Cybercriminals are continually scheming up ways to get their hands on your sensitive data. Learn how to protect your data and stakeholders before it’s too late.
Private and public sector organizations alike were surprised by the SolarWinds cyber attack that FireEye announced in December 2020. One of the largest cyber attacks in history, it affected 18,000 of SolarWinds’ customers globally. By injecting code into SolarWinds’ Orion platform, hackers carried out a supply chain attack that allowed them to infiltrate the IT systems of many private and public sector organizations globally, including:
- Local, state, and federal government agencies within the United States,
- North Atlantic Treaty Organization (NATO),
- European Parliament,
- U.K. government, and
- Several private companies.
It’s believed to be one of the worst cyber-espionage incidents ever suffered by the United States. Even worse, it took nearly nine months before the attack was ever detected, at which point the damage had already been done.
While this was a colossal attack on the public sector, it’s far from the only one. Hackers today are increasingly targeting public sector organizations. Without aggressive countermeasures, governments stand to lose sensitive data from data breaches. But why and how frequently are hackers targeting the public sector? What are governments doing to combat these increasing attacks? And what challenges do public sector organizations face?
Let’s hash it out.
Why Do Hackers Target Public Sector Organizations?
According to a 2019 Tenable and Ponemon report, 88% of public sector organizations have experienced at least one cyber attack within the previous two years. More recently, COVID-19 had a major impact on the workforce. As of January 2021, Gallup reports that 56% of employees were working remotely part or all of the time during the pandemic, and 44% of survey respondents indicate that they’d prefer to continue working remotely. With less stringent cybersecurity measures in place at home or in public Wi-Fi locations, the pandemic created an opportunity for more cyber attacks.
According to Verizon’s 2021 Data Breach Investigations Report, about 11% of cybersecurity incidents involved the public sector (3,236 incidents, 885 of which involved confirmed data disclosures out of a total of 29,207 incidents). Several key attributes make public sector organizations more attractive to hackers.
Public Sector = Loads of Sensitive Data
Many of the organizations that have been targeted in recent ransomware attacks fall within the public sector. That’s because public sector organizations are a virtual treasure trove of data for hackers. They maintain large databases containing sensitive information, such as:
- Social security numbers,
- Confidential health information,
- Insurance numbers,
- Financial information,
- Trade secrets and other intellectual property (IP), and
- Personal identifying information for employees, citizens, students and other stakeholders.
They Know Their Activities Can Remain Undetected for Long Periods
Verizon’s 2019 Data Breach Investigations Report reported that public sector organizations were involved in one-in-five cyber incidents. Their data also revealed that approximately 47% of public sector data breaches were not discovered until years after the initial attack. This delayed discovery allows criminals more time to steal information and wreak havoc while avoiding detection and responsibility for their crimes.
This likely is, at least in part, due to a lack of public sector cybersecurity resources. Cybercriminals are able to circumvent security systems more easily if their targets’ defenses aren’t at full strength.
Public agencies’ cybersecurity budgets are notoriously limited. A joint report from Deloitte and the National Association of State Chief Information Officers (NASCIO) found that the most significant barrier CISOs identified to overcoming cybersecurity challenges is an insufficient cybersecurity budget. The Deloitte/NASCIO report also indicates that only 36% of states report having a dedicated budget for cybersecurity. And to make matters worse, the majority of states allocate less than 3% of their total IT budget to cybersecurity.
A lack of funds can create additional cybersecurity vulnerabilities due to:
- Outdated IT infrastructure, software, and security systems,
- Lack of cyber security awareness training (which would help prevent falling prey to phishing attacks and other cyber scams),
- Inadequate cybersecurity staffing, and
- An ongoing IT security skills gap and a lack of training for IT professionals to help them learn new skills and recognize new threats.
Speaking of which…
Public Sector Organizations Need More Cyber-Skilled Employees
The cybersecurity skill gap widened during COVID-19 as more strain was put on IT professionals worldwide. Data from the 2020 (ISC)² Cybersecurity Workforce Study shows that the cybersecurity talent gap is at 3.12 million unfilled jobs.
This is a global problem. The most recent Cyber Security: Skills In The UK Labour Market report found that more than 54% of the roughly 1.3 million businesses in the UK lacked the skills or confidence to carry out basic cybersecurity tasks. These tasks included creating back-ups or competently managing access privileges.
The lack of a consistent framework among federal, state, and local governments contributes to the existence of more security gaps. According to the Deloitte/NASCIO report, in the U.S.:
- 27% of states provide cybersecurity training to local governments and public education entities, and
- 28% of them say they have collaborated extensively with local governments as part of their state’s cybersecurity program.
