You open an email attachment and watch helplessly. Your desktop background image rapidly disappears, replaced with a ransom message demanding payment to unlock your now-encrypted files. You’re a victim of a cyberattack.
Think this won’t happen to you or your agency? Think again. Complacency and bad practices — at both the institutional and individual levels — are what criminals literally bank on.
Cybercrime is a lucrative business that rewards increasingly sophisticated criminals. For example, data trends show the average ransom paid by organizations topped $300,000 in 2020 — almost tripling over 2019. Overall, cybercrime takes a nearly $1 trillion annual toll on the global economy.
Whether you’re part of a local or state government agency, keeping constituent services online and safeguarding sensitive information remain top priorities, said Jim Macisso, a certified information security manager who spoke about cybersecurity trends in a recent podcast. “In this day and age, we tend to say, it’s not a matter of if, but when you’re attacked.”
Cybercriminals’ Favorite Tools
Cybercriminals continually adjust their efforts. They find new ways to infiltrate everything from organizational infrastructure and network systems to individual computers and even smart devices, with alarming precision and frequency, said Macisso. “The unfortunate reality is that there is no one individual or entity that’s immune to being attacked.”
According to Macisso, the most common attack outcomes are breaches of sensitive data and disruptions of service. Criminals continue to rely on ransomware and other malware. But the most prevalent technique, by far, is social engineering: manipulating a person rather than exploiting a technical flaw.
The most common form of social engineering is phishing, where a criminal poses as a trustworthy entity, classically by email but also by phone call (vishing), text message (smishing), and look-alike websites. The goal is to dupe users into clicking malicious links, opening malicious attachments, transferring money, or handing over sensitive information such as usernames and passwords. The attachment in the opening scenario is the classic delivery vehicle: the malware never has to break in, because the user lets it in.
Eliminate Your Bad Practices
Fortunately, Macisso makes it clear that agency leaders who prepare, who fortify themselves with effective cybersecurity practices and detection solutions, and who’ve trained their incident-response teams have an advantage against cybercriminals. Here are four best practices to eliminate your agency’s bad practices.
1. Implement Multifactor Authentication
An exceptionally risky bad practice is relying on single-factor authentication (a password alone) to access systems. The Cybersecurity & Infrastructure Security Agency lists it among its published “bad practices,” warning that it is especially dangerous for remote or administrative access and for any system reachable from the internet, where a phished or reused password is all an attacker needs. Macisso can’t stress the importance of this enough. “Mandate a multifactor solution across the enterprise, especially for staff that hold elevated access levels, public-facing employee services, and cloud-hosted portals.”
2. Train and Regularly Test Your End Users
Almost 40% of end users who have not gone through regular cybersecurity awareness training fail phishing tests, said Macisso. “All it takes is one click to put your organization at risk.” Technology is critical in the effort to detect and stop intrusions, but the education and actions of end users play an equally critical role in effective cybersecurity practices. Simulated phishing campaigns both measure that risk and reinforce the training, which is why Macisso’s mantra is: train, test, and then train again.
3. Invest in Cyberthreat Hunting
Cybercriminals are always testing new attacks designed to bypass automated means of detection. In response, cyberthreat hunting, the proactive, hypothesis-driven search of logs and systems for intrusions that automated tools have missed, has become a popular way for organizations to stay a step ahead. The SANS 2021 threat hunting survey revealed that 73% of respondents perform threat hunting, with 37% of those outsourcing it to third-party experts. Respondents estimated that, on average, threat hunting improved their organization’s security posture by about 25%.
4. Reevaluate Your Cyberattack Readiness
More than half of organizations lack a response plan for when an inevitable cyberattack occurs, and a majority of those that do have plans aren’t even confident in their plan’s effectiveness. A plan that has never been exercised deserves that skepticism; walking the incident-response team through a realistic scenario, such as the ransomware attachment described above, is how gaps in roles, contacts, backups, and decision authority surface before a real incident. Reevaluating your cybersecurity readiness in this way is a great first step to identify gaps and chart a path toward strengthening your cybersecurity program.
Finally, maturing a cybersecurity program takes time. “We’ve always said being cybersecure is not a destination,” said Macisso. “There is no proverbial finish line.”
Steve Goll is the editorial content manager at Tyler Technologies, Inc. In his role, he shares stories of government leaders finding solutions to challenges across a range of disciplines. During his 15 years of government experience, he worked at the state level in economic development and higher education, at the local level in K-12 education, and at the county/regional level as a workforce development council member.