How do cyber threats impact public entities?

Though private companies are most in the news, public entities perhaps face an even greater level of scrutiny and expectation when it comes to cyber security.

Even with the world’s most secure computer network, human error or negligence will always be a cybersecurity issue. (Photo: Getty)

From a remote location in any part of the world with internet access, a hacker uses access credentials obtained from an unsuspecting county employee who inadvertently responded to a phishing email. In minutes, the cybercriminal locates a property tax database containing extensive information about homeowners, including in some cases, credit card and checking information used to pay their tax bills. In a clandestine manner, the data is copied and, just as swiftly as the criminal entered the system, the hacker disappears. The county fails to detect the intrusion for more than six months, until they are contacted by numerous financial institutions informing them they are the likely source of their customers’ personal information used to make fraudulent purchases and bank account withdrawals. The incident becomes a serious liability for the county as well as a public relations scandal that cycles in the media – and the courts – for years.

We hear about large-scale data breaches so often in the news that they have become commonplace. People aren’t sure how it will affect them, if at all (it will). And even if it may, they don’t really know what to do about it. Many view it predominantly as a retail problem, but even public entities such as schools and municipalities can be targeted for a damaging cyber attack.

Related: Is your CEO a cybersecurity dinosaur?

Public entities perhaps face an even greater level of scrutiny and expectation when it comes to cyber security. Endowed with the public’s trust, they are expected to adhere to a higher level of preparedness.

Just like any Fortune 500 company, public entities need to have a priority listing of cyber threats, including:

Voter registration rolls and election systems security have become a focus of national attention and concern. The Department of Homeland Security reported that during the 2016 general election, 21 state systems were targeted and a “small number of systems” were actually penetrated by cyber attacks. A Bloomberg investigative report revealed that 39 states became hacking targets during the 2016 elections, and a successful attack compromised 90,000 voter records in the state of Illinois. Such cyber intrusions are expected to be a major risk during the upcoming 2018 midterm elections.

Public agencies use an extensive network of critical systems and communication that operate over potentially vulnerable channels. Consider how traffic control and transportation coordination is automated. Interoperability is essential between law enforcement agencies for both routine services and emergency management. The connected nature of such systems, and failure or interference with them during a natural disaster or terror incident can multiply the damage and severely delay recovery efforts.

What can public entities do to protect themselves?

First and foremost, public entities can protect themselves by taking steps to reduce the human error that can inadvertently give criminals an access point. Oftentimes employees are not aware that their seemingly harmless habits, such as putting off needed system updates or plugging in an unsecure device like a flash drive, can have major consequences from a cyber security perspective. Regular cyber security trainings can help employees to create strong passwords, recognize phishing and other malicious emails, avoid dangerous apps, and take necessary precautions when dealing with sensitive information. Without having to invest hundreds of thousands of dollars in a robust cyber security platform, training is the best way to begin to protect your agency. Even with the world’s most secure computer network, human error or negligence will always be an issue.

Organizations should also have a strong Cyber Security Policy and Breach Response Plan in place. These preemptive manuals can help document policies and procedures for important topics such as encryption requirements and how to delete outdated files, as well as provide a plan for how to handle a cyber breach incident when and if it occurs. Like any other emergency, if your agency prepares itself and does “table-top” exercises to game plan itself for the inevitable, it will be able to better respond when it does actually happen.

What about Cyber Insurance? While it helps mitigate financial liability in the event of a cyber breach, perhaps the most valuable aspects of such coverage come from the expertise and resources to assist agencies with preventing attacks. Implementing IT best practices and loss control measures by the organizations that have seen a wide range of cyber liability occurrences can greatly minimize the risk for a local agency.

With almost every state having a different set of rules and regulations around cyber risks, cyber insurance will provide your agency with a “breach coach” to help maneuver through the regulatory minefield. The breach coach, which will most likely be a law firm dedicated to cyber response, deals with these issues on a daily basis and will help with all questions and situations. It is important to make sure your policy has both first party breach mitigation coverage and third-party liability language.

The cyber threat is real and growing. Is your organization ready for it?


Brad Keenan is an account executive at Keenan & Associates specializing in cyber liability and policy administration for K-12 public schools.