A 2019 report from Tenable and the Ponemon Institute found that 51% of survey respondents say their public sector employers spend more time on manual processes than on handling security vulnerabilities. This situation is expected to worsen, with the Insurance Journal reporting that the pandemic has further widened security gaps for public sector officials. Most security experts believe that the probability of a security breach in the next 12 months is higher than they reported in a similar 2018 study.
Public sector organizations can help mitigate cyber security vulnerabilities by learning about the common methods hackers and other cybercriminals use to attack public sector organizations.
5 Attack Methods Targeting Public Sector Organizations
The Institute for Defense & Business (IDB) identifies the following five methods of attack as those that cybercriminals use to target public sector organizations.
1. Phishing
Phishing is a major issue for public sector organizations. The IDB classifies phishing as impersonating a licensed institution in order to retrieve personal information from victims. For example, the cybercriminal may pose as a health official and ask the recipient of an email to verify their personal information.
Verizon’s 2021 DBIR report indicates that social engineering was responsible for more than 69% of breaches for public administration organizations. Phishing was present in nearly 100% of those breaches.
2. Ransomware
Ransomware is a nightmare for businesses. It’s a type of malware that infiltrates a system and makes it (or its data) inoperable or inaccessible to the owner. Attackers usually demand large amounts of money in exchange for restoring the owner’s access. At least 60 government entities, including cities, transportation agencies, and police departments, were impacted by ransomware attacks during the first half of 2020.
3. Nation-State-Sponsored Cyber Attacks
Nation-state cyber attacks are backed by foreign governments and often target agencies that are known to store valuable information about the target country’s citizens. Examples of state-sponsored cyber attacks include:
- Identifying and manipulating critical national infrastructure,
- Collecting intelligence on the nation’s people that can be used for identity theft and phishing campaigns, and
- Stealing money or demanding ransoms.
Because attacking a public sector can have a larger effect on the people of a nation, these actions can be a type of warfare. If left unchecked, state-sponsored cyber attacks can threaten national security.
4. Distributed Denial of Service (DDoS)
This type of large-scale attack involves using a network of infected devices to bombard websites and services with connection requests. The goal is to overwhelm servers and make the sites inaccessible to legitimate customers and visitors. Attackers capitalize on vulnerable devices, essentially hijacking them to use as pawns in their DDoS army.
On May 4, 2021, Belgium’s public sector ISP, Belnet, reported that its network was targeted by a large-scale DDoS attack of unknown origin. The attack affected around 200 public sector organizations, including universities and other government websites.
5. Hacktivism
Some cyber criminals target public sector agencies with whom they disagree. They may consider themselves political activists and attempt to prove a point or highlight a social cause. However, they do so by illegally hacking into the agency’s computer system and exploiting the information there by:
- Leaking private emails,
- Sharing information in confidential databases,
- Threatening to release sensitive information to the public if the agency does not take a certain action, and
- Revealing sensitive or confidential information about the organization or its members.
Any of the above methods can have devastating effects on a public sector organization and the target nation at large.
A Harrowing Example of a Public Sector Cyber Security Attack
In 2017, cybercriminals launched WannaCry, a massive ransomware attack targeting organizations in more than 150 countries. The malware used an exploit for a specific Microsoft operating system vulnerability to get onto computers and encrypt critical files and data. This tactic gave the attackers leverage to demand Bitcoin payments in exchange for releasing the data.
By the time the ordeal was over, the results were devastating for businesses and public sector organizations globally:
- More than 200,000 computers were shut down.
- Thousands of hospital services, surgeries, and appointments were canceled or delayed.
- The United Kingdom’s Department of Health and Social Care reports that the nation’s National Health Service (NHS) lost $92 million in lost output and IT-related costs.
The WannaCry attack expanded into new variants, including Petya ransomware. McAfee describes this Petya ransomware as a variant of the earlier Petya malware that capitalized on the same Server Message Block (SMB) vulnerability as WannaCry to spread to unpatched devices. NotPetya was another variant that used different encryption keys, displays, notes, and reboot styles.
Cybercriminals had stolen EternalBlue, the exploit WannaCry used to spread, at least one year before the attack. Microsoft had issued a fix well before the launch of the WannaCry attack. The attack could easily have been avoided had the individuals using affected computers simply installed software patches or upgraded to a newer operating system. Once cyber security experts identified the attack, they were able to slow it down by applying the emergency security patches Microsoft released and by activating a kill switch that prevented infected computers from spreading it further.
