Dan Lohrmann, CSO & Chief Strategist, Security Mentor.
Public and private sector organizations share many similarities regarding technology and cybersecurity. However, public sector organizations face unique challenges, requirements, and constraints related to cybersecurity and the threats that government entities confront. In this blog, we explore six of these areas:
- Government Benefits Fraud
- Ransomware and Government
- Government Budgets for Cyber Security
- Security Awareness Training Challenges for the Public Sector
- Recruiting and Retaining Cyber Talent
- Supporting Custom Applications and Legacy Systems
Government Benefits Fraud
Government benefits fraud is fraud conducted against any type of government-provided benefit such as unemployment, Social Security, disability or Medicare. Such crimes are perpetrated by individuals, groups or entities applying for benefits to which they are not entitled. Two common types of benefit fraud are: individuals filing as themselves but providing fraudulent information to gain unwarranted benefits, and fraud conducted by those who file using stolen credentials to steal another person’s benefits. In this blog, the focus is on the latter type of cybercrime, where cyber criminals target government benefits.
During the global Covid-19 pandemic, unemployment benefits fraud exploded, as we discussed in our blog on unemployment fraud. With the American Rescue Plan Act signed into law on March 11, 2021, additional stimulus benefits became available, including extensions of unemployment benefits payments. Trillions of U.S. dollars are now flowing through multiple channels to fight the Covid-19 pandemic, strengthen schools, pay for vaccines and help the economy. This flood of benefits has attracted the attention of cyber criminals around the world as an easy way to make money.
Fraudsters use a variety of methods to acquire the Personally Identifiable Information (PII) they need to commit government benefits fraud. They phish individuals directly using email, SMS, telephone, websites, and social media. They also hack online databases to steal identities en masse, and purchase identities on the Dark Web.
While digital transformation has both expedited government processes and made them more widely available and remotely accessible, unfortunately many governments have failed to institute sufficient controls to prevent fraudulent transactions. The Internet itself also has enabled the explosion of fraud by making it easier for criminals to impersonate others online.
One of the best ways for governments to thwart benefit fraud is by teaching citizens what benefits fraud is, how cyber criminals target them, how to avoid scams and attacks, and how to recognize when they have been victimized and what to do about it.
Ransomware and Government
The second area where cyberattacks hit public sector organizations differently than the private sector is ransomware attacks. While both for-profit and public-sector organizations that are struck by ransomware typically experience loss of revenue and reputation, the impact for cities, counties, states and other governments can also include serious, even dangerous, disruption of essential government services. For example, the Baltimore ransomware attack shut down numerous city functions including public hearings and city support telephone lines. Other governments hit by ransomware have been crippled by impacts to critical city services, taxes, prisoner support in jails and fee collections, and have even seen harm to public safety efforts.
In addition, governments often fail to implement the needed protections against ransomware. The reasons for this vary, but can include a lack of required resources (both financial and staffing), old legacy equipment, a security culture that does not value the right skills, and other factors. Further complicating matters, when struck by ransomware, government entities may face laws that prevent them from paying ransoms to get their data decrypted.
This catch-22 situation can make the resolution of issues even more difficult. What is clear is that ransomware is a growing problem for government organizations – especially during the pandemic. Ransomware attackers often gain unauthorized access to sensitive government assets through the theft of logon passwords or other authorization credentials. In one common attack scenario, the attacker phishes an employee, installs malware on that employee's computer, and from there is able to penetrate further into the entire network, ultimately resulting in the encryption of sensitive assets and a demand for a ransom to be paid.
Important actions for public sector entities, as well as all organizations, to take to prevent ransomware are: 1) put strong security protections in place, 2) perform regular backups and test them, including backups that are stored off-line or are immutable, and 3) train employees not to fall for phishing attacks, which have become one of the predominant ways to infect organizations with ransomware.
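Step 2 above, "perform regular backups and test them", is where many organizations stop at "we have backups" without ever confirming the copies are intact. The following is an added example (not code from the original post or from Security Mentor) of one small piece of a backup test: a manifest of SHA-256 hashes is recorded when the backup is taken, and a later check reports files that are missing, altered or unexpected, which is what a ransomware-encrypted or deleted backup set would look like. The directory layout, file names and contents are constructed for the demonstration; the `demo()` function tampers with its own temporary copy to show the failing case.

```python
"""Backup integrity check: record a hash manifest at backup time, verify it before relying on the copy."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every file's path (relative to the backup root, POSIX separators) to its SHA-256."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup tree with the manifest recorded when the backup was taken.

    Returns a report with three lists: files missing from the copy, files whose
    contents changed (e.g. encrypted in place), and files that were not part of
    the original backup (e.g. a dropped ransom note). ok is True only if all are empty.
    """
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    return {
        "ok": not (missing or modified or unexpected),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo() -> tuple:
    """Constructed scenario: back up two files, then simulate damage to the copy and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "records.sql").write_bytes(b"CREATE TABLE permits (id INTEGER);\n")
        (root / "config.ini").write_bytes(b"[server]\nport=8080\n")

        manifest = build_manifest(root)          # taken at backup time, stored elsewhere
        clean_report = verify_backup(root, manifest)

        # Simulated damage to the copy (constructed, not a real incident):
        (root / "config.ini").write_bytes(b"<encrypted blob>")   # altered in place
        (root / "db" / "records.sql").unlink()                    # deleted
        (root / "README.txt").write_bytes(b"<note left by intruder>")  # unexpected file

        tampered_report = verify_backup(root, manifest)
        return clean_report, tampered_report


if __name__ == "__main__":
    before, after = demo()
    print("clean copy verified:", before["ok"])
    print("damaged copy report:", after)
```

The manifest is only as trustworthy as where it is kept: store it with the off-line or immutable copy the post recommends (or sign it), not on the same on-line share as the data, since an attacker who can encrypt the backup can just as easily rewrite a manifest sitting beside it. A hash check also says nothing about whether the copy restores cleanly, so pair it with a periodic restore to a scratch environment.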
Government Budgets for Cyber Security
Another unique difference with cybersecurity in government revolves around adequate funding for cybersecurity and technology solutions. The National Association of Chief Information Officers (NASCIO) puts out a bi-annual survey of state CISO issues, and ensuring adequate cyber resources has been a top issue for the past decade.
These budget difficulties are evident in that most states spend (on average) 1-2% of IT budgets on cybersecurity, while many financial institutions spend over 14% on cybersecurity.
Compounding this issue is the challenge of getting additional funding. Security teams often need to go through a complex legislative appropriations process that is bound by fiscal years and is very different from private sector budgeting processes. The complexity of getting appropriations for emergency situations can make traversing the government bureaucracy difficult – even for experienced public sector leaders.
Security Awareness Training Challenges for the Public Sector
The wide range and number of government jobs, and the employees filling them, present governments with the challenge of training a very diverse staff, much more so than most private sector organizations. Employees come from all education and skill levels, ages and backgrounds, requiring training that is designed to appeal to a wide audience, is still effective for each individual, and is written in a way that is easy to understand. Security awareness training must also address the broad cybersecurity threats that public sector organizations face. Meeting all these requirements is no small feat for a security awareness training program. However, by preparing for these challenges from the beginning, organizations can be sure that these essential criteria are met.
Another challenge for the public sector is that with so many important projects on their agenda, governments sometimes take a “check the box” mentality regarding security awareness training. Security leaders focus on ensuring compliance with specific mandates like payment card industry (PCI) or criminal justice, and take a very narrow approach in their other required training, leaving unchecked the broad range of cyber threats that government employees face.
The procurement process can also be an impediment for public sector purchasing. Sometimes it is so difficult and tedious that entities may choose to stick with the same training year after year – even if it is boring and ineffective – or could even be considered “death by PowerPoint.” The result of this approach is that employees tune out. Thus, a key criterion for security awareness training programs should be to put in place an effective program that engages employees. The additional time needed in the procurement process will be time well spent.
Finally, budgets for security awareness training are often limited, resulting in public sector organizations selecting the least expensive alternative. Often overlooked is the reality that the most expensive part of training is staff’s time, far exceeding the actual cost of the training purchase. Furthermore, low-cost trainings usually are of lower quality, leaving employees poorly prepared to face the onslaught of cybersecurity threats. To avoid budget shortfalls, public sector organizations should plan carefully – preparing a detailed analysis of cybersecurity weaknesses, and then developing a well-documented and substantiated plan outlining the importance, needs and desired outcomes of a security awareness training program. Such planning can help direct much needed resources to security awareness training programs.
Recruiting and Retaining Cyber Talent
The Wall Street Journal (WSJ) described the large pay gap between public and private sector cybersecurity talent. Even when government cyber experts are provided excellent training, many eventually leave for higher pay and benefits in the private sector.
Attracting and retaining professionals with credible cybersecurity experience into government positions has never been harder than it is right now. Constraints such as compensation packages make it hard to compete in our current “talent war.” Further complicating this problem are government employees eligible for retirement. A public-sector “brain drain” is still predicted when senior staff reach their organization’s minimum retirement age with full benefits.
What can be done? Here are three strategies to consider in the public sector:
- Retrain staff from other parts of government. Offer cross-training and technology transfer programs from the business side of government. Since cybersecurity roles often pay more, agency staff from other parts of the tech organization and/or business areas are often keen to make the jump to security roles. These pros know how government runs, so they bring added value to the security team. Also, consider programs like Hiring Our Heroes to bring military veterans into the workforce. These veterans often bring hands-on experience from the front lines of cyber warfare around the world.
- Grow your own team. There is a strong case to be made for starting one’s career in government IT, since public-sector positions often offer a wider breadth of opportunities and challenges than initial private-sector roles. Make a concerted effort to recruit and engage young people starting in high school and early college. Get involved with cybersecurity competitions to find the right students.
- Ensure vendor management excellence. Enlarge your vision and make sure the best private-sector cyber pros are working on your contracts – both at the beginning of projects and throughout your program lifecycle. Attract and maintain the best contract oversight staff who understand procurement and keep the top vendor talent working on your projects.
Supporting Custom Applications and Legacy Systems
Many government organizations are using old computer hardware and operating systems, legacy applications that are running decades-old software, and/or networks that need to be upgraded. These systems can be difficult to secure and keep updated, especially when the vendor no longer provides support and when there is a shortage of professionals who have the training and knowledge to perform the needed system administration duties.
Governments on tight budgets struggle to ensure that security vulnerabilities on these systems are addressed, that data is encrypted at rest and in transit, that backups are consistently taken and tested, and that other essential technology functions are consistently performed. To add to the troubles, many governments are challenged to upgrade their identity management, data center processes and procedures, or to move data to cloud hosting – due to their legacy environment.
One solution for these challenges is to ensure proper cross-training – especially on system administration and security duties. While upgrading these systems can often cost millions of dollars and be cost-prohibitive for governments, building a legacy modernization plan is essential to ultimately build a secure, 21st century technology architecture. Role-based cybersecurity training is an important piece of this effort.
History has shown us that governments face a myriad of difficult technology and security challenges that are unique and difficult to address – and these challenges continue to accelerate on a global basis.
Security Mentor can help. We bring more than a decade of experience with helping public sector organizations navigate the cybersecurity landscape and have a strong customer base in federal, state, and local government, as well as P-20 education sectors. We can assist public sector organizations in providing truly effective security awareness training and ensuring both that staff are well trained and that the security culture is in place to navigate the cyberattacks that governments defend daily.
Consider these additional tips to improve your organization’s security culture. Finally, offer your staff end user security awareness training that is fun and engaging. While these strategies won’t solve every security problem listed, they will strengthen your team and provide the base understanding and knowledge that all staff and contractors need.
Thomas Jefferson once said: “The excellence of every government is its adaptation to the state of those to be governed by it.” Let’s ensure that public sector staff are trained with excellence in mind.