Public sector organizations such as schools, hospitals, manufacturing units, essential services and government offices have become a popular target for cybercriminals. Per recent estimates, around 20% of security incidents can be traced back to the public sector, one of the highest shares of any industry.
Why do Cybercriminals Favor Public Sector Organizations?
There are multiple reasons why cybercriminals favor public sector organizations. Here are the top three:
- A Mountain of Private Data: Public sector organizations store and process massive amounts of sensitive data such as classified documents, personally identifiable information, demographic and state-level intelligence, etc. This type of data can fetch money for cybercriminals in underground dark web marketplaces.
- Opportunity for Large-scale Disruption: State-sponsored actors and cyber terrorists aren’t always motivated by financial gain. Sometimes their aim is to disrupt essential services, cause unrest and panic, undermine democratic institutions, damage or destroy national assets, spread misinformation, leak classified documents or promote a specific political ideology or narrative.
- Limited Security Coverage: Most public sector organizations run on meager budgets with limited room for advanced cybersecurity defenses. Moreover, many of these institutions run on outdated legacy technologies that have vulnerabilities. Some organizations even lack specialized or dedicated cybersecurity teams; this explains why public sector organizations are slow in responding to cyberattacks.
Top Security Trends in the Public Sector
If one studies attacks on the public sector, three key trends come into view:
- Barrage of Phishing and Social Engineering Attacks: Social engineering is easily one of the biggest threats facing public sector organizations today. Threat actors routinely prey on normal human vulnerabilities such as gullibility, lust, impatience, greed and biases, to circumvent technical defenses and gain initial access into organizations.
- Breeding Grounds for APTs, Ransomware and Espionage: An advanced persistent threat (APT) is a sophisticated, long-running intrusion in which threat actors infiltrate an organization and operate low and slow instead of the traditional “smash and grab.” In public sector organizations, malware and the precursors to ransomware tend to remain undetected for months before being identified. The public sector also sees roughly 10 times as many espionage-motivated attacks as other industries.
- Lots of Vulnerable Devices and Software: Numerous studies show that public sector organizations have the highest number of security flaws in their applications, along with hundreds of unpatched, vulnerable and exposed devices (ICS devices, medical devices, network devices). Threat actors rarely need a zero-day: publicly known vulnerabilities in unpatched devices and applications are usually enough to gain a foothold.
How Can Public Sector Organizations Mitigate the Risk of Cyber Attacks?
Following best practices, public sector organizations can reduce the risk of cyberattacks and data breaches.
- Focus on Root Causes: Instead of focusing on things like espionage, APTs and ransomware (which are symptoms), organizations should spend time understanding the real reasons behind these incidents. For example, the top three methods threat actors use to gain access to organizations are phishing, stolen credentials, and exploiting vulnerabilities. Two of those three hinge on people, so the weak link is human error and the gaps around it are where effort should go.
- Double Down on Training: Well-trained staff are one of the strongest defenses in any organization. Cyberattacks can be caught early if organizations teach employees to be vigilant and to report anomalies or suspicious activity the minute they encounter it. Using in-person coaching, regular communications and phishing simulation exercises, organizations can cultivate security intuition amongst employees and support a culture of security. Along with awareness training, it’s also important to have clear-cut policies and processes in place, so that employees know how to respond when an incident occurs.
- Deploy Robust Security and Patching: In addition to training users to identify social engineering and phishing scams, organizations must deploy advanced security controls (endpoint detection and response, intrusion prevention systems, mobile device security, etc.) as defense in depth against the most common types of attacks. To mitigate the risk of social engineering and password theft, organizations should consider phishing-resistant multi-factor authentication (MFA) such as FIDO2/WebAuthn security keys, which bind each login to the legitimate site’s origin so that a password or one-time code relayed through a phishing page is useless. It’s also recommended that organizations patch software, firmware and operating systems regularly and secure remote access tools. Organizations that develop their own applications should use secure software development practices to bake security into products from the ground up.
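Why the recommendation above says “phishing-resistant” specifically, as an added example that is not part of the original article: the script below models an adversary-in-the-middle phishing proxy that relays everything between the victim and the real login service. A relayed TOTP code is accepted, because nothing in the code records where the user typed it; a WebAuthn-style assertion is rejected, because the browser writes the page’s real origin into the signed client data and the proxy cannot re-sign it. The relying party, authenticator and origins are hypothetical, and HMAC stands in for the public-key signature a real FIDO2 authenticator produces (an assumption made to keep the example dependency-free; the property shown is what gets signed, not the signature algorithm).

```python
"""Constructed example: a relayed TOTP code passes an adversary-in-the-middle
(AitM) phishing proxy, while an origin-bound WebAuthn-style assertion fails.

The relying party (RP), authenticator and origins are hypothetical. HMAC stands
in for the public-key signature of a real FIDO2 authenticator (assumption).
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import struct

# --- One-time passcodes (RFC 6238 TOTP over RFC 4226 HOTP, HMAC-SHA1) ---

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code valid at Unix time `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpRelyingParty:
    """Accepts any correct code for the current time window. The code carries
    no information about where it was typed, so a proxy can forward it as-is."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))


# --- Origin-bound assertions (simplified WebAuthn model) ---

LEGIT_ORIGIN = "https://login.example.gov"        # hypothetical real site
PHISH_ORIGIN = "https://login.example-gov.net"    # hypothetical lookalike


class Authenticator:
    """Signs clientDataJSON. In a real browser the `origin` field is filled in
    by the browser from the page actually being visited; neither the user nor
    the phishing page gets to choose it."""
    def __init__(self, key: bytes):
        self.key = key

    def get_assertion(self, challenge: str, origin: str) -> tuple[bytes, bytes]:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        sig = hmac.new(self.key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return client_data, sig


class WebAuthnRelyingParty:
    """Checks type, origin and challenge before the signature, in the order the
    WebAuthn assertion-verification procedure prescribes."""
    def __init__(self, key: bytes, origin: str):
        self.key = key
        self.origin = origin
        self.pending: set[str] = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False                         # signed for the wrong site
        if data.get("challenge") not in self.pending:
            return False                         # replayed or unsolicited
        self.pending.discard(data["challenge"])  # challenges are single use
        expected = hmac.new(self.key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


# --- Scenarios: the proxy relays every message between victim and real RP ---

def otp_relay_attack(now: int = 1_700_000_000) -> bool:
    """Victim types password + TOTP into the phishing page; proxy forwards both.
    Returns True when the real RP accepts the relayed code (attack succeeds)."""
    secret = secrets.token_bytes(20)
    rp = OtpRelyingParty(secret)
    code_typed_on_phish_page = totp(secret, now)  # victim read it from their app
    return rp.verify(code_typed_on_phish_page, now)


def webauthn_relay_attack() -> bool:
    """Proxy fetches a genuine challenge and forwards it to the victim's browser.
    Returns True only if the real RP accepts the relayed assertion."""
    key = secrets.token_bytes(32)
    rp = WebAuthnRelyingParty(key, LEGIT_ORIGIN)
    challenge = rp.new_challenge()
    # The victim is on the phishing page, so the browser records PHISH_ORIGIN.
    client_data, sig = Authenticator(key).get_assertion(challenge, PHISH_ORIGIN)
    if rp.verify(client_data, sig):
        return True
    # Proxy rewrites the origin to look legitimate; the signature no longer matches.
    patched = client_data.replace(PHISH_ORIGIN.encode(), LEGIT_ORIGIN.encode())
    return rp.verify(patched, sig)


def webauthn_legitimate_login() -> bool:
    """Same flow with the victim on the real site; the RP accepts."""
    key = secrets.token_bytes(32)
    rp = WebAuthnRelyingParty(key, LEGIT_ORIGIN)
    challenge = rp.new_challenge()
    client_data, sig = Authenticator(key).get_assertion(challenge, LEGIT_ORIGIN)
    return rp.verify(client_data, sig)
```

Run `otp_relay_attack()`, `webauthn_relay_attack()` and `webauthn_legitimate_login()` in turn: the first returns True and the second False, which is the whole difference between “MFA” and “phishing-resistant MFA”. The TOTP routine reproduces the RFC 6238 test vector (secret `12345678901234567890`, time 59, eight digits gives `94287082`), so the OTP side is a faithful implementation rather than a stub; the security-relevant decision is in `WebAuthnRelyingParty.verify`, which refuses the assertion on origin alone before it ever checks a signature.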
The FBI and CISA have issued repeated warnings about ransomware actors and APTs that are increasingly targeting the public sector and critical infrastructure. Public organizations must take these warnings seriously and implement end-user training and other security best practices to stand a fighting chance against these insidious and disruptive threats.