What Are the Biggest Security Threats to State and Local Governments?

October 28, 2017 by Aroosa Ashraf

Cybercrime is on the increase more than ever before, and cybercriminals are becoming more notorious each day. It seems that local and state governments have become the main targets for cyberattacks. The reason is obvious: these tiers of government hold large amounts of vital and highly classified data and information. So, for different motives, individuals or organizations sponsor cyberattacks on both state and local governments in order to lay hold of this data and information. At times, these attacks aim to manipulate governmental statistics or to shut down a functional aspect of the government.

Cybersecurity threats to state and local government can come in various ways. The biggest forms of security threat to these tiers of government are hacktivism and ransomware.

Hacktivism is a mixture of hacking and activism for a political and social cause. Those who engage in it are sometimes not motivated by any financial benefit. For example, in 2016, hacktivists attacked the State of Michigan's main website because of the Flint water crisis. North Carolina's website has also been the target of cyberattacks by hacktivists.

Another big security threat to state and local government is ransomware. A recent report by Bitsighttech highlighted the fact that local and state governments have the second highest rate of ransomware attacks. The report added, "Ransomware attacks in this sector have more than tripled over the last 12 months." Perhaps what happened in Bingham County, Idaho, comes to mind. Another instance of a ransomware attack is the one that occurred in Licking County, Ohio, where the police department was targeted.

Cyberattacks are not limited to a particular place or environment. Governments in various parts of the world are continually under sophisticated attacks from rival nations, terrorist groups, etc. Therefore the need arises for security measures to be put in place to curb these criminal acts.

Why Do You Need Security Awareness Training in State and Local Government?

The importance of security awareness training in state and local government cannot be overemphasized. Just as awareness training in the health sector can help to improve the standard of living and avoid certain diseases, so security awareness in state and local government can prevent some errors.

One reason is that we live in a digital world, so most employees of the state government or local government make use of technology to perform their duties. Therefore, they need to be informed about the severe consequences that may arise from just one mistake.

In addition, it is obvious that data breaches and security incidents within state governments are on the rise, so a cultural change is needed. All state employees need to have a clear understanding that IT security is everybody’s job. They also need to have a good understanding of how to make use of the state’s IT resources in a manner that won’t create the risk of a security clash.

Security awareness training in state and local governments helps to reduce unpredictable costs. It costs money and resources to get back lost data and information. Sometimes, these criminals interfere with a state government’s IT network for a fee. If operating software is compromised, money is required to replace it. The best way to achieve a significant and lasting improvement in information security is by raising awareness and instructing everyone who interacts with computer information systems and networks in the essentials of information safety.

Furthermore, there is constant change in the threat landscape. The nature and type of security threats facing local and state governments evolve with time. More sophisticated techniques are used each day. Hackers devise new methods to break into the state's network. Security awareness training is therefore essential so that workers can recognize these tricks and learn ways to avoid them.

An awareness session can also help government employees to learn how to use the right technology in the proper way to ensure security of all platforms without affecting operations, especially while defending the organization against a wide variety of cyberdangers. By conducting training sessions where people come to learn together, everyone can be notified of the information security structure, so that they can tackle any issues collectively.

Also, having everyone trained on the SecurityIQ platform is another great way of protecting governments from cyberdangers. Using the SecurityIQ platform, every worker will be trained on how to identify a phishing email, and how to build his or her own phishing email using SecurityIQ PhishSim.

What Regulations, Policies, and Standards Need to Be Considered?

It is important to note that effective IT security policies form the backbone of any governmental security program, as they provide a framework and support for maintaining order, handling technologies, and accomplishing set organizational goals. They also assist in reducing threats and preventing security breaches and can assist state and local government employees in effectively managing risks.

Governmental organizations can set up policies and regulations that all employees must adhere to strictly to ensure smooth running of all departments. Some important tips to consider when setting up these policies include:

  1. All local government and state government employees must play a major role when designing a security policy, no matter what job function employees perform. They should be able to point out potential problems that may affect security.
  2. It is best to know what information needs to be protected. Excessive hours should not be spent trying to design a security policy to protect information that really does not require any protection at all.
  3. When the information to be protected is identified, it should be classified into different categories. For example, information for public viewing may require a little less protection. Information for private use should be adequately secured.
  4. Any information that is stored on wireless and handheld devices should be analyzed to make sure there are no threats to information safety. This ought to include permanent storage of information on memory cards, hard drives, etc. A trusted online backup source can be used to store important information. This would make retrieval of any lost data easier.
  5. The security rules also ought to include physical sites of servers and every other device used in handling confidential information. Which personnel have access to these locations? Should code entry to computer rooms be used or should other advanced security devices be implemented?
  6. There should be an implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This will help to safeguard all medical information of any government worker.

