Protecting citizen-facing staff from phishing starts with a people-first approach
- By Tony Pepper
- Aug 23, 2021
As government agencies formalize their workforce plans for the remainder of 2021 and beyond, one ongoing concern for both the traditional office and remote locations is email security.
As we’ve all seen over the past 18 months, digital communications and online activity have skyrocketed, which has created more opportunities for bad actors to prey on citizens, school districts and state and local governments. In Illinois, for example, scammers recently sent out a number of phishing messages to residents posing as the Illinois Department of Transportation in the hopes of securing drivers’ license numbers, dates of birth and Social Security numbers so they could steal residents’ identities. Earlier this summer, Albuquerque, N.M., fell victim to a phishing attack that almost cost it $1.9 million in ransom.
For government agencies, the risk of not being able to provide access to services for residents is not worth taking, so it’s time to protect agency employees with self-learning cybersecurity solutions that give users confidence to work and communicate online freely.
While phishing has been around for quite some time, success rates have been rapidly increasing as the techniques have matured thanks to the increased availability of a user's history and behavior online. Additionally, online pockets of organized criminal groups are sharing stolen data and even selling access to critical information. These crime-as-a-service offerings can include the selling of access to the tools, expertise and information required to create sophisticated phishing campaigns – and often include organizations’ email and contact lists.
Phishing attacks have traditionally targeted individuals as cybercriminals looked for access to personal information such as banking records, but criminals are also turning their attention toward larger organizations such as state, local and federal agencies. Within the government sector, phishing attacks were responsible for 70% of all government data breaches over the past year. Phishing has also led to a significant rise in ransomware cases, with attacks in North America up 158% and a specific focus on government agencies and utility providers.
Why this new focus? From what we see, it is twofold. First, people continue to be organizations’ greatest vulnerability and provide the easiest path to network access. Second, it is thought that government agencies are more likely to pay a ransom due to the critical nature of the services they provide their local residents.
With so many hacking attempts taking place, it is imperative that all public-sector security leaders add a human layer to their cybersecurity efforts in order to prevent the next takedown of local services.
Growth in online communication for state and local governments
The majority of citizen engagements take place over traditional email, with federal, state and local governments sending or receiving hundreds of millions of email communications every year. These inquiries, questions and resolutions require a personal evaluation to provide constituents with the information they are looking for. This takes time and also requires that government employees trust that the emails they receive are safe and not the latest phishing tactic being leveraged by potential criminals.
With all of the investments made to increase cybersecurity, agency employees may have a false sense of security and assume that they are safe when engaging with inbound inquiries. With the high number of communications taking place, staff may also accidentally (or intentionally) send sensitive information to the wrong recipients, because no monitoring or filtering system can prevent simple mistakes.
Why a human approach to cybersecurity
As government agencies continue to adopt a digital-first approach, they must focus on the No. 1 vulnerability: their employees. As mentioned earlier, people make mistakes. They can also get hacked and break the rules. These three facts have contributed to a rise in phishing scams and ransomware attacks across all levels of government. That is why agencies must now turn their attention to enabling employees to work freely and confidently, while being protected.
Intelligent solutions that adopt a zero-trust model can analyze the content and context of each email before it reaches the employee’s inbox. Using natural language processing technology, advanced solutions can go beyond the capability of traditional secure email gateways to detect even the most sophisticated attacks. NLP can accurately determine the sender’s authenticity, even detecting when cybercriminals are using compromised accounts to impersonate trusted contacts, such as colleagues. Agencies can also protect their employees who share data with machine learning technology that can understand individual users’ behavior to effectively prevent outbound incidents, too.
Increasing confidence for local citizens
Because of the close relationship between constituents and state and local government, agencies have the responsibility to retain the taxpayer’s trust that whenever communication takes place, steps and protocols are in place to protect their information.
By empowering the employees on the front line of citizen engagement to conduct their jobs in a secure fashion, agencies can not only increase productivity but also fight off cybersecurity attacks. Keeping services online and communications open and secure provides the greatest service to local residents.
Tony Pepper is CEO of Egress Software Technologies.