All local governments are potential targets for cybercrime, a risk that intensifies as victims increasingly pay ransoms to regain access to their hijacked technologies. It can be tempting to pay up because hacks are disruptive, damaging, embarrassing, and expensive. As stewards of (often sensitive) public data, finance officers must understand the significance of this threat, including the large costs governments face in recovering lost data, restoring public trust, and otherwise recovering from a breach.
Finance officers can implement simple and inexpensive strategies that address people, process, and technology to protect their organizations from cyber threats without conducting a costly cybersecurity assessment. Many of the recommendations below address the weakest link in cybersecurity: the human factor.
Most breaches begin with an e-mail or file attachment. Employees in the finance department are likely targets because they have frequent transactions with vendors and access to business systems. To mitigate this threat, governments should train employees to:
* Be suspicious of unexpected messages and requests.
* Be wary of e-mails asking them to change their usernames or passwords.
* Double-check the sender's e-mail address before opening or downloading an attachment.
* Follow the government's established business processes when vendors request changes to electronic payment and bank account information (e.g., accounts payable) or when staff members request changes to their own (e.g., direct deposit). These procedures are often "out-of-band" (i.e., not done by e-mail) and are therefore likely to expose wrongful requests.
* Check the sender's website address before entering or sending sensitive data.
* Periodically check the public website haveibeenpwned.com to see if their e-mail addresses and passwords have been exposed. If so, employees should report the breach and change passwords for the accounts listed.
Actions Governments Can Take:
* Conduct training for all members of the finance staff; online training videos provide a low-cost or free option.
* Avoid posting e-mail addresses on websites, if allowed by law.
* Remind employees frequently about the potential for cyber threats.
* Make sure employees know where to report suspicious incidents, and praise proactive behavior.
PATCH DIGITAL SERVICES
Software patches typically include security updates and fixes for vulnerabilities, so as part of cybersecurity awareness, teach employees about the value of updating all their devices promptly, including computers, laptops, and smart devices. Ideally, the updates should be pushed to all devices through a central server, but if this isn't possible, schedule updates to run automatically during the day (this can be done during workers' lunch periods to minimize downtime). Be sure to restart the device after a patch has been installed, since many updates only take effect after a reboot. Because employees' personal devices...