Cyberlaws and regulations are not created for fun. The purpose of cybersecurity regulation is to make local and state governments protect their systems and relevant information from malicious attacks, such as phishing, viruses, control system attacks, denial of service (DoS) attacks, Trojan horses, and unauthorized access (theft of intellectual property or confidential information).

An example of such a law is the New York cyberlaw act.

How Do You Set Up a Security Awareness Program in State and Local Governments?

Setting up a security awareness program in state and local government is not child's play. But, with proper preparation, such a program can become successful. Achieving a successful security awareness program involves dedication, zeal, and desire among members of this program. The following tips should be carefully considered if a security awareness program is to function effectively.

Create an Awareness Team

Creating a security awareness team is often the first step in the right direction. This team will be responsible for the development, delivery, and maintenance of the security awareness program. It is often best to staff this team with personnel from different areas of the organization, with differing responsibilities representing a cross-section of the organization. Having a team in place will help ensure the success of the security awareness program through assignment of responsibility for the program.

Make the Program Fun and Lively

Sometimes, games could be introduced into the program. Brief, intriguing, "sticky" content is the key. From time to time, staff should be reminded about important security policies. People ought to be enlightened about dangers like spear-phishing techniques or about new ways to assist their personal and professional lives online. Add competitions or other learning techniques that have been proven to be efficient. It has been proven that the livelier the program is, the more people will be interested in it.

Measure Success and Growth Rate of the Program

When the growth rate is measured, important decisions should be made to improve the quality and contents of the security awareness program. Ask questions such as: How many local government and state government employees actually complete the training? What did they like? Did they acquire any knowledge? Did their behaviors change? Are they still regularly participating in the program? Do not forget to request new ideas and suggestions for development. Encourage inventiveness. Provide mechanisms to obtain instantaneous data from staff. Of course, when this is done in a timely way, the position of the security awareness program is enhanced.

Government Security Awareness Resources

Many resources have been made available to enlighten workers and staff about security threats. These materials are easily accessible. With the availability of these resources, most staff and workers in local and state government are becoming aware of the antics used by cybercriminals. Some of these resources are:

Banners such as:

Government Resources

The federal, state, and local governments also provide information security awareness resources. The following resources are samples developed for government audiences that you may want to consult as you develop materials for your campus:

  • Defense Information Systems Agency (DISA) Information Assurance Support Environment (IASE) Cybersecurity Training Online.
  • FTC (Federal Trade Commission) Mass Publication Request Website (free large quantities of educational materials from FTC).
  • FTC (Federal Trade Commission) ID Theft Source Page.
  • NIST Special Publication 800-50: Building an Information Technology Security Awareness and Training Program.

Flyers such as:

Games and quizzes such as:

  • Florida State University: Be a Cyberhero! Game (2016).
  • Georgetown's Danger Game (2011): This game creates an opportunity to discuss the policies that are significant to information security, as well as any other security topic for your staff or students, and the institution’s faculty. You are allowed to modify and reuse the slides.
  • Naval Postgraduate School CyberCIEGE Educational Video Game (2010): CyberCIEGE is a thoughtful game developed to teach network security models. Its development was sponsored by the U.S. Navy and it is used as an education and training tool by agencies of the U.S. government, universities, community colleges, and high schools. The game is freely available to the U.S. Government and a no-cost license is available for academic institutions.
  • Zombie Survival Game: University of Rochester (2013).
  • The Nefarious Code Vs Patch game: University of Toronto (2017).

Tips for Government Security Awareness

As much as we try, it is not possible to totally eliminate cyberattacks on government networks. But the risks posed by these attackers can be minimized by employees. Everyone has a role to play. Some simple tips workers can adhere to include:

  • Making use of strong passwords; the passwords should be long and should include uppercase letters, numbers, and symbols.
  • Staying away from links that appear suspicious.
  • Encrypting sensitive data.
  • Updating operating systems and applications promptly and regularly.
  • Making use of a layered defense system on your network (e.g., firewall, intrusion prevention, web content filtering, email content filtering).

References

http://searchenterprisedesktop.techtarget.com/tip/Setting-up-an-information-security-policy

http://www.govtech.com/blogs/lohrmann-on-cybersecurity/ransomware-in-government-who-what-when-where-and-how.html

http://www.pbs.org/newshour/rundown/hacktivists-launch-cyberattacks-local-state-governments/

Aroosa Ashraf

Aroosa Ashraf is a trained and registered pharmacist from the Government College University of Faisalabad (GCUF). She completed her graduation in 2013. She is an experienced researcher and technical writer, and for the last 4 years she has been working as a writer on different platforms. Currently, she is writing many technical and non-technical articles for her national and international clients.