Cybercriminals are continually scheming ways to get their hands on your sensitive data. Learn how to protect your data & stakeholders before it’s too late.
Private and public sector organizations alike were surprised by the SolarWinds cyber attack that was announced by FireEye in December 2020. One of the largest cyber attacks in history, it affected 18,000 SolarWinds customers globally. By injecting code into SolarWinds’ Orion platform, hackers carried out a supply chain attack that allowed them to infiltrate the IT systems of many private and public sector organizations, including:
- Local, state, and federal government agencies within the United States,
- North Atlantic Treaty Organization (NATO),
- European Parliament,
- U.K. government, and
- Several private companies.
It’s believed to be one of the worst cyber-espionage incidents ever suffered by the United States. Even worse, it took nearly nine months before the attack was ever detected, at which point the damage had already been done.
While this was a colossal attack on the public sector, it’s far from the only one. Hackers today are increasingly targeting public sector organizations. Without aggressive countermeasures, governments stand to lose sensitive data from data breaches. But why and how frequently are hackers targeting the public sector? What are governments doing to combat these increasing attacks? And what challenges do public sector organizations face?
Let’s hash it out.
Why Do Hackers Target Public Sector Organizations?
According to a 2019 Tenable and Ponemon report, 88% of public sector organizations have experienced at least one cyber attack within the previous two years. More recently, COVID-19 had a major impact on the workforce. As of January 2021, Gallup reports that 56% of employees were working remotely part or all of the time during the pandemic, and 44% of survey respondents indicate that they’d prefer to continue working remotely. With less stringent cybersecurity measures in place at home or in public Wi-Fi locations, the pandemic created an opportunity for more cyber attacks.
According to Verizon’s 2021 Data Breach Investigations Report, about 11% of cybersecurity incidents involved the public sector (3,236 incidents, 885 of which involved confirmed data disclosures out of a total of 29,207 incidents). Several key attributes make public sector organizations more attractive to hackers.
Public Sector = Loads of Sensitive Data
Many of the organizations that have been targeted in recent ransomware attacks fall within the public sector. That’s because public sector organizations are a virtual treasure trove of data for hackers. They maintain large databases of sensitive information, such as:
- Social security numbers,
- Confidential health information,
- Insurance numbers,
- Financial information,
- Trade secrets and other intellectual property (IP), and
- Personal identifying information for employees, citizens, students and other stakeholders.
They Know Their Activities Can Remain Undetected for Long Periods
Verizon’s 2019 Data Breach Investigations Report found that public sector organizations were involved in one-in-five cyber incidents. Their data also revealed that approximately 47% of public sector data breaches were not discovered until years after the initial attack. This delayed discovery allows criminals more time to steal information and wreak havoc while avoiding detection and responsibility for their crimes.
This is likely due, at least in part, to a lack of public sector cybersecurity resources. Cybercriminals are able to circumvent security systems more easily if their targets’ defenses aren’t at full strength.
Public agencies’ cybersecurity budgets are notoriously limited. A joint report from Deloitte and the National Association of State Chief Information Officers (NASCIO) found that the most significant barrier CISOs identified in terms of overcoming cybersecurity challenges is an insufficient cybersecurity budget. The Deloitte/NASCIO report also indicates that only 36% of states report having a dedicated budget for cybersecurity. And to make matters worse, the majority of states allocate less than 3% of their total IT budget to cybersecurity.
A lack of funds can create additional cybersecurity vulnerabilities due to:
- Outdated IT infrastructure, software, and security systems,
- Lack of cyber security awareness training (which would help prevent falling prey to phishing attacks and other cyber scams),
- Inadequate cybersecurity staffing, and
- The ongoing IT security skills gap and a lack of training for IT professionals to help them learn new skills and recognize new threats.
Speaking of which…
Public Sector Organizations Need More Cyber-Skilled Employees
The cybersecurity skill gap widened during COVID-19 as more strain was put on IT professionals worldwide. Data from the 2020 (ISC)² Cybersecurity Workforce Study shows that the cybersecurity talent gap is at 3.12 million unfilled jobs.
This is a global problem. The most recent Cyber Security: Skills In The UK Labour Market report found that more than 54% of the roughly 1.3 million businesses in the UK lacked the skills or confidence to carry out basic cybersecurity tasks. These tasks included creating back-ups or competently managing access privileges.
The lack of a consistent framework among federal, state, and local governments contributes to the existence of more security gaps. According to the Deloitte/NASCIO report, in the U.S.:
- 27% of states provide cybersecurity training to local governments and public education entities, and
- 28% of them say they have collaborated extensively with local governments as part of their state’s cybersecurity program.
