How much do your agency’s employees know about cybersecurity? Are they familiar with the concepts of ransomware or social engineering? We are constantly inundated with news of the latest data breach. As a result, we may think we’ve become fluent in the language of cybersecurity. Unfortunately, we have not, or our cybersecurity breach statistics would not be so alarming. The worst part: these breaches undermine the public trust, especially these days, when public trust in governmental institutions is hovering around its lowest point since the late 1950s [1]. We need to do what we can to strengthen it, not weaken it.
According to a February 2022 article in Fortune Magazine, cyber-attacks in 2021 rose by 105% compared to 2020. Sophos, one of the largest IT security companies in the world, reported that the average cost of recovering from a ransomware attack was around $1.85 million in 2021. By starting to understand the basics of cybersecurity, we begin to understand what’s at stake and how to avoid falling prey to cyberattacks.
WHY ARE DATA BREACHES HAPPENING?
Cyber security incidents can come from either a failure of a technical control or a human element, with the vast majority coming from the human side [2]. The technical controls are vast: hardware and software configurations and updates, multi-factor authentication, device hardening, password hygiene and policies, network design and separation. On the human side, social engineering attacks (cyber-attacks that rely on human interaction and manipulate people into breaking procedures) range from email phishing, pretexting (convincing people to give up valuable information), CEO fraud, and scams, to an attacker dropping a malware-ridden USB drive in the parking lot.
The adversary that we are up against is vast and unyielding. The “bad” guys range in competency anywhere from part-time ‘script kiddies’ (individuals who use scripts or programs developed by others to attack computer systems and networks and deface websites) all the way to well-funded nation state actors. Most groups responsible for higher-profile ransomware attacks are highly skilled professionals who do this for a living and have well-organized, vertically and horizontally integrated business units. To combat these threats, your organization must have the technical controls and safeguards in place, and your employees must be trained to recognize social engineering attacks and react appropriately.
BEST PRACTICES: HERE’S WHAT TO DO
Step 1: Find a proven framework to adopt in your organization
It’s important to consult with your business executives and legal counsel to determine if your organization has state or federal mandates to adhere to a particular cybersecurity framework. Even without a legal mandate, there are many solid, proven frameworks to choose from, such as those provided by the National Institute of Standards and Technology (NIST) and the Cybersecurity & Infrastructure Security Agency (CISA). Depending on your organization’s needs, you will have to adapt the chosen framework to fit the organization’s infrastructure and practices. It is also recommended that you join any local networking or cyber security groups you can find that share your organization’s structure. If you’re having a problem or issue, you’re not the only one. For example, many organizations are moving away from traditional financial system intermediaries and instead embracing decentralized finance (DeFi), where software, comparable to the distributed ledgers used by cryptocurrencies, replaces the controls a bank would provide.
Step 2: Address the human element and build a resilient cyber security minded culture
Humans are an absolutely critical layer in any cybersecurity program and deserve just as much time and resources as our technical controls. The good news is that there is a framework for this, published under a Creative Commons license: The Security Culture Framework (https://securitycultureframework.net/). By using these tools, you don’t have to reinvent the wheel, and you can take advantage of the millions of dollars and years of research that have already been done, tried and tested. Especially for municipalities and government agencies, it is critical that you safeguard your data so you can continue to deliver efficient and effective government services in your community.
Many CPA firms, including LSL, offer such consulting services. They take deep, impartial dives into your cybersecurity policies and study whether they are current. Next, they ensure that the nominal defensive methods translate through your IT department to the financial controls governing the public funds you are entrusted with. This present-day external examination can be crucial, as some existing protective controls were written and put in place years before cybersecurity was an issue. For example, as cashless transactions become more dominant in the marketplace, we must alter controls to address or mitigate these additional risks. The public good is served, and everyone will sleep better.
As the financial markets evolve and the risks advance with them, so must all people, controls, and organizations. Want to learn more about how LSL can help? Contact your LSL advisors or contact us here.
- [1] Pew Research: https://www.pewresearch.org/politics/2022/06/06/public-trust-in-government-1958-2022/
- [2] Verizon 2022 Data Breach Investigations Report: https://www.verizon.com/business/resources/reports/2022/dbir/2022-dbir-data-breach-investigations-report.pdf