Don’t Let the Hackers Win: How State and Local Governments Can Avoid Cyber Attacks with Security Training
November 8, 2019
Earlier this year, the city of Baltimore, Maryland, fell victim to a ransomware attack that turned the entire city on its head. A group of hackers took control of all government computers, requesting 13 bitcoins, or approximately $76,280, to release the stolen files back to the city. This event not only cost the city millions of dollars—an estimated $18.2 million in total—it also disrupted various government programs and departments across the city, from phone system interference to halted water bills and property tax payments.
This type of cyber attack isn’t new—and it isn’t unique to Baltimore, either. In fact, there have been more than 100 public sector ransomware incidents reported in 2019 so far, up from 51 in 2018. Beyond devastating economic repercussions, these events put sensitive citizen information at risk. Public sector organizations are especially susceptible because they manage valuable information about their constituents, such as social security numbers and fingerprints.
Cybersecurity Awareness Month may have just ended, but that doesn’t mean you should stop prioritizing security and compliance. While there is no way to guarantee immunity to these incidents, there are steps you can take to protect yourself and your agency.
Ransomware and Social Engineering 101
Before you can prevent a cyber attack, it’s important to determine exactly what it is and how it could impact your organization. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as "a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid." It is usually spread through phishing emails or unknowingly visiting an infected website.
Your staff may also be susceptible through what’s known as social engineering. Unlike ransomware, which relies on access to hardware or software, social engineering exploits vulnerable employees to gain access to sensitive information about them or their organization. The most common example is phishing, or the act of using email or social media to trick individuals into disclosing.
Implementing a Cyber Security Training Plan
Some states have already introduced legislation that requires public sector employees to complete cyber security training. In Texas, for example, this includes employees who perform at least 25% of their job on a computer and local government employees who have access to a municipal computer system and database. Elected and appointed officials must participate as well, regardless of how much technology they use.
Internal leadership and third-party vendors are also developing training programs with course content that covers what Texas’s Department of Information Resources has designated "the principles of information security." The goal? Teach employees how organizational data is stored and educate them about basic cybersecurity threats.
But Texas isn’t the only state investing in these types of programs. Others, including Florida and Louisiana, have adopted mandatory training. Meanwhile, states like Maine and Massachusetts offer voluntary sessions.
Regardless of whether or not your state provides these opportunities, you can take steps to ensure your employees don’t fall for an attack. The National Initiative for Cybersecurity Education (part of the National Institute of Standards and Technology) offers several resources to help organizations implement effective courses. Think about how you can tailor this content to your employees; then, do your research. Determine what type of learning format would best resonate with your workers: Do they prefer to learn on the go? Maybe they respond best to bite-sized microlearning courses. Whatever their preference, find software that meets those needs. After all, a cyber attack could happen to any organization, at any time. Your employees need to be prepared—before it’s too late.