A 2019 report from Tenable and the Ponemon Institute found that 51% of survey respondents say their public sector employers spend more time with manual processes than handling security vulnerabilities. This situation is expected to worsen, with the Insurance Journal reporting that the pandemic has further widened security gaps for public sector officials. Most security experts believe that the probability of a security breach is higher in the next 12 months than they reported during a similar 2018 study.
Public sector organizations can help mitigate cyber security vulnerabilities by learning about the common methods hackers and other cybercriminals use to attack public sector organizations.
5 Attack Methods Targeting Public Sector Organizations
The Institute for Defense & Business (IDB) identifies the following five methods of attack as those that cybercriminals use to target public sector organizations.
1. Phishing
Phishing is a major issue for public sector organizations. The IDB classifies phishing as impersonating a licensed institution in order to retrieve personal information from victims. For example, the cybercriminal may pose as a health official and ask the recipient of an email to verify their personal information.
Verizon’s 2021 DBIR indicates that social engineering was responsible for more than 69% of breaches for public administration organizations. Phishing was present in nearly 100% of those breaches.
2. Ransomware
Ransomware is a nightmare for businesses. It’s a type of malware that infiltrates a system and makes it (or its data) inoperable or inaccessible to the owner. Attackers usually demand large amounts of money in exchange for restoring the owner’s access. At least 60 government entities, including cities, transportation agencies, and police departments, were impacted by ransomware attacks during the first half of 2020.
3. Nation-State Cyber Attacks
Nation-state cyber attacks are backed by foreign governments and often target agencies that are known to store valuable information about the target country’s citizens. Examples of state-sponsored cyber attacks include:
- Identifying and manipulating critical national infrastructure,
- Collecting intelligence on the nation’s people that can be used for identity theft and phishing campaigns, and
- Stealing money or demanding ransoms.
Because attacking a public sector organization can have a larger effect on the people of a nation, these actions can be a type of warfare. If left unchecked, state-sponsored cyber attacks can threaten national security.
4. Distributed Denial of Service (DDoS)
This type of large-scale attack involves using a network of infected devices to bombard websites and services with connection requests. The goal is to overwhelm servers and make the sites inaccessible to legitimate customers and visitors. Attackers capitalize on vulnerable devices, essentially hijacking them to use as pawns in their DDoS army.
On May 4, 2021, Belgium’s public sector ISP, Belnet, reported that its network was targeted by a large-scale DDoS attack of unknown origin. The attack affected around 200 public sector organizations, including universities and other government websites.
5. Hacktivists
Some cyber criminals target public sector agencies with whom they disagree. They may consider themselves political activists and attempt to prove a point or highlight a social cause. However, they do so by illegally hacking into the agency’s computer system and exploiting the information there by:
- Leaking private emails,
- Sharing information in confidential databases,
- Threatening to release sensitive information to the public if the agency does not take a certain action, and
- Revealing sensitive or confidential information about the organization or its members.
Any of the above methods can have devastating effects on a public sector organization and the target nation at large.
A Harrowing Example of a Public Sector Cyber Security Attack
In 2017, cybercriminals launched WannaCry, a massive ransomware attack targeting organizations in more than 150 countries. The malware targeted computers with a specific Microsoft operating system exploit to encrypt critical files and data. This tactic gave the attackers leverage to demand Bitcoin payments in exchange for releasing the data.
By the time the ordeal was over, the results were devastating for businesses and public sector organizations globally:
- More than 200,000 computers were shut down.
- Thousands of hospital services, surgeries, and appointments were canceled or delayed.
- The United Kingdom’s Department of Health and Social Care reports that the nation’s National Health Service (NHS) incurred $92 million in lost output and IT-related costs.
The WannaCry attack expanded into new variants, including Petya ransomware. McAfee describes Petya ransomware as a variant of the Petya malware that capitalized on the same Server Message Block (SMB) vulnerability as WannaCry to spread to unpatched devices. NotPetya was another variant that used different encryption keys, displays, notes, and reboot styles.
Cybercriminals had stolen EternalBlue at least one year before the attack. Microsoft had issued a fix well before the launch of the WannaCry attack. The attack could have easily been avoided had the individuals using affected computers simply installed software patches or purchased a newer operating system. Once cyber security experts identified the attack, they were able to slow it down by downloading emergency security patches that Microsoft released and using a kill switch that prevented infected computers from spreading it further.
Government’s Strategy to Fight Cybercrime
Each government has the ability to create a strategy to fight cybercrime, provided that it is given the authority and resources to do so. While each strategy may be unique, the general steps of…