Big and small, municipalities are under siege from cybercriminals. It feels like at least once a week there is a headline about the latest city government breach. You would have thought the Atlanta breach would be a wakeup call for all cities, but the evidence indicates there is still a long way to go. We live in a world where the question is no longer “if” a breach will occur, but “when”.
Not surprisingly, one of the key entry points for many attacks is phishing – the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Some reports claim phishing is the entry point for over 90% of breaches. But why is phishing so successful? To start with, it’s the easiest method for an enterprising phisherman to execute targeted attacks. And with the plethora of information most people make available about themselves on social media, it’s not hard to collect enough information to sound legitimate. Think I’m joking? Search YouTube for Dave the Psychic and be amazed.
Combine the above with multi-tasking, government workers who check their email at all times, day and night, from multiple devices. Getting them to click a bad link, open a seemingly benign attachment or provide a nugget of personal information is child’s play when there is always “just one more” email to read. Once “hooked”, the unsuspecting victim can be exploited to download ransomware or transfer funds via business email compromise (BEC).
In the face of unrelenting attacks, and overwhelmed security teams, according to a recent article in the Wall Street Journal, cities like Houston, Fort Worth and many others are purchasing millions of dollars of cyber security insurance policies with annual premiums up to $500,000. What’s more, the scale of these attacks is unprecedented. The mayor of Atlanta has estimated that her city faced more than $20 million in costs following their attack.
Why is this so prevalent now in city governments?
- “Easy” targets
Compare the cybersecurity budget for a typical city government with that of a reasonably-sized financial services institution and it’s no wonder that city governments are targets. While IT teams have always lamented the lack of people, time and money, being lean and mean as a junk yard dog doesn’t work against today’s cybercriminals. Too much to do, not enough resources, unable to stay ahead of cybercriminal activities. This is not a finger-pointing exercise, it’s just reality. This exposure to threats makes city municipalities enticing targets.
- Media attention is valuable
If an attacker shuts down servers in say, Atlanta GA, you’ve got thousands of civilians without services, public welfare at risk and a horde of angry media on city hall steps. Regardless of whether the criminal group is ever identified, the city has a public relations nightmare that must be dealt with quickly. Whereas a private corporation may be able to ride out the storm, city governments need to get services up and running quickly. Not surprisingly, ransomware, (again activated via a phishing email) is a common attack. Encrypt thousands of endpoints and servers and cities will readily pay the ransom.
- Migration to Office 365
Microsoft Office 365 moves email and other critical applications to the cloud for a defined monthly fee with no 3-year upgrade cycles; a CFO’s financial dream. And municipalities want to take advantage of both the fiscal prudence their constituents love and improved efficiencies their IT teams need. While Office 365 provides “free” email security, it falls in to the “good enough” category for most organizations. Reality is, though, that industry analysts state that 35 percent of Office 365 users are looking to augment the built-in email security, so something is amiss. Gateway email security is vital, but it’s only one part of the equation and Office 365’s email security is no different.
- Tasty clickables
Let’s face it, there is no shortage of “tasty clickables”. Whether it’s the latest smiling cat video or the past-due invoice from a vendor, things to click, open, view and listen to are coming at us fast and furious. And with the increasingly mobile work force, it’s becoming harder to differentiate work from personal as everything melds together on our phones and tablets. Our fingers and thumbs are itching, nay twitching, to click on stuff. But some of these things aren’t good. URLs are published up to the tune of 1.5 million a month just to fake us into thinking an email is indeed originating from your payroll provider, bank, Facebook page, insurance claim form, etc. With so much click-bait available, how is this ever-more distracted workforce to know good from bad?
- IT to the rescue (?)
For many organizations, the challenge of phishing is “solved” by having users forward suspicious email to the internal security team. And why not? These are trained professionals whose entire raison d’être is to protect the organization from everything – only if they had the time. Or experience. Or proper tools. Or money. Suffice to say, there is a reason many users chose NOT to send suspicious email to their security team.
- Not enough Information Security pros
As larger companies compete for top IT talent, it puts tremendous pressure on municipalities in hiring and retaining top expert staff. In the aforementioned Wall Street Journal article, one insurance executive who is helping write new municipal cyber security insurance policies stated: “There aren’t enough of these men and women around for the Fortune 500, much less for all the towns and cities and states that need these talents.”
So now what?
Whether you work in a city service department or are the CISO of New York City, there are things you can do to improve your security readiness for today’s advanced email-borne threats.
1) Don’t assume that your email security gateway is all you need. The fundamental technology for these gateways is vital, but decades old. While they repel many threats and spam invasions, they are challenged to block targeted, socially engineered attacks like spear phishing. And that goes double for anyone considering that Microsoft Office365 security is good enough.
2) Don’t assume that your IT staff and employees can just fend it off on their own. Your IT staff does a lot of things. While they may know a lot about email threats, they are usually not email security experts, nor do they have the time to review all the suspect emails that come into your employees. And no matter how much you may train your government workers about the dangers of email threats, it isn’t enough (see above section on tasty clickable).
3) Consider that these new threats require a new approach. Not only a modern email security gateway that filters emails predelivery before user’s inboxes, but a new layer of security that protects users postdelivery of email into their inbox. And, lest we forget, the all-important email incident response for when malicious email is detected in the inbox. There are now solutions that combine the best of machine learning with expert human analysis to help stop, block and remediate advanced phishing attacks, taking the burden off your employees and IT department.
You can consider it a bipartisan vote for a more secure email future.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.