Protecting Against the Digital Unknown

April 21, 2022, Feature, by Paula M. Jacoby-Garrett

Discover best practices for safeguarding yourself and your organization from a cyberattack

While the world has been focused on the coronavirus (COVID-19) pandemic over the past two years, another type of threat has been lurking behind the scenes and steadily growing in its reach and its impact. Cyberattacks are capable of affecting our workplaces, homes, schools and governments. By targeting an individual or entity’s cyberspace, these attackers maliciously disrupt, disable, destroy or control another’s digital environment, and these kinds of attacks are on the rise. In 2021, the frequency of one type of cyberattack, ransomware, rose 10.5 percent, with attacks “endangering our food supply, our water supply, our fuel supply, our hospitals and our municipalities,” according to the 2022 SonicWall Cyber Threat Report. Local governments are increasingly becoming targets of cyberattacks, with the estimated costs in the billions. Yet, many municipalities are ill-prepared and underfunded to protect against these attacks.

Knowing Risks and Assessing Resilience for Organizations

An important step in protecting yourself is to understand what risks are present and to assess your individual resilience to those risks. A place to start is reviewing the resources provided by the federal Cybersecurity and Infrastructure Security Agency (CISA). Its overarching goal is to provide resources for organizations to build their cyber resilience to combat cybersecurity threats. CISA has created a cybersecurity framework (see chart at right) that provides a guideline for individual organizations to assess and define their own cybersecurity needs and to identify any gaps in their own systems. Specific sector-based tools are available to meet specific needs.

CISA’s cybersecurity framework:

  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
  • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Resources are available to state, local, tribal and territorial governments to assist in the recognition of their cybersecurity risks and to provide resources to address those risks. Included are resources to identify threats, to protect against them, and to respond to those threats.

One resource CISA provides is the Cyber Resilience Review. This voluntary assessment can be self-assessed or facilitated by a Department of Homeland Security professional. These assessments review programs and practices across the organization, measuring current cyber strengths and weaknesses. Another resource CISA provides is the National Cyber Awareness System, which offers up-to-date alerts and tips to combat emerging cyber threats.

Types of Threats

While there are many types of cybersecurity threats, ransomware, phishing, crypto mining malware and Trojans are the most common. “Ransomware, now the fastest growing and one of the most damaging types of cybercrime,” according to Steve Morgan, editor-in-chief, Cybercrime magazine, is one of the top choices for cybercriminals, with attacks occurring every few seconds and causing damage costs in the billions.

Cities like Baltimore and Greenville, North Carolina, were hit with the devastating RobbinHood Ransomware. Though neither paid the ransom, the overall end cost was significant. While many entities refuse to pay the ransom, the threat still leaves its mark by halting many services and typically requiring systems to be rebuilt afterward, which causes a significant recovery cost. For Baltimore, recovery costs were tens of millions, and the attack left the city crippled for months.

For Justin King, chief of information technology (IT) at the Baltimore City Department of Recreation and Parks, the 2019 ransomware attack resulted in major changes. “It took the worst thing that could possibly happen [to make change]. Previously, there wasn’t enough investment in cybersecurity; it was overlooked. There have been astronomical changes since then. We looked at our network from the ground up, and we completely rebuilt it. One of the most substantial changes to our system is two-factor authentication. It’s something people don’t think is critical, but it changes everything and makes such a tremendous difference. The root cause of the ransomware was someone’s password being compromised. [To keep current,] we have calls daily with all the IT leadership in the city. We get briefed every single day by our information security department, and they tell us what’s going on.”

When Cyberattacks Affect Individuals

While devastating and costly for a municipality, cyberattacks also can affect the individuals who work for or do business with that entity. For “Laura,” the nightmare of a cyberattack started with a piece of technology she used every day — her cellphone. (Editor’s Note: “Laura” is a pseudonym to protect her identity.) “I would go to use it, and a cursor would move across the screen. Then I was working on my home computer one night, and I got a pop-up, so I turned off the computer and went to bed. I turned the computer back on the next day, and the screen didn’t look familiar, and someone was controlling the screen. So, I went to another computer in the house, and it was doing the same thing. When I went into the office, the same virtual screen was on my computer,” she recalls. The cyberattackers were able to access all her passwords and gain access to her online tax records, which contained both her and her husband’s social security numbers. From there, they were able to access her bank accounts and her mutual funds. She had some of her mother’s health records stored on her computer, which allowed the attackers access to her mother’s retirement accounts as well. “Everywhere I turned — from my house to my work to my phone to my car — they were there. They were in every single electronic account you can think of,” Laura says.

