Cybercrime continues to be an issue for all organizations, but even more so for municipal governments. Local governments, schools, law enforcement and hospitals have become easy targets as they struggle to keep up with the ever-changing and sophisticated tactics used by cybercriminals. According to KnowBe4, a cybersecurity training service provider, the most common type of attack is a ransomware attack. From 2017 to 2020, the average ransomware attack cost municipalities $125,697. Between paying the ransom, recovery costs, reputational risk and capital devoted to preventing attacks, cybercrime is expensive for local governments.
Preventing cybercrime is a challenge, but there are a few basic guidelines that local governments can follow to help avoid disaster.
Municipal organizations looking to prevent a cyberattack should first focus on employee education. In 2019, an unsuspecting employee clicking a link cost a small beach town in Florida $600,000. Cybercriminals can gain access to local government data through compromised emails, phishing scams, downloaded malware and passwords with questionable security. The good news is that these are all largely preventable with a solid employee education program. Business Email Compromise (BEC) accounts for over a billion dollars in actual and attempted losses worldwide. Help educate employees at all levels of your organization to avoid these security traps:
Phishing Scam Protections. Nearly one-third of employees are still falling for email phishing scams, which continue to gain sophistication. Ten years ago, phishing emails were easy to spot with poor spelling and grammar, incomplete sentences and jumbled instructions. Today’s phishing attacks closely mimic legitimate emails from internal and external sources. They use spoofed email addresses and appear to be from a coworker or manager. Clicking on these emails and entering information can grant remote users access to core systems.
Weak Passwords. There is an overabundance of personal data available online, and password security is critical to keep that information safe. While it may feel easier to keep track, using the same password for multiple websites is dangerous, and simple passwords can be too easily guessed based on social profiles and widely available personal information.
Lack of Controls. Local governments don’t always have the resources to put important controls in place. At a minimum, employees should regularly reset their passwords. Systems that house important information such as payment details, Social Security numbers and other personal data should be restricted so that only necessary employees have access.
Cyber Security and Payments Fraud
Local government organizations usually accept a large number of payments, such as utility payments and taxes, which is what makes them prime targets for cybercriminals. As a municipal government, you should work with your financial partners and make use of tools like Positive Pay, a service that matches the account number, check number and dollar amount of each check presented for payment against a list of checks previously authorized and issued by the company. Similar services also exist for ACH payments. Instituting these programs can help protect both citizens and governments.
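As an added illustration (not code from the bank or from any Positive Pay product), the three-field match described above can be sketched in Python. The account numbers, check numbers and amounts are constructed sample data, and the duplicate-presentment check is an extra step beyond the match the text describes.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    account: str
    number: str
    amount: Decimal  # Decimal avoids float rounding on currency values


def review_presented(issued, presented):
    """Compare each presented check against the issued-check list.

    Returns a list of (check, decision, reason) tuples, in presentment order.
    """
    register = {(c.account, c.number): c.amount for c in issued}
    paid = set()  # keys already paid, to catch a second presentment
    results = []
    for chk in presented:
        key = (chk.account, chk.number)
        if key not in register:
            decision = ("EXCEPTION", "not on issued list")
        elif key in paid:
            decision = ("EXCEPTION", "duplicate presentment")
        elif register[key] != chk.amount:
            decision = ("EXCEPTION", "amount mismatch")
        else:
            paid.add(key)
            decision = ("PAY", "matches issued list")
        results.append((chk, *decision))
    return results


# Constructed sample data: the issue file sent to the bank...
ISSUED = [
    Check("100200300", "1001", Decimal("150.00")),
    Check("100200300", "1002", Decimal("2400.50")),
    Check("100200300", "1003", Decimal("87.25")),
]
# ...and the checks later presented for payment.
PRESENTED = [
    Check("100200300", "1001", Decimal("150.00")),   # legitimate
    Check("100200300", "1002", Decimal("9400.50")),  # altered amount
    Check("100200300", "1001", Decimal("150.00")),   # same check again
    Check("100200300", "2077", Decimal("500.00")),   # never issued
]

if __name__ == "__main__":
    for chk, decision, reason in review_presented(ISSUED, PRESENTED):
        print(f"check {chk.number} for {chk.amount}: {decision} ({reason})")
```

Exceptions are not paid automatically; they are the items a finance officer reviews before deciding whether to pay or return each one.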
Educating your residents is also critical to avoid payment fraud. One common tactic of cybercriminals is to trick customers into making a payment on a fake website, often through emails. Remind residents to only make payments through official websites and payment platforms. Instruct them to contact your organization directly if a website or email seems suspicious. Valid requests from financial institutions, such as Bremer Bank, will not ask for your full account information, credit card number or Social Security number via email, SMS text message or outbound call. Instead, we may request limited personal or professional details for verification such as the last four digits of your Social Security number, zip code or date of birth.
Fraud by email has become much more sophisticated over the past few years, as fraudulent messages are much better at seeming legitimate. It’s critical to question any request for a wire transfer, even from people or organizations you know. Return email addresses are too easy to mask, making an email seem as though it came from a well-known contact asking for assistance or from a partner such as your bank requesting that you log in to a website and make an update.
Cyber Liability Insurance
Attacks on your organization can inflict damage far beyond the initial loss of data and direct costs. Indirect costs such as loss of customer trust can be difficult, if not impossible, to quantify. Local government organizations may feel that they aren’t likely to be targeted by cybercriminals, but 53.2% of all state government attacks are targeted at schools and cities. It’s important to remember that as a local government, you’re dealing with taxpayer money. Losing the trust of your local citizens could be detrimental to your ability to pass levies and budget increases. A business hit by a cyberattack may fold and shut down completely, but local governments can’t do that. Suffering from a costly cyberattack could really damage a municipality’s credit analysis.
The costs associated with cybersecurity breaches continue to rise, making it urgently important that businesses of all sizes put adequate protection measures in place. While training staff in security best practices is a solid first step, cyber liability insurance is an important part of your risk management strategy. This specialized insurance helps ensure your business can continue operations even after a devastating attack.
Tips for Protecting Your Data
It only takes a few simple pieces of information for a smart hacker to begin making inroads into your digital data repositories. Protect the security of your data both online and offline using these tips:
Invest in security. Local governments have become an easy target due to decreasing investment and tight budgets. 60% of states have voluntary or no cybersecurity training programs in place. Even a basic training program can help prevent an attack.
Multifactor Authentication is a must. Implementing MFA requires someone to verify their identity a second or third time. It’s easy to implement and offers an extra layer of security.
Control Social Access. Check the security and privacy settings on your social media accounts and educate your employees on the importance of staying vigilant in this channel.
Fully Vet Third Parties. Rigorously vet any third-party services that attempt to connect to your computers or servers.
Use Trusted Resources. Ensure all potential partners working with you are well-known and trusted in your business community. Phone systems and Wi-Fi hotspots can provide an entry point for bad actors to gain access to your network configurations.
Following these basic security principles will help your organization stay under the radar and reduce the risk of data theft or infiltration from cybercriminals. While no methods are foolproof, following these guidelines can improve the overall security of your organization’s and residents’ sensitive personal and financial data.