In June, federal employees in Kansas City, Missouri, were shocked to discover they’d experienced a serious security breach. Criminals reportedly hacked into the computer system, stealing personal information from as many as four million government employees. The Associated Press reported that the hackers allegedly stole Social Security numbers, banking information and other highly personal data.
As serious as this breach was for millions of people, it is just one example of the targeted IT security attacks directed at local governments in this new millennium. With millions of personal records at stake, not to mention the nation’s overall security at risk, the cost of these attacks can become astronomical. Not only do many lose money when hackers steal personal information – estimated to be in the billions of dollars, according to a Ponemon Institute Annual Study – the loss of citizen trust may be among the most challenging to recover.
Reports of incidents from San Francisco to Syracuse have led public officials to note that if local agencies do not effectively manage IT security today, breaches will occur more regularly, impacting millions of people and costing well into billions of dollars to remedy.
For example, the South Carolina Department of Revenue recently sustained a security breach that affected 3.8 million taxpayers who had their Social Security numbers exposed, along with other personal banking and financial information. The attack was traced to a single phishing e-mail delivered to a government employee that allowed hackers to access servers where they installed malicious software. Because the breach was undetected long enough for the hackers to access personal information, the state is estimated to spend as much as $12 million to enroll at-risk individuals in credit-monitoring services.
Eric Chabrow of ISMG Corporation in Princeton, New Jersey, says the biggest threats facing local governments today are much the same as faces any other individual and organization that’s online. “It’s usually mistakes made by employees,” he said, “such as falling victim to spear-phishing that allows the bad guys to enter the system.” Chabrow said it all comes down to basic “cyber hygiene” and whether an agency or organization has invested enough time and manpower to prevent attacks before they happen.
One way governments can brace against these attacks is by increasing financial support for IT security by hiring more qualified staff and buying the proper tools to monitor systems and servers. “Most cybersecurity programs are underfunded,” Chabrow said. “Legislators and governors need to commit more resources to cybersecurity.”
Chabrow admits that finding qualified IT security professionals is also becoming more challenging, because there simply are not enough people trained to handle these pressing issues. But it’s up to the local government leaders to be able to properly assess cyber-risk and build a platform to address it effectively before a breach happens.
And while there’s no hard data suggesting just how much governments should be spending on IT security, most are not spending enough despite the enormity of these threats and the cost they can incur after a breach happens.
“Each organization has unique needs,” Chabrow said. “But it’s safe to say that very few organizations are spending enough on IT security.” It’s also safe to say that spending on preventative services can actually save money in the long run, money that is often needed after a breach happens, which can be very expensive in terms of system upgrades and clean-up for user, who may be impacted even years later.
Shared Threats, Shared Services?
Security solutions developer Sophos recently released the results of a survey about the state of IT security for local governments in the UK. The research, conducted by Dods Research, found that 41 percent of respondents in the public sector thought their current IT security practices would offer suitable protection against the growing threat of cyber-crime. But almost 50 percent admitted that they did not have an awareness of cybersecurity issues in the government workforce.
“With cybercrime at an all-time high and public sector budgets reducing year on year, it’s more important than ever that organizations maximize the resources available to them,” said James Vyvyan, regional vice president of Sophos. “There is a clear trend towards local authorities partnering with neighboring authorities to increase and implement shared services. The collaborative approach is certainly helpful in the fight against cyber-crime.”
The survey showed that budget cuts have been impacting the amount of money allocated to fight cyber-crime on the local level. The idea of sharing services is a novel one, saving money for many municipalities, while offering more robust protection in advance of an attack.
“Our research indicates that local authorizes and police may also be missing the opportunity to consolidate their IT and security techniques,” said Vyvyen, “which can deliver further savings, helping to protect jobs and frontline services.”
A Form of Terrorism
Hexis Cyber Solutions, a cybersecurity solutions provider in Hanover, Maryland, said that cyber-threats are just as real in the public sector as it is in the private, but that government breaches can impact more people because of the sheer amount of personal data that makes these targets so appealing to hackers. Many of the latest cyber-attacks are actually coming from outside the U.S. And that so many agencies are not connected can actually make it difficult to share services.
In a step in the right direction, the White House developed its own comprehensive National Cyber Security Initiative to address these threats. Since 2009, the Obama administration has been working with the Cyberspace Policy Review by establishing an executive branch cyber security coordinator, who works closely with key officials, as well as state and local governments, to ensure a unified response to future incidents. The National Cyber Security Center (NCSC) within the Department of Homeland Security is also helping to secure the U.S. government networks with six centers providing analysis and reporting on the state of security on the federal, state and local levels.
By treating cyber-attacks as a form of terrorism, the federal government has been able to allocate funds needed to prevent attacks from paralyzing the most sensitive networks containing personal and classified information. Click here to find a complete list of initiatives already underway.
Local governments can also rethink how IT security is managed is through the National Cyber Security Review, a voluntary self-assessment survey that’s designed to evaluate security management at any government level. The free assessment not only evaluates security, but also delivers a custom report pinpointing recommendations to improve security, as well as what can be done to help prevent problems in the future. It also helps measure against what peers are doing to help prioritize efforts and even finances. Many officials are effectively using the service to help gauge yearly progress and contribute to in-house assessment programs. Click here to find out how to take the survey.
The Multi-State Information Sharing and Analysis Center (MSISAC) also offers daily tips for IT security professionals here.
Natalie Hope McDonald is a writer and editor based in Philadelphia.