, according to monitoring website hackmageddon.com. The primary technique those hackers used were defacing websites, targeted attacks and malware.
Those statistics are largely due to the sensitive data that high-profile mayors, county financial directors, city managers and local human resources directors have at their fingertips, says Rick Loggins, director of the St. Tammany Parish, La., department of technology. Protecting the data with those government leaders at the helm is an hourly effort, says Loggins, who has led the parish’s technology team for the last seven years.
“We just traced a hacker down to a university in China… We’re all scared to death about security,” he admits. “If I lose sleep, that’s where I lose it. It’s not if; it’s just when. The only secure system is the one that’s off.”
Training and awareness key
Though software and websites are attacked by cyber criminals, the access granted typically comes at the hands of humans responsible for keeping those systems secure, says Montana Williams, dubbed a cyber evangelist and senior manager of cybersecurity practices at ISACA, an association of IT governance professionals.
“The problem comes down to where information and all these data breaches have begun with is that there’s a human being in the loop that either is the root cause of the problem or exacerbates the problem,” Williams explains. “All the way down from the boardroom to the break room, to the mayor of the city, through their entire staff, there needs to be better awareness of the risks related to cyber security and what is responsible behavior on cybersecurity networks.”
Williams suggests that all government staff have regular IT training on what trends exist in how hackers access systems. Social engineering, a form of phishing where a hacker tricks someone into allowing access to data, has been a common way that cybersecurity breaches have occurred. An employee at Sony, William cites, was socially engineered to open an e-mail that allowed a cyber criminal to take over that person’s e-mail account and credentials, which led to the infamous Sony data breach.
“[Employees] have to be really careful,” Williams adds. “[Hackers] send you something based on some profiling they’ve done on you. They’ve looked at your LinkedIn. They’ve looked at your Facebook. They say ‘O.K., this person’s interested in outdoor activities. I’m going to send them a phony link to Outdoor World or Bass ProShops.’ They click on the link and that downloads a set of malware onto their system – that’s referred to as a watering hole.”
It is up to IT leaders in government agencies to drive home the detrimental effects of downloading unnecessary software or opening e-mails from unknown senders, says Justin Heyman, director of information technology for the Township of Franklin, N.J. Heyman has made a 45-minute cybersecurity class mandatory for every employee of the township. The class is also available to the public online.
“As cyber attacks get more sophisticated, it becomes more and more important for education of end users in good cybersecurity practice,” Heyman says. “Ultimately, even with the best technology solutions in place, without a sound technology policy and regular education of your end users, you are still quite vulnerable.”
Multilayered approach to security
Combining end-user training with updated technology solutions and sound IT policy has helped St. Tammany Parish win the National Association of Counties’ (NACo) Annual Digital Counties award five years in a row, Loggins shares. When he arrived in 2008, Loggins says, the parish’s IT department had minimal training on cybersecurity and threadbare equipment. Since then, Loggins has annually cycled in new equipment, provided an IT best practices policy and invested in a patch system – software that automatically updates systems by fixing security vulnerabilities and other bugs.
Catawba County, N.C., has implemented a similar cybersecurity framework and policies, says Rick Pilato, chief information officer for the county. Measures, such as prohibiting government staffers from downloading software have helped the county secure and standardize its IT system, he says.
A multilayered approach – IT systems, policy and training – can be the difference between cyber threats and cyber attacks, says Pilato, whose county was also named as one of NACo’s Digital Counties this year.
“It’s an hourly challenge to secure our systems,” Pilato says. “Training and creating the policies and assuring that you have an enterprise culture that understands how important this stuff is and how it’s being handled, a lot of that is free – that helps thwart those attacks. It’s as equally important as the appliances that cost a lot of money that you’re putting in place.”