In so many areas of life, the pandemic took a tough situation and made it that much worse. Cybersecurity was no exception, especially for state and local agencies.
Perpetually working with limited resources, many agencies were already struggling to fend off ransomware and other cyberthreats. With the pandemic, they saw a surge in malicious activity, especially phishing, but their resource constraints did not change.
“The bad guys are looking for ways to hit us when we are most distracted and get into our environment,” said Maria Thompson, State Chief Risk Officer for North Carolina.
During GovLoop’s latest virtual summit, Thompson and her fellow panelists discussed strategies for helping agencies shore up their cyber defenses.
Double down on cyber awareness training
Thompson said that the primary way that bad actors are getting into networks is through social engineering and phishing. That is, they are crafting emails that trick users into sharing information or into clicking on a link that downloads malicious code.
“People are not taking that extra step to stop and think, ‘Should I click on this link?’ or ‘Is this person trying to get information from us? Should I validate that the request is valid?’” she said.
The state has responded by increasing end-user training, much to the consternation of some employees who said they didn’t have time for it. “But I said, now is the time more than ever that we should be focusing on this,” Thompson said. “The bad guys are looking for ways to hit us when we are most distracted and get into our environment.”
Keep network administrators up to speed
Texas has taken a similar approach. In fact, the Texas legislature recently passed a bill that required security awareness training for all public employees, said Daniel Hankins, Cybersecurity Coordinator for Texas.
But the state is also focused on ensuring that its IT administrators keep their skills up to date, providing them with a steady stream of information about training opportunities.
There is real risk “if your administrators are a little bit behind on the technologies or they don’t understand that something is critical,” Hankins said.
Don’t rely on training alone
While training modules have their purpose, “you need to find other ways to help users think cyber first,” said Thompson.
North Carolina, for instance, came up with five or six basic messages that it wanted to share, such as how to configure a home network to comply with agency requirements, and put them on screensavers that rotate on end-user devices.
Don’t look for a quick fix
Given the complexity of today’s cyber challenges, agencies should not expect to find one solution or even one company to fix their problems, said Rufus Coleman, Director and General Manager for the U.S. State, Local and Education markets at Infoblox, which provides core network services.
Instead, agencies should adopt a defense-in-depth strategy, using security orchestration, automation and response (SOAR) capabilities to manage cyber activities across their environment, Coleman said.
Industry vendors need to do their part as well, he said – sharing information and insights that can help one another understand the threat landscape.
“What we do is share information with other vendors in the tech community to [help them] make their tools smarter,” Coleman said. “We work in tandem to produce better outcomes and quicker outcomes for our public partners.”
Don’t miss a good learning experience
Just days before the panel, Colonial Pipeline made headlines when it was hit with a ransomware attack, triggering fuel shortages in several southeastern states. Such a high-profile incident provides a good opportunity to highlight the dangers of ransomware, Thompson said.
“We can leverage this incident to further educate folks on how this happened, why this happened, and what we can do to further secure ourselves,” she said.
In short, don’t let a disaster go to waste.