Security Risks for Local Government Employees

Written by Alaina Coffee, Security+ ce

Cyberattacks can be prevented through education and by taking proper precautionary measures.
Cybersecurity Services from CivicPlus

Download our fact sheet to learn how we can help you protect your citizen and civic data.

Download Now

Cyberattacks are on a sharp and steady rise for local government organizations. Bad actors—individuals, criminal enterprises, or nation-states that act to breach IT systems with nefarious intent—are searching for vulnerabilities in municipal websites. More prevalently, these infiltrations focus on the deception of individual employees via tactics such as phishing schemes. Phishing is the number one method by which IT systems are compromised, and this method is being deployed to trick individuals into giving information or granting access to malware such as ransomware to their systems and secure data. The end goal can be financial gain or causing disruption, disorder, or financial damage to a municipality.

Fortunately, these types of attacks can be prevented through education and by taking proper precautionary measures. Consider some of the following ideas to help create a strong front line of defense, in the form of each employee, against these malicious efforts.

Education and a Foundation of Vigilance

Before you address specific plans of action or the different types of threats, it is perhaps more important to start with the idea that vigilance will be the most important factor in whether your team can effectively thwart cyberattacks. It is not a complicated process to keep your system secure; it is just a difficult one to implement because it requires a steady, persistent approach across what can often be a large team. Your system’s entire line of defense may only prove to be as strong as its most vulnerable piece or team member. If a single staff member is missing the necessary information or isn’t attentive, the security of your website and every user could be compromised. Once you stress the importance of using a diligent and skeptical eye, move on to more granular aspects of the education process, such as:

  • Identifying vulnerabilities and course-correcting
  • Holding training events and follow-up refresher courses on cybersecurity
  • Incorporating security topics into regular department meeting agendas
  • Regularly sharing updates and learning materials with your staff
  • Writing a cybersecurity best practices guide
  • Constructing a central knowledge base for training purposes

Communicate What is at Stake

Ensure all staff knows exactly what is at stake and why maintaining security is crucial. Potential outcomes of a compromised platform include:

  • Great financial loss or burden to an institution
  • Loss of time to litigation, recovery, and remediation
  • Loss of public trust in your valuable online resources
  • A decrease in website traffic and interactions with online processes
  • Reduction in services utilized by citizens
  • A public that is less engaged with their local government

Specific Steps and Efforts

Every staff member can do their part to ward off cyberattacks by following simple steps such as:

  • Reporting suspicious activity to your IT team
  • Refraining from the access of any links or attachments from unknown or unexpected senders (including correspondence that appears as internal communications)
  • Never providing login credentials to external websites
  • Developing mandatory password standards, two-factor authentication, and credential update requirements
  • Reporting unprompted or duplicate two-factor approval prompts
  • Never reusing passwords across personal and work accounts
  • Carefully validating any link or resource that you choose to follow
  • Communicating examples of identified attempted attacks using descriptions, screenshots, and instructions

Aligning Attack Trends with National News

A rise in cyber attacks often correlates with major news events or national stories of interest. Attackers seek to take advantage of the public’s concern and interest by targeting resources that are commonly relied upon for valuable information and updates. COVID-19 is a prime example, particularly due to the seriousness of the pandemic and its lasting nature. Employees may receive malicious messages disguised as important correspondence related to the pandemic, and it’s important that these attempts are identified, reported, and then deleted.

Now more than ever, it’s critical that everyone approaches their workflow, email, and messaging with an attentive and skeptical eye. With consistent training, messaging, and instruction, you can provide your staff with the knowledge they need to prevent attacks and unnecessary loss and damages.