What types of data do public entities collect/store/transact? What are some unique challenges in this sector with regard to safeguarding information assets?
Public entities do business and engage with every citizen in their community, so the data collected could be mundane, like books checked out from the library, or it could be critical PII like social security numbers, driver’s license numbers, or medical records. Public entities by law have a duty to protect this data, but they also face many challenges to data security. The biggest is probably funding, which is always a challenge for public entities but is required for hardware and software, IT staff, security protocols, and other resources. Many times this comes down to politics and getting approval for budget expenditures. What’s more, many of these entities — whether educational institutions or local services in cities and towns — have designed their websites to be open spaces where people can come and transact business, which creates vulnerabilities. Another complication we’re seeing is the increasing use of the Internet of Things for applications like traffic lights, police cameras, and utility grids. In Dallas, the tornado warning system was recently hacked and went off for two hours. Overall, more and more public entities are seeing the need to devote resources to cyber security, including cyber risk policies that will cover them in case of these events.
What are some of the leading cyber threats impacting public entities?
In general, because of the openness I just mentioned, governments and public entities are soft targets. Ransomware continues to be a challenge. Another emerging threat is “malicious cryptomining”, which is when an entity’s servers are hijacked for their computing power to solve complex blockchain transactions in order to earn a Bitcoin reward. This kind of attack is stealthy, impairs computer performance, and leaves the entity vulnerable to further attack. Finally, we’re also seeing more “hacktivism”, with hackers launching DDoS attacks for political reasons. The unifying issue here is often social engineering and a lack of awareness on the part of employees about avoiding these threats. Password hygiene continues to be an issue, and it’s important to stay current with best practices — for instance, now the experts are saying that we should use long and memorable phrases (such as a line from a poem) instead of short passwords with complex symbol and number combinations that we frequently forget and end up writing on a sticky note — which further exposes us to danger.
What are the top five things a public entity can do to mitigate cyber risk exposures?
- Communication. Staff across agencies and all levels of government need to do a better job of talking about the threats they’re facing, the policies and plans that are being put into place to stop them, and educating everybody about how to handle these situations.
- Training. Staff needs to be trained how to deal with security issues, how to properly use devices in a safe way, how to avoid phishing and spearphishing, and how to respond to active events.
- Technology. It’s critical to keep up with browser updates, security patches, and antivirus software, as well as use the latest technologies that will protect data more effectively.
- Assessment. Public entities need to do a better job of assessing threats and understanding their cyber exposures so they can protect themselves against them.
- Planning. Creating an incident response plan is key to knowing exactly what to do when these events hit — how to detect them, how to recover, and how to prevent them from happening again.
We want to thank Thom for his thoughtful insights into PE cyber risk exposures. From his top five list (above), we wanted to especially underscore the importance of the final bullet on breach preparation. Having an actionable data breach crisis plan, one that the PE management can find, access and use at a moment’s notice late at night, is quickly becoming a baseline level of due care. It’s also a document that cyber risk insurance carriers and cybersecurity data breach enforcers (such as FTC or state AGs) are increasingly requesting during the post-data breach investigation phase.