Last year was a tough one for schools, local, and state governments. Not simply because of COVID-19, which forced every local government and school to navigate a pandemic, but also because the pandemic brought with it a different set of dangers. While local governments and schools were trying to figure out remote learning, remote work, and how to run public meetings safely and effectively online, cybercriminals took advantage of the fact that the remote world is new to most small governments.
It was much worse than a few Zoom-bombed public meetings; a recent report released from the K-12 Cybersecurity Resource Center found that 2020 was a “record-breaking” year for cyber attacks against public schools in the U.S., with 408 known school cyber attacks in 2020, an increase of 18% over the previous year.
State and local governments were also under attack; cyberattacks on state, local and tribal governments were up by 50% in the fall of 2020.
Why are state, local, and education (SLED) organizations vulnerable to attack?
In general, state and local governments haven’t kept up with digital innovations in private business. While some governments have moved toward digital systems of doing business, local governments in the U.S. often operate in an analog fashion, accepting tax checks in person at the town hall, asking residents to fill out paper forms in person, and holding meetings in person.
The past year has changed that, and while state and local governments and schools scrambled to set up remote work and remote learning, they didn’t necessarily have the cybersecurity infrastructure in place to make sure some of those connections were secure. Many governments have never needed them. Additionally, carving out a cybersecurity budget without causing strife among elected officials and budget-conscious residents may be difficult when much of a government’s funding comes from taxes. When a resident or a lawmaker doesn’t understand cybersecurity or technology, Chief Information Security Officers (CISO) are likely to hear complaints and face cuts in budget meetings.
In fact, according to a report from Deloitte, the top barriers to cybersecurity in state governments are resource-related. State governments often have insufficient cybersecurity budgets or lack a dedicated cybersecurity budget altogether. They also lack sufficient cybersecurity personnel and are unable to compete with the private industry to hire the talent they need.
The pandemic, however, has brought cybersecurity to the forefront, and there are a few specific risks state, local, and educational organizations need to protect themselves against.
5 cybersecurity risks for SLED agencies
1. The rise of remote work and school
The last year changed both work and school dramatically. Suddenly employees were working remotely and students were learning from home. Sometimes that work was being completed on devices owned by the agency and sometimes it was being completed on personal devices and using personal or public wi-fi connections, many of which were likely not secure. This meant endpoint security was a huge concern. According to a recent report, 36% of attacks on K-12 schools involved data breaches or leaks.
Deloitte found that many state workers are planning to continue working from home post-pandemic. With that in mind, CISOs need to keep an eye on endpoint security to ensure the cyberhealth of their organizations.
Ransomware has long been a problem for SLED agencies. In 2019, for example, the MS-ISAC observed a 153% increase in state, local, tribal, and territorial (SLTT) reporting of ransomware incidents. Ransomware has continued to be a problem for SLED organizations; one in six Massachusetts communities, for example, has experienced ransomware attacks. The latest, which took place in April, shut down a school system for two days. In New York State, both Buffalo and Rochester schools were targeted. Schools and governments are commonly targeted by ransomware schemes because SLED organizations often don’t have the training or the resources to combat it.
How can an individual prove their identity to a small government agency? Sometimes they upload personally identifiable information (PII) to a site. Sometimes there’s not a rigorous vetting process at all. During the COVID pandemic, this was highlighted when fraudsters stole COVID relief money from the government using stolen identities. As SLED agencies continue to use online delivery for resident services, it’s critical they invest in tools that verify users’ identities, such as the tools used in the private sector.
4. Website defacement
Just as school lockers and the sides of buildings are defaced, so are websites. While this isn’t nearly the dire threat of losing control of computers to ransomware or criminals stealing student data, it can be upsetting and hurtful to residents and students. For example, a Hebrew school recently had its website defaced with hate speech and images. Schools and local governments, which often don’t have robust security in place, are easy targets.
5. Legacy systems
One of the top cybersecurity risks highlighted by Deloitte in its report was the continued use of legacy systems. State CISOs say that legacy infrastructure and solutions are an impediment to improved cybersecurity. Such systems can’t be updated quickly enough to match existing threats, and in many cases, they aren’t secure. They also don’t integrate well with other systems and products. Migrating to the cloud and abandoning legacy systems, however, may be met with resistance from leaders and taxpayers who remember exactly what the system cost to create and maintain.
How can SecurityScorecard help?
The first step in securing your organization is knowing your risks, and your vulnerabilities. SecurityScorecard’s easy-to-read security ratings, based on an A-F scale, monitor your agency’s security posture across 10 risk factor groups, giving you the ability to see your biggest vulnerabilities, just as a cybercriminal would.
For example, if any of your sites are not using HTTPS, we can show any non-encrypted sites. Whenever you fall out of compliance in a risk factor group, your agency’s score will change. You’ll know as soon as it happens, so you can address it and make your organization more secure.