October is National Cybersecurity Awareness month so we at Public Trust Advisors, LLC (Public Trust) are pleased to present you with our 2019 update on cybersecurity for the public sector. In this report, we provide a brief background on safety and crimes such as hacking, examine cybercrimes in 2019, detail the Public Trust security framework, and end with a few of our best tips to enhance security within your organization.
The Cost of Cybercrime
You don’t have to be an information technology professional to know that hacking and cybercrime have been an enormous threat to both the private and public sectors over the past decade. For many public sector organizations, keeping up with rapidly evolving technology, staying informed of new and advanced cybercrimes, and budgeting for the costs associated with cybersecurity are increasingly difficult tasks. Worse yet, public sector organizations often have a lot to lose – most notably the money and trust of taxpayers and constituents, not to mention headline risk.
Cybercrime takes a few consistent forms. The most common are phishing attacks, malware, ransomware, credential theft, identity theft, and credit/debit card fraud.
Phishing attempts target your personal information through email by pretending to be a trusted individual, company, or website. These can appear very realistic, with only a single letter or number changed in an email address or URL.
Malware is malicious software designed to gain unauthorized access to a computer or system in order to disrupt and damage your files and systems.
Ransomware is a type of malware that requires you to pay a ransom before potentially regaining control of your files, computers, or systems.
Credential theft is most often aimed at organizations rather than individuals; hackers use phishing, malware, and other techniques to gain access to the user names and passwords of large numbers of employees and/or customers.
Identity theft can have serious long-term negative effects on your life, as hackers can use your information to take out loans or open credit cards and make purchases in your name.
Credit/debit card fraud can happen in several ways including entering your card number into a fraudulent website or using an unsecured public Wi-Fi network.
With all of these cybercrimes, hackers are trying to gather information about you, your organization, or your clients. Hackers target humans because they are more likely to make an error or fall for a realistic or emotionally appealing scam. Arming and training your staff to spot phishing, malware, and other fraudulent attempts to gain information is imperative.
Significant Data Breaches (Records Accessed)
The unfortunate truth is that cybercrime is on the rise and the impacts are more costly than ever. According to the 2019 Accenture Annual Cost of Cybercrime Study, the average number of reported cybersecurity breaches increased from 130 to 145 from 2017 to 2018, an increase of 11%. However, over the last five years, the average number of security breaches increased by an alarming 67%. And not only has the sheer number of cybersecurity attacks increased, but the cost of cybercrime is also on the rise. The average cost of cybercrime for a single company in 2018 was $13 million, an increase of 12% over 2017 and a 72% increase over the last five years.
Old Hacks, New Targets
While hackers and cybercrime have been present since the inception of the Internet, the number of cyberattacks focused on local governments and public sector organizations has been steadily increasing. According to CNN, “140 attacks targeting public state and local governments and health care providers have been reported” so far in 2019 (Kim, 2019). This represents a 65% increase in attacks over 2018, which had a total of 85 reported attacks on public entities for the entire year. The cost of cybercrime to the public sector is also increasing. From 2017 to 2018, the cost increased by 83%, with the average cost per crime reaching almost $8 million (Accenture, 2019). The cost of cybercrime includes far more than the ransom demand itself: emergency contracts and services, enhanced infrastructure, network monitoring, and extra insurance.
When hackers target cities, schools, hospitals, police departments, and local governments, day-to-day activities are disrupted and the costs to restore services can be astronomical. Earlier this month, a network of Alabama hospitals had to stop accepting new patients and had to send existing patients to other locations because of one ransomware attack (Kim, 2019). When the city of Baltimore was hit with a ransomware attack earlier this year, hackers infected the majority of Baltimore’s government computer systems and demanded $76,000 in bitcoin in exchange for restored access. The Mayor of Baltimore opted not to pay and instead had to “transfer $6 million from a fund for parks and public facilities to pay for the devastating impact of the May ransomware attack on the city” (Broadwater, 2019).
Recent headlines are a scary reminder that local governments and public entities are not exempt from hacking, malware, and ransomware attacks. Examples from the past few months include: “Hit by Ransomware Attack, Florida City Agrees to Pay Hackers $600,000”; “Second Florida City Pays Giant Ransom to Ransomware Gang in a Week”; and “Hackers get $4.2 Million from Oklahoma Pension Fund for Retired Troopers, State Agents.” But for every chilling headline and report of cybercrime, the Federal Bureau of Investigation notes that “most ransomware cases in the U.S. aren’t publicly reported and victimized companies are particularly eager to avoid the negative publicity” (Calvert, 2019).
Our Security Framework: The Public Trust Approach
Cybercrime and hacking attempts become more sophisticated every year, adapting their targets, techniques, and impacts. In the past few years, hackers have adjusted their methods to better target the “human layer – the weakest link in cyber defense – through increased ransomware and phishing” (Accenture, 2019). Training employees to approach all aspects of their job with security in mind is generally underprioritized in organizations, but at Public Trust we strive to make our employees one of our strongest defenses against cybercrime. Employee training, education, and skill reinforcement via testing are imperative to our cybersecurity efforts.
We strive to provide our clients with robust protection against cybercrime, so we view cybersecurity as a multifaceted effort, approached from multiple directions. While our IT team is continually developing and improving security measures and providing ongoing training for all staff members, our Client Service team utilizes dual signatory forms and two-factor authentication for web access. Below are a few of our top cybersecurity protections:
Firewalls – multiple firewalls block any unnecessary traffic from entering our network environment, preventing unauthorized access to our systems;
Antivirus and Anti-Ransomware – specifically designed to protect and remove known viruses and malware while identifying ransomware and exploits;
Experts – members of the IT team have received special certifications and training including Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), VMware Certified Professional, Microsoft Certified Solutions Expert, and more;
File Server Auditing – identifies abnormalities related to our files. If there is any unusual activity in our files, we will be promptly notified;
External Email Disclaimer – helps identify all emails received from outside sources to help employees identify emails where they should be more cautious;
Local and Off-Site Backups – data is backed up in more than one location, locally and off-site;
Advanced Threat Protection – protects against sophisticated threats such as phishing and zero-day malware and automatically investigates and remediates attacks.
From an operational security standpoint, we have implemented multiple security controls protecting both our online and in-person processes. Our online transaction system uses multifactor authentication to make it extremely difficult for non-authorized persons to gain access to your account; your username, password, computer, and geographic location are all considered as you log in. On top of that, our transaction system masks bank account information and runs in a “safe zone” that is not Internet-facing to store data in a secure environment. Our transaction system allows for appropriate internal checks and balances for your organization, as well. While some signatories can be authorized to make transactions, others can be designated as view-only, and you will be able to check and verify your own work, eliminating periodic processing errors.
While the majority of this report has focused on the online components of cybersecurity, we have also taken our anti-fraud practices offline with dual signatory forms, established authorized signers with the ability to make account changes, established banks on file, external auditing, and complete audit trails. By completing an annual Statement on Standards for Attestation Engagements (SSAE 18) SOC 1 Type II audit, we go one step further to ensure we are providing our clients with highly trusted administration services, operational transparency, and a commitment to a high standard of internal controls.
What You Can Do For Your Organization and Yourself
Over the next five years, the value at risk globally from direct and indirect cyberattacks is predicted to exceed $5 trillion. While this is a daunting number and no organization is ever completely safe, there are certain security measures that should be considered.
The easiest and most cost-effective way to increase your cybersecurity efforts is to focus on and provide training to your employees. We recommend Wombat and KnowBe4 as two great services that provide on-going training and assessments for staff on a variety of cybersecurity topics. Services like these also allow you to send out simulated phishing campaigns and can serve as a teachable moment to those who fall for the scam. Where possible, equip your staff with two-factor authentication to better protect information and add a disclaimer for external emails to alert your staff to pay extra attention to the validity of the email. For more information on fraud prevention at the employee level, check out our blog “Five Ways to Protect Your Organization from Fraud.”
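As an added illustration (not code from the original report or from Public Trust), the following Python script shows how a mail gateway can apply two of the controls described here: an external-email disclaimer on every message from outside the organization, and a warning when the sender’s domain differs from a trusted domain by a single character, the phishing pattern noted earlier. The trusted domains and sample messages are constructed placeholders.

```python
import re

TRUSTED_DOMAINS = {"publictrust.example", "examplecounty.gov"}  # constructed placeholder domains the organization treats as its own

def edit_distance(a, b):
    """Levenshtein distance: count of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Pull the domain out of a From: header such as 'Name <user@domain>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    return match.group(1).lower() if match else ""

def classify_sender(from_header):
    """Return (kind, trusted_domain); kind is 'internal', 'lookalike' or 'external'."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return "internal", domain
    for trusted in sorted(TRUSTED_DOMAINS):
        # One changed, added or dropped character is the lookalike pattern the report warns about.
        if edit_distance(domain, trusted) == 1:
            return "lookalike", trusted
    return "external", None

def tag_subject(from_header, subject):
    """Prefix the subject line the way an external-email disclaimer rule would."""
    kind, trusted = classify_sender(from_header)
    if kind == "internal":
        return subject
    if kind == "lookalike":
        return f"[WARNING: sender domain resembles {trusted}] {subject}"
    return f"[EXTERNAL] {subject}"

# Constructed sample messages: a genuine internal sender, a lookalike ('l' swapped for '1') and a vendor.
SAMPLE_MESSAGES = [
    ("Accounts Payable <ap@publictrust.example>", "Wire instructions"),
    ("Accounts Payable <ap@pub1ictrust.example>", "Wire instructions"),
    ("Vendor Billing <billing@vendor-example.net>", "Invoice 4471"),
]

def scan_messages(messages):
    """Classify and tag each (from_header, subject) pair; returns a list of (kind, tagged_subject)."""
    return [(classify_sender(f)[0], tag_subject(f, s)) for f, s in messages]
```

Running scan_messages(SAMPLE_MESSAGES) leaves the internal subject untouched, flags the second message as a lookalike of publictrust.example, and tags the vendor message as external.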
Along with staff training, we recommend that your organization follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is built around five essential functions: identify, protect, detect, respond, and recover. This framework helps organizations focus their efforts on the protection and recovery of sensitive information via a data-centric approach to security. The recovery function is often overlooked, but proper data recovery can be the difference between hours, days, or weeks of disruption for organizations dealing with hacked systems. Make sure you are backing up your data both locally and off-site as frequently as possible. Having off-site backups of your data can dramatically reduce both downtime and data loss.
Use technology to reduce the rising costs associated with cybercrime wherever possible. Comprehensive antivirus and anti-ransomware software, web browsing controls, and cloud services can increase your organization’s ability to detect and deter fraud before incurring the heavy costs of response and recovery. Between cybersecurity-savvy staff members, the NIST framework, and technology, your local government will be better prepared for cybercrime in the year ahead.
Six Big Takeaways:
The average annual cost of cybercrime for a single organization exceeds $10 million and is increasing every year. This cost includes ransomware payments, cybersecurity insurance, enhanced infrastructure, network monitoring, and more.
Hackers are using more sophisticated and advanced techniques to try and gather information about you, your organization, and your clients.
Back up your data as frequently as possible and in more than one location. We recommend backing up locally and off-site as often as daily.
Use technology to your advantage wherever possible. This includes two-factor authentication, password protection software, external email disclaimers, web browsing controls, and more.
Make your staff your first line of defense against phishing and other hacking attempts. Provide regular and ongoing training that includes simulated phishing campaigns.
The value at risk globally from direct and indirect cyberattacks is predicted to exceed $5 trillion. Being prepared before an attack can be a million-dollar difference for your organization!