The Scariest Public Sector Cybersecurity Trends Part 2
Posted on September 29, 2023 by Jason Franks
A previous blog explored one of the scariest trends about cybersecurity in the public sector, which is that many organizations still do not have it on their radar screens. However, this clearly is beginning to change due to several high-profile cyberattacks that occurred in the last couple of years. More evidence of this change can be found in the fact that cybersecurity was a hot topic at this year’s NENA and APCO conferences.
This blog dives into an equally scary and vexing trend, which is that most public-safety and justice agencies fail to adhere to — or even acknowledge the existence of — longstanding cybersecurity recommendations issued by entities with quite a bit of game in this area, for example the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). CISA, NIST, and their counterparts in Europe and Australia have worked collaboratively for years to ensure that public-sector organizations are well informed regarding emerging threats and the best strategies and tactics for mitigating them.
The Persistent Gap: Many Organizations Still Overlook Crucial MFA Measures for Cybersecurity
Yet, many such organizations still aren’t following recommendations made a decade ago, much less following current recommendations. One longstanding recommendation that’s still not being followed consistently across the ecosystem concerns implementing multifactor authentication (MFA), which is a hugely effective tactic. Every organization should employ it, especially for any infrastructure that exists in the cloud.
MFA requires the employee to prove their identity using more than one of the following factor types before they are allowed to access the network or system:
- Something you are — an example would be biometrics, e.g., a retinal or fingerprint scan
- Something you know — an example would be a challenge question, e.g., the hospital where you were born or the make and model of your first car
- Something you have — an example would be a token that changes an authentication code every few seconds
A strong password/passphrase management system coupled with MFA provides a very effective barrier for preventing cyberattacks.
The High Cost of Complacency
So, why aren’t more organizations following the recommendations of CISA, NIST, et al.? Part of the reason is complacency — many organizations think that they won’t suffer a cyberattack. This is extremely wrong-headed thinking — in this environment it is virtually certain that every public-sector organization eventually will suffer a cyberattack, with the risk increasing exponentially for organizations that do not have a sound cybersecurity program in place.
A bigger factor might be that cybersecurity still is a top-down endeavor for most organizations. If an organization is fortunate enough to have effective information technology (IT)/cybersecurity resources — and most public-sector organizations, especially smaller agencies, do not — the requests made by these professionals often are rejected out of hand because those at the leadership level find them too bothersome or too expensive, or both.
This is a classic example of thinking that is “penny wise and dollar foolish.” I’m reminded of a television commercial for an oil-filter brand from long ago that features an automobile mechanic uttering the iconic catchphrase, “You can pay me now, or you can pay me later.” The adage works very well today in the public sector — considering the havoc and expense that a cyberattack would generate, can any organization afford not to have a robust cybersecurity posture?
To be fair, public-sector leaders are not wrong in their belief that cybersecurity is bothersome and expensive. As a result, they not only eschew tactics that would improve the organization’s risk profile significantly, but also keep in service aging equipment that has virtually no cybersecurity protection baked into it. For example, we often see clients still using systems and devices that are running on the Windows 7 and Windows XP operating systems. The Windows 10 operating system is much better from a cybersecurity perspective — but replacing legacy operating systems across the entire enterprise would be expensive, so the thinking seems to be, “if it’s not broken, let’s not fix it.”
But this too is wrong-headed. Such thinking might work well when applied to a hammer — but computer systems need to be replaced, or at least upgraded, regularly to keep up with constantly evolving cybersecurity threats.
Going Beyond Monitoring
Finally, some organizations think that network, system, and device cybersecurity monitoring is all they must do. But without prevention tactics in place — e.g., physical security, access controls, password/passphrase management, MFA, penetration testing (which should be done at least quarterly), vulnerability scans (which should be done weekly), and patch management (which should be done every time a threat advisory is issued, at a minimum) — all monitoring will accomplish is alerting you when a breach has occurred. That’s far too late in the game — the damage already is done.
Cybersecurity is a big, messy endeavor, even for organizations that have robust resources in this area. MCP’s team of cybersecurity subject-matter experts would love the opportunity to help your organization sort through it all and develop a strategy that aligns with your environment and budget — please reach out.
Jason Franks is an MCP senior cybersecurity consultant. Email him at JasonFranks@MissionCriticalPartners.com.