As state and local government agencies fight against an onslaught of threats like ransomware and phishing, a standard cybersecurity strategic plan isn’t enough.
Those threats are bombarding agencies at an unprecedented rate — and a good chunk of them are coming at what one county chief information security officer calls “the Achilles’ heel” of any system: email.
“It’s users clicking on links, it’s the fact that those bad emails get to us,” said Michael Dent, the CISO for Fairfax County, Virginia. “We’ve got to be able to stop that.”
In South Dakota, it’s a similar fight. Jim Edman, the state’s chief security officer, said that with almost 90 percent of incoming email to state employees being categorized and flagged as spam, it makes protecting against threats difficult — especially if something slips through the cracks.
“The employees, boy, those people are sitting in front of that computer reading that message — they are absolutely critical,” Edman said. “If they give up their credentials, or they click on something that’s going to download malware, then you’re in a reactive game there.”
Most spam gets filtered out at the email gateway level, Edman and Dent said, but the key to developing resilience really centers on employee education.
“[Employees] are the ones that are getting the phishing messages, the spoof phishing attempts and other aspects of social engineering,” Edman said. “I think there’s a lot of components to everybody’s cyber strategy, and certainly one of those important components is going to be client education.”
While employee education helps cover the weakest links in the systems, states can use technology and cybersecurity strategy to help bridge the gap.
“Security teams are getting better and better,” Edman said. “If you apply the updates, you keep the patches, you use a desktop protection system and you don’t click on the ‘prince from Nigeria’ message saying you just won $8.7 million, that goes a long way in the digital world.”
For a checklist to plan for cyber resilience, and more on how state and local agencies should go about creating that plan, check out the full report.
Download the special report here. This article was produced by CyberScoop for, and underwritten by, Mimecast.