No good deed goes unpunished: How phishing exploits gov workers
Peter-verreussel/Getty Images
Phishing attacks target employees’ natural curiosity and their commitment to public service, experts say.
The causes of common cyberattacks may no longer be a mystery to state and local governments, but the ability to stymie them remains a challenge.
According to Verizon’s 2022 Data Breach Investigations Report, the public sector experienced the second most attacks following the entertainment industry, and more than 80% of breaches involved the “human element,” including phishing, use of stolen credentials or user error.
“Hackers prey upon the customer service aspect of county employees,” Rita Reynolds, Chief Information Officer for the National Association of Counties, said in an email. When an email comes in from what seems to be their boss, a vendor or even a resident, government staff members may want to answer the sender as soon as possible.
“That desire to be prompt and successful in filling the request can oftentimes result in a county employee maybe not paying closer attention to the authenticity of the email,” she said.
Plain curiosity is another culprit, said Arun Vishwanath, chief technology officer of the cybersecurity research and advisory firm Avant Research Group.
Even if an organization deactivates links sent through email to prevent users from clicking on them, it is likely employees will copy and paste the URL into their browser anyway “because the primary reason for email is sharing data, files [and] links,” Vishwanath said. For instance, just scheduling an interview with GCN required sharing a video call link.
“If I couldn’t click on the link, I would figure out a way to do it,” Vishwanath said. That means agencies must first understand why their staff overlook anti-phishing awareness campaigns or training exercises before they can establish a lasting solution.
Other anti-phishing techniques, such as email banners that warn users of suspicious content or contacts, are commonplace across government, Reynolds said. Agencies can also install commercial cybersecurity tools and follow recommendations of the Cybersecurity and Infrastructure Security Agency, she said.
For instance, CISA advises organizations to use phishing-resistant multifactor authentication, which goes beyond security measures such as one-time passwords and uses FIDO/WebAuthn authentication or PKI-based MFA, to close the gaps that bad actors could squeeze through.
State and local agencies are a desirable target for bad actors because of the sensitive information they harbor, ranging from data on social services to elections, Meredith Ward, the the National Association of State Chief Information Officers’ director of policy and research, said in an email, but public employees are no more susceptible to cyberattacks than anyone else.
Even organizations that pour thousands, even millions, of dollars into their cybersecurity budgets are not immune to cyberthreats. The 2020 cyberattack on SolarWinds’ Orion IT management software left IT systems—including those at U.S. government agencies and major corporations such as Microsoft—vulnerable.
“The reality is that there is no one protection tool or technology that can prevent or respond to every cyberattack,” Ward said. “The human factor plays a large part in this discussion, and human awareness is but one tool states have to thwart cyberattacks.”
NEXT STORY: Counties to field red team pen testers