Washington's state and local governments possess countless IT systems that provide critical government services and handle vital and sometimes very personal data. The public expects government to do all it can to ensure that these systems are secure to ensure services are not interrupted, and stored data is not lost, stolen or damaged.
The disruptions caused by the COVID-19 pandemic resulted in increased dependence on technology and electronic payment networks. This shift has created new opportunities for bad actors to steal public resources and assets from your government. By using various cyber fraud schemes, such as fake email addresses or compromised email accounts, bad actors are successfully tricking governments into rerouting electronic disbursements to their own accounts. And the fraudsters are raking in a hefty profit.
The COVID-19 pandemic forced local governments to rapidly convert many office employees to work-from-home employees. While some have returned to the workplace, many employees continue to work either fully or partially remotely. Working from home has many benefits, but it also brings additional risks because remote workers are more vulnerable to cybercrime than those who work in the office.
It doesn't matter if you're a small government, a big government, or somewhere in between: You have information that hackers want. From employee personal information and payroll to vendor payments, tax information, critical infrastructure and more, hackers want it all—and they're constantly evolving their tactics to get it.
If it seems like data breaches are in the news nearly every day, it's because they are. While breaches at large companies often dominate the headlines, cybercriminals are also hacking local and state governments, public and private universities, and school districts. Yet, despite the prevalence of the breach-centric news cycle, many people don't know what exactly a data breach is, how it typically starts, and why it occurs.
When a cyberattack occurs, we often want to point the finger at our technical staff. We assume there must be a hole in our organization's security, and that our IT employees weren't doing all they could to prevent the attack. In reality, the days of simply relying on firewalls and antivirus software to keep hackers out of your network are over.
Whether you work for a local government that provides frontline emergency services or an agency that handles sensitive information like personal or financial records, you have an important role in cybersecurity.
That is why the State Auditor's Office will be joining in the theme of Cybersecurity Awareness Month, “See yourself in cyber.” While cybersecurity can be technical and complex, much of it comes down to people and the choices they make.
Do you remember the Nigerian prince scheme—that long-running internet fraud where the bad actor drains your bank account after obtaining your information? Fraudsters made $703,000 in 2018 alone on that one. While some fraudsters are still working that old scam, others have moved on to impersonating your employees and vendors to redirect Automated Clearing House (ACH) payments meant for payroll direct deposits or vendor payments. In fact, Washington governments reported $4.7 million lost to these schemes in 2020 and 2021.
Last month, President Biden warned that Russian cyberattacks on American companies were coming, and he urged them to harden their defenses. In separate news earlier this month, the FBI reported that local governments—and the critical services they offer—are becoming attractive targets for cyber criminals.
This weekend marks the start of daylight saving time, and we all know the drill: Change your clocks and the batteries in your smoke alarms. But how often are you testing your government's backup file system? With the rapid rise in phishing and ransomware schemes, the biannual time change can also serve as a handy reminder to perform this critical task.