Government’s Strategy to Fight Cybercrime
Each government has the ability to create a strategy to fight cybercrime, provided that it is given the authority and resources to do so. While each strategy may be unique, the general steps of any strategy should include the following:
Developing Cybersecurity Policies and Processes
It is important to have written policies regarding cybersecurity. A written policy ensures that everyone is in the know about who holds what role in cyber incident response situations. Public sector organizations may have a variety of cybersecurity policies they use, such as:
- Acceptable encryption policies
- Acceptable use policy
- Data breach response policy
- Disaster recovery plan policy
- Email policy
- Internet usage policy
- Password protection policy
- Personal communication devices and voicemail policy
- Remote access policy
- Server security policy
- Virtual private network (VPN) policy
- Web application security policy
These policies should be created based on established guidelines and best practices. This can help inform the strategy and help the organization understand potential fraud risk.
Public sector organizations should implement federal frameworks, such as the NIST Cybersecurity Framework, which establishes a baseline for strong cybersecurity state policy and can help inform your organization of potential fraud risk and best practices. A comprehensive security framework should help you identify potential risks and improve cybersecurity related to your critical services and infrastructure.
Best practices in your cybersecurity policy should include:
- Limiting digital and physical access and privileges to only certain individuals or roles.
- Establishing procedures to protect and secure data on devices and in transit.
- Making clear requirements for making updates and installing security patches.
- Providing guidelines on how to respond to a cybersecurity incident or threat.
You can get comprehensive information about the possible provisions to include with SANS’ Security Policy Templates.
Collaborating with Industry Experts
Organizations can work with academics and known cybersecurity experts to help identify vulnerabilities and build frameworks that help prevent fraud. This approach provides useful insights into cybercrimes and what organizations can do to avoid becoming targets. Experts can help the organizations by identifying real threats or running exercises to see how prepared the organization would be if it faced a potential threat.
Creating Cybersecurity Awareness Within Their Organizations
Public sector employees should be taught about cybersecurity and work in a culture of awareness regarding cybersecurity threats. Clear guidelines should be in place about where, how, and when employees can access information. Additionally, clear processes should be in place so that employees verify the authenticity of requests. One way to do this is to have the employee call a person directly before conducting any important financial transactions or sending sensitive data.
Effective cyber awareness training should include not just information but real-world cyber threat examples. You can educate your staff by having them interact with materials that include cybersecurity threats, such as:
- Malicious links — Malicious links contain malware that infects a computer or device once the user clicks on it. This may result in software being downloaded onto the devices that tracks the user’s keystrokes or sends the user to a site where they provide their private credentials.
- Phishing emails — A phishing email is a communication that pretends that it is from a reputable organization in order to get the recipient to interact with the message so that the user’s information can be stolen.
- Malicious ads — Malicious ads spread malware and compromise computer systems. Bad actors pay legitimate advertising networks to display infected ads so that anyone visiting the sites can become infected and further spread the malware.
- Ransomware — Ransomware encrypts an organization’s data and denies access to it unless the victim pays ransom to the hacker. A recent and alarming trend in ransomware attacks is the use of data exfiltration by attackers.
- Social engineering — Social engineering manipulates people into giving up confidential information by pretending to know the person.
Training should present employees with scenarios that they might encounter on the job so that they are able to recognize them during the scope of their work. This approach also helps build critical thinking skills and shows employees how to respond in case of a security threat.
Be sure that you also provide resources, best practices, and information about who employees should contact if they receive or engage with suspicious content.
Developing a Cybersecurity Response Plan
Before a data breach, account takeover, or another type of cyber attack or cybersecurity incident occurs, develop a response plan. If an attack occurs, the plan can be followed to provide a prompt response.
Your cybersecurity response plan may include:
- How to secure systems after a cyber attack, data breach or other security incident occurs.
- Who to report a cybersecurity incident to.
- How and when to back up data.
- How to fix identified vulnerabilities.
- How to secure physical areas related to the breach.
- How to take affected equipment offline.
- How to remove exposed sensitive information from the web.
- How to preserve evidence related to the attack.
- Which law enforcement agencies to notify about the attack.
- How to notify affected parties.
- When, how and what information your organization will communicate to the public.
Because of the potentially enormous consequences that can result from many types of cyber incidents, it’s vital that public sector organizations take cybersecurity seriously. This entails not just keeping IT systems up to date and fixing known vulnerabilities; it’s also about investing in other security measures to secure your organization’s systems and data. Without the proper protections in place, citizens can lose their personal information to criminals with the most nefarious motives.
We have already witnessed the havoc that cybercriminals can create with the WannaCry attack. And as we continue dealing with the COVID-19 global public health crisis, the potential stakes are even higher. Increasing your cybersecurity budget, implementing a solid framework for IT best practices, and ensuring you have a strong IT infrastructure are necessary to guard against increasingly sophisticated cyber attacks. These are investments that we, as a society, cannot afford to be without.