Cyber threats and how to protect your municipality

Often, when we hear about securing online systems against cyber-attacks the first thought is to invest time and energy into cyber security software. While this is important, and should not be downplayed, did you know that software alone will only defend against a small percentage of cyber-attacks.

The easiest way for someone to breach your security infrastructure is to employ the unsuspecting assistance of your users.

According to PhishMe’s 2017 Enterprise Phishing Resiliency and Defense Report, 91% of all cyber-attacks are a result of people who fall prey to Phishing Attacks. Of the remaining 9% of cyber-attacks, more than 75% are the result of other forms of “human failure” to secure information.

Phishing is an attack that begins with a very targeted email sent to your staff (and perhaps yourself), that often impersonates a service provider, colleague, family member or friend and entices you to click on a link or open a document. This action may include a request for private information that provides the perpetrator the means to launch a secondary cyber-attack or it may launch an attack directly through the download of malicious software. Attacks can be in the form of spyware, malware, and increasingly ransomware and data theft.

Wombats Security’s – State of the Phish 2018 report suggests that phishing attack frequency from 2016 to 2017 increased by 48%; phishing is on the rise because it continues to work. Hackers have quickly learned that it requires less energy to trick users into giving them access than it does to circumnavigate the sophisticated security systems deployed today.

6 simple steps that a municipality can do to protect themselves

Here are a few steps a municipality can take to minimize its chances of security breaches and cyber attacks.

  1. Stay Informed and educate your team

Much of the battle against phishing and spear phishing (personalized phishing) attacks is getting users to understanding what this type of attack looks like, so they are less likely to be duped. Phishing relies on basic human conditions:

  1. information overload and shortcuts our brains take to process the information,
  2. a desire to help those we care for and trust of information that (seems to) come from them,
  3. curiosity for new information.

These traits are well known to attackers and are exploited in order to get victims to click on a link or open a document. Emails look like they’re from legitimate sources: Microsoft 365, Google, Dropbox, PayPal, Adobe account, LinkedIn, credit card company and many more.

There is a great info graphic called don’t get hooked: how to recognize and avoid phishing attacks from the Digital Guardian. Print it out and post it for all to see.

  1. Keep your software up to date

Malware is being created all the time and is designed to take advantage of newly discovered vulnerabilities in our general use software. Vendors are quick to update their software, but you must update your version in order to be secure. You should regularly, or ideally automatically, update your software:

  1. Browsers (Chrome, Safari, Firefox, etc)
  2. Operating Systems (Windows, MacOS)
  3. Office Software (Outlook, Word, Adobe)
  1. Call before you click

Any email from a bank or colleague can usually be responded to directly, rather than via a reply or by clicking on a link. If there is ever any doubt, call your bank on the phone (using published numbers, not one in the email), or log directly into their website directly – not from the link in the email. By not taking the shortcut, fraudulent links can be avoided.

  1. Install anti-virus software and activate the Anti-Phishing toolbar if available

Antivirus software is designed to guard against known vulnerabilities. Even though today’s operating systems are more secure than ever, security tools look for malicious content in real time and provide an extra layer of scrutiny. And make sure you keep it updated as well.

Internet browsers can also be extended with anti-phishing toolbars. Such toolbars run quick checks on any site you visit and compare it a to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and there are many that are completely free.

  1. Implement Secure Password Policies

As hard as it is to believe, the 10 most common passwords in 2017 were:

  • 123456, 123456789, qwerty, 12345678, 111111, 1234567890, 1234567, password123, 123123, 987654321

It won’t take a hacker long to break these codes.

Equally important though – do not use the same password for everything: If you do, and someone gets access to one system, they can often get access to them all. If you struggle to remember passwords (who doesn’t) there are many excellent tools that can assist:

These programs store an encrypted version of your passwords on your computer and conveniently provide them when you need them. This means remembering only one password.

  1. Beware the Unknown Storage Devices

It is possible the free USB drive that is received from a tradeshow, or the one you found in the parking lot has a virus on it. Sites that sell marketing USB drives unwittingly provide ones that have viruses installed from the source in China, Russia, India, Korea and other countries (yes including the UK, US and Canada). These were likely never checked by the company who put their information on the drive to give to you.

If a data storage device is not bought by your company or municipality from a reputable source then it should not be allowed on one of your computers, ever!

These are only a few ideas to help better protect your organization from cyber-attacks. The common element in each remains the same; people and their behavior represent the greatest risk but also provide the best defense against cyber-attacks. Any user can open the door to intruders, so ensuring everyone understands the risk and remains vigilant is critical. Investment in the human factor will pay off quickly and be more cost effective than any other action.