Don’t Get Hacked - Cybersecurity Basics
May 24, 2017
You don’t have to be an information technology (IT) professional to be a soldier in the cybersecurity war. Whether you’re an elected official, manager, or staff in a public agency, securing the information stored in your agency’s computers starts right in front of you at your desktop, laptop, tablet, or smartphone.
As the recent WannaCry global ransomware attack demonstrated, the risks are ever-present and can come through phishing attacks or a simple ‘worm’ that finds a vulnerability in a computer’s operating system. One local government official told me that, even after receiving phishing training, 25% of his staff still clicked on a simulated phishing email sent later as a test.
Don’t be lulled into thinking that hackers are only trying to invade the digital territory of big businesses or big governments. According to John Miller, a Senior Consultant with Sophicity and the author of an article for the Georgia Municipal Association, the reality is that hackers seek easy targets, just like a burglar who looks first for the unlocked door.
And they think you’re easy.
So, what can you do to erect an effective first line of defense at your worksite? Here are a few basic steps you can take with little or no investment.
Password maintenance. Make sure everyone uses a strong password and changes it on a regular basis.
Use updated software. Install software updates as soon as they come out, especially those containing security patches. Research indicates that most malware infections come through unpatched software and that between 11 and 13% of users are using outdated versions of software. Up to 6% are using software that is no longer even being supported with updates and security patches at all. This past March, Microsoft issued an update for Windows that protected operating systems against the WannaCry worm. Predictably, many of those businesses and organizations hardest hit by WannaCry had not installed this update.
Guard against theft. Take steps to protect your equipment and data from good, old-fashioned physical theft, especially mobile devices, tablets, and laptops.
Learn to spot phishing scams. Make sure you and your staff get regular training about phishing and spear phishing scams. “Think before you click.” One click on an enticing offer or fake message is all it takes to open the door for a malware download. A CSO article revealed 93% of all phishing emails contain ransomware. With more than 100 different ransomware strains in existence, security software coders, and consequently antivirus software, can’t always keep up.
Separate public from private. If you offer public Wi-Fi in your building or in a “break room” with an internet-only PC for staff, set it up completely separately from your office system. After all, locked doors and secured file cabinets are a feature of worksites everywhere. Set up your digital data in the same way: with varying levels of password-protected access and encryption to protect your most sensitive data.
Here are a few more steps beyond the basics to consider.
Encrypt your data. Free, easy software exists for encryption. It’s even more important to encrypt data before using cloud computing services since documents can be more vulnerable to hacking if they are stored on the cloud.
Back up your data regularly. If you are subjected to a ransomware attack you’ll have a much easier job of recovery.
Learn how to perform “remote wipes.” You can strip sensitive data remotely from lost or stolen mobile devices (smartphones, tablets, and laptops) before this information falls into the wrong hands.
Try security awareness staff training. An informal poll of city and county managers statewide found that many invest in regular, security-awareness staff training through companies such as KnowBe4, while others found useful training material free online.
Consider contracting for IT. If you can’t afford “in house” IT staff, contract for independent monitoring and maintenance to make sure you have a dedicated party looking for any indication of internal or external attacks. Unusual, repeated log-in attempts, abnormally high data usage, or unidentified users accessing data may indicate possible security risks.
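One way to turn that last sentence into a concrete check, as an added example that is not from the original post: the script below scans constructed sample log-in records (an assumed, simplified format, not any product's) and flags any user/source pair with five or more failed log-ins inside a five-minute window.

```python
# Added example, not part of the original MRSC post: flag "unusual, repeated
# log-in attempts" in constructed sample log lines. The log format and the
# thresholds are assumptions for illustration, not any product's defaults.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not real data).
SAMPLE_LOG = """\
2017-05-24 08:01:12 user=clerk src=10.0.0.5 result=SUCCESS
2017-05-24 08:02:40 user=admin src=203.0.113.9 result=FAIL
2017-05-24 08:02:45 user=admin src=203.0.113.9 result=FAIL
2017-05-24 08:02:51 user=admin src=203.0.113.9 result=FAIL
2017-05-24 08:02:58 user=admin src=203.0.113.9 result=FAIL
2017-05-24 08:03:02 user=admin src=203.0.113.9 result=FAIL
2017-05-24 08:15:30 user=finance src=10.0.0.7 result=FAIL
2017-05-24 09:40:00 user=finance src=10.0.0.7 result=SUCCESS
"""

def parse_line(line):
    """Turn one log line into (timestamp, user, src, result)."""
    date, time, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, kv["user"], kv["src"], kv["result"]

def find_repeated_failures(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {(user, src): count} for every user/source pair that has at
    least `threshold` failed log-ins inside some sliding `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = parse_line(line)
        if result == "FAIL":
            failures[(user, src)].append(ts)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts

if __name__ == "__main__":
    for (user, src), n in find_repeated_failures(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed log-ins for {user} from {src} within 5 min")
```

A single failure from the finance account is not reported; only the burst against the admin account crosses the threshold, which is the kind of pattern a monitoring contractor would be expected to notice.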
Network with others. Consider partnering with nearby public entities for assistance or to share expertise.
Review your insurance coverage. For example, members of the Washington Cities Insurance Authority can get 50% off the cost of a subscription to one of the leading cybersecurity training firms.
The International City/County Management Association (ICMA) Knowledge Network includes a page on cybersecurity with a number of links to helpful articles, information, and resources.
You can make your local government more resistant to attack if you make these simple steps part of your routine. Next week, Mike Kaser, the Information Services Director for the City of Mercer Island, will share his tips on cybersecurity measures for local governments.
Let us know how your jurisdiction takes steps to counter cybersecurity threats. Comment below or email me firstname.lastname@example.org.
MRSC is a private nonprofit organization serving local governments in Washington State. Eligible government agencies in Washington State may use our free, one-on-one Ask MRSC service to get answers to legal, policy, or financial questions.