hile cybersecurity can seem like an overwhelming problem, we strongly and consistently encourage cities to start with the initial step of addressing the most important low-hanging fruit risks we call the 3Ps: passwords, patching, and people.
If cities can improve upon these three areas, they can eliminate some of the biggest risks that lead to viruses, ransomware, hacking, and cybersecurity incidents. Being proactive and intentional about these problems will lead to strengthening your overall cybersecurity and decreasing your liability.
Let’s look at the 3Ps in more detail.
Too many cities still use default passwords, obvious passwords (such as a child’s name, pet’s name, college mascot, birthdate, etc.), or weak passwords (like “123456”). Half of all security breaches involve stolen or easily guessable passwords. The weaker or looser the security around a password (such as people writing their passwords on paper notes around their desk), the easier it is for hackers to break into your systems and steal information. Hackers use automated software to look for holes in your systems. That automated software attempts common and weak password combinations that are easy to crack.
To protect yourself:
- Do not write passwords down and leave them visible.
- Use a password on all devices.
- Do not use simple or obvious passwords. We strongly recommend using passphrases.
- Do not save passwords to websites and applications.
- Change passwords regularly.
- Do not use the same password for all systems you access.
Two Factor Authentication (2FA) is also becoming easier to use and vastly decreases the risk of a hacker using a password to break into your systems. With 2FA, your employees may enter their email login information and then receive a notification through an app on their phone that they use to complete the sign-in process. Even if a hacker somehow obtains an employee’s username and password, the information is worthless because they are required to validate the authorization through an app on the employee’s phone—which obviously they cannot access.
So many data breaches and cybersecurity incidents—including major stories that dominated headlines over the past two years such as Atlanta,Equifax, Petya, and WannaCry—are rooted in a simple failure to patch software security vulnerabilities. Sadly, government entities (including cities) significantly lag on replacing outdated software, patching current software, and implementing endpoint defense that makes sure devices connected to the network follow a compliant process.
It’s not unusual for us to see cities using software that is 8-10 years old—or even older. That’s an eternity in technology time—so much so that software vendors often stop supporting those systems. If you keep using older software, then security vulnerabilities are not getting patched and that software becomes more of a major vulnerability for your city. By not regularly applying patches, whether your software is older or newer, you are choosing to leave security holes open for hackers to exploit.
In a previous post, we discussed a few important points about patching:
- Patch management is an essential element of cyber protection. Just do it. Fears such as “I’ll break my software” mean you need to modernize your software or you’re making excuses.
- You need IT professionals overseeing patch management and following rigorous procedures. There are too many risks when you let non-technical city employees apply patches themselves.
- Non-technical employees aren’t able to test patches before applying them. IT professionals test patches to monitor possible issues and ensure they will work before full-scale deployment.
- Patches need to be applied to all your machines regardless of their location. That includes the devices of remote employees using your city-owned hardware and software.
A recent survey shows that 64 percent of working adults either did not know the definition of ransomware or defined it incorrectly. In addition, 32 percent of working adults could not define malware or misunderstood it.
Now, ask yourself, even if you have the best information security at your city:
- Who is likely to receive an email with ransomware?
- Who is likely to click on a malicious website link?
- Who is likely to open a malicious file attachment?
- How is ransomware most likely going to enter your city network?
The answer? People. It’s possible that you, your staff, or some other user on your network will make a mistake that leads to a cybersecurity incident.
And what’s the answer to combatting this weakness? Training.
Today, training employees about cybersecurity is more important than ever. Hackers use techniques that trick employees into handing over access to your systems—and criminals know that people can be the weakest link in your security. Those who need ongoing regular training include your mayor, elected officials, the city manager, the city clerk, and department heads, along with all other employees.
We’ve created a blog post titled “How to Create Effective Cybersecurity Training for Cities” that outlines what you need to cover in your cybersecurity training and how to get started.
Remember it takes just…
- One unprotected or unmanaged computer for a cybercriminal to exploit.
- One unsuspecting employee for the cybercriminal to trick.
- One critical best practice to overlook (such as regularly patching your software) for a cybercriminal to steal your data.