While she first noticed activity on her cellphone in August 2021, the forensic investigators found traces of the activity a year prior. “The police still don’t know where it started or when it started or who did it,” she says. “I had to leave my job and move to another area of the country, just to feel safe.” Now Laura uses a password manager and has hired a company to secure her home internet at a personal cost of $750 per month. However, she still isn’t sure if she is completely protected.

Best Practices

While cybercrime is ever changing and constantly evolving, there are best practices that can reduce risk and minimize the impact if there is a cyber breach. First and foremost, adequate funding must be available for cybersecurity. This includes staffing, which may include agency staff, as well as an outside cybersecurity contractor. Failure to adequately fund and staff cybersecurity will almost certainly lead to adverse cyber outcomes, which, in turn, will lead to unnecessary and significant costs to local governments. Donald Norris notes in his article, “A Look at Local Government Cybersecurity in 2020,” that the top four barriers to effective cybersecurity reported in a 2016 nationwide survey were “inability to pay competitive salaries to cybersecurity employees (58.6 percent); insufficient number of cybersecurity staff (53.1 percent); lack of funds (52.8 percent); and lack of adequately trained staff (46 percent)”.

While funding is always a challenge, the Infrastructure Investment and Jobs Act, which was signed by President Joe Biden in November 2021, includes $1 billion for cybersecurity in state, local, tribal and territorial governments. This largest-ever federal cybersecurity grant program could add much-needed funds in a sector that could use it.

Finding cybersecurity personnel, however, can be a complex process. “We have a tremendous shortage of talented security,” said Aidan Kehoe, CEO at SKOUT Cybersecurity in a video podcast. Further complicating security, we have seen profound changes in workplace settings over the past two years. “You’ve seen a massive expansion of people’s footprint that work from home, so it’s not nice and tidy inside a network anymore,” which can lead to an increase in cyberattacks.

Responsibility lies with municipalities as well as the individuals who make up the workforce. Employees should be trained in cybersecurity and be held accountable for their cyber actions. Cybersecurity is an ever-changing, ever-moving target. Policies should be reviewed and revised when appropriate, and current threats should continually be monitored.

“The data reveals that state and local governments struggle to keep their heads above water. The weakest areas include a lack of support from top officials, ‘inefficient’ to ‘no end-user training at all,’ and ‘too many network/IT systems.’ The answer is not just to have great IT systems, but also to have personnel who are trained to recognize the threats, giving the IT department support in creating a human firewall,” according to KnowBe4.

Protecting against a constantly changing threat can be difficult but not impossible. “One of the biggest challenges for municipalities is trying to deal with all the potential cyber threats that are out there at one time,” says Erich Kron, security awareness advocate at KnowBe4. “They have to be very selective in where they put their resources because there is only so much to go around. What these organizations should do is look at the cyber incidents that have been causing them trouble. Everyone gets some sort of cyber incidents, and it makes sense for these organizations to look at where most of these threats are coming from and focus on how they can deal with that.”

“Most of the time, these organizations are going to find out that email phishing is their number one threat,” continues Kron. Creating training programs that teach people how to spot phishing attempts and providing a place to report them are key. Also creating training programs that “teach them some better hygiene, such as how to make a secure password and the reasons why you don’t reuse passwords across multiple places. This is a big issue in cybersecurity — someone uses a password in one place, and that website gets breached. Then they take that username and password and try it in all these other places. Concentrating on those things that are the biggest threats can have a significant impact in the security of these organizations.”

So, whether you are a small or large organization, or perhaps an individual looking to keep your data secure, defining good protocols — like unique password selection and two-factor authentication — coupled with a keen eye to types of threats you are vulnerable to, can make a significant difference. Getting support through cybersecurity consultants or advisors and using resources available from CISA can further your protection. Threats can come into our systems in many ways. Being prepared for those threats requires diligence, up-to-date information, and a trained and committed workforce protecting our digital environment.

Paula M. Jacoby-Garrett is a Freelance Writer based in Las Vegas, Nevada.