The public sector – government, education, law enforcement – is the backbone of society. Citizens entrust their local governments, police, and public schools with vast amounts of personal information in return for their services. In effect, the public sector has become a data collection machine.
Yet public organizations in particular are ill-equipped to deal with the digital responsibilities that come with managing vast amounts of personal data. Unlike private companies, the public sector typically does not have the appropriate funding, staffing, or the ability to treat cybersecurity as the priority it should be.
Indeed, recent cyber attacks against the public sector paint a dire picture. In 2023, the Medusa ransomware group attacked the Minneapolis Public Schools system, demanding a $1 million ransom. When the ransom wasn't paid, a large trove of sensitive files was leaked. This included documentation of abuse, sexual assault, student mental health, medical records, and those little gold nuggets called Social Security numbers.
This is just one example.
How do threat actors do it?
Social engineering is the most common attack vector for cybercriminals. Phishing, which accounts for 70-90% of all breaches, and its variants such as business email compromise continue to lure public sector employees. Hackers use these entry points to trick well-intentioned public sector employees into clicking malicious links, thereby putting organizations and the data they protect at risk.
Plus, a new tool has emerged to the delight of cybercriminals: generative artificial intelligence. GenAI can not only develop new malware, but it can also help bad actors launch more sophisticated social engineering attacks. Cybercriminals no longer need to be hacking experts or fluent in English; now artificial intelligence can do the work for them.
What can the public sector do about this?
The reality is that those with the least awareness of security threats often pose the greatest risk. Employees who lack awareness of threats, protocols, and response procedures are most likely to become victims of social engineering attacks. This is why security awareness training is so important. To shore up a fragile layer of human cyber defense, agencies can conduct a variety of awareness training campaigns. This training can take many forms, including case studies, games, and phishing simulations. The goal is to educate vulnerable employees, especially those who think they're not part of the problem.
Employees don't like being told they're doing something wrong or that they need to change how they do things. They wonder why they should spend their valuable time following cybersecurity procedures and paying close attention to every potentially suspicious email link when they don't think they'll fall for a social engineering ploy. They may think it's a waste of time when it's the organization that's affected, not them.
But the reality is that employees of a breached organization are also at personal risk.
One effective way to make employees aware of and compliant with security policies is to help them understand the risks they face in both their work and personal lives. For example, if your office is cyber-attacked and your personnel records are stolen, bad actors could use your personal information to apply for credit cards and incur huge bills in your name.
Highlighting past cyber attacks, especially those that targeted technically savvy or astute people, can also help change employees' beliefs that social engineering doesn't work on smart people. Unfortunately, doctors, lawyers, educators, and many other astute people have fallen prey to social engineering attacks. It's a misconception that some people are too smart to be fooled.
By participating in simulated social engineering attacks, employees begin to understand exactly how vulnerable they are and how sophisticated these attacks can be. Additionally, messages from organizational leaders explaining the risks and supporting training are more effective than messages from the IT department. When leaders demonstrate good behavior, others will be more likely to do the same, ultimately strengthening the security culture in the organization.
Some organizations have had great success by gamifying phishing education and practice. A phishing derby is a fun way to gamify learning by assigning points for each correctly reported mock phishing email and tracking scores across the organization. Some organizations choose to pick a time period (October, Cybersecurity Awareness Month, is a great choice) to eliminate negative consequences such as additional training for failure and dramatically increase the number of mock phishing emails to give employees more opportunities to improve their scores.
This contest can be run at the individual, department, or branch level, with simple prizes ranging from pizza parties to special parking spots or even a fun trophy to brag about. By offering prizes without the negative consequences, many employees will look forward to receiving simulated messages to improve their scores and rankings, and your organization will benefit from plenty of practice in quickly spotting and reporting potential serious threats.
Rebuilding a cybersecurity culture within an organization is difficult, especially in resource-strapped government agencies. But at-risk organizations need to realize that security training and education is a worthwhile investment. Protecting citizen data is key. Roll out training modules and overhaul protocols, even if this will be difficult in the short term.
It's easy to think “I've never been hacked before, so I don't need to worry,” but this is short-sighted: cybercriminal groups put public sector organizations at even greater risk of being breached.
Prevent this by prioritizing awareness, building a positive security culture, and promoting shared responsibility.
Erich Kron is a security awareness advocate at KnowBe4. He is a veteran information security professional with over 25 years of experience.