The COVID-19 pandemic prompted a migration of the American workforce – a migration to the home office. Like many organizations at the time, local governments moved quickly to mobilize a remote workforce.
In this rush, they may have opened themselves to security vulnerabilities. In 2020, 79 ransomware attacks were carried out against U.S. government agencies, costing $18.9 billion in downtime and recovery costs. That same year, nearly half of all global ransomware attacks were aimed against municipalities.
As virtual work became the new normal, entire industries across private and public sectors were vexed by a troubling question: how to mitigate cybersecurity risk with so much of the workforce dialing in from home?
For government agencies looking to shore up their cybersecurity for remote work, these five steps will help to reduce risk and keep their employees, devices and systems safe:
1. Build a Remote Work Policy
When in-office work vaporized practically overnight, government agencies found themselves developing remote work policies after employees had already started working from home. This cart-before-the-horse approach may have been unavoidable during this unprecedented health emergency. However, it resulted in policies that addressed the workaround aspect of new arrangements already in place rather than with a security-first mindset.
To harden their virtual tools and applications, governments should prioritize building remote work policies with an eye toward evaluating current security capabilities and determining use cases. In addition to outlining specific security guidelines, a strong remote work policy will help identify the biggest risks, what each employee needs to be productive and what solutions enable secure virtual work.
2. Train and Retrain Employees
Educating employees about potential risks is paramount to maintaining secure systems. In a recent survey of IT security professionals, 72% said employees believe they are adequately protected and/or are too small to be a target for attackers.
Unfortunately, a divide exists between perceived risk and actual risks – the FBI reports that local governments were the second most targeted group behind academia, and the top modes of attack were phishing emails and exploitation of vulnerabilities in hardware and software.
To close this divide, governments should implement user training programs that include how to recognize signs of malware or a phishing scam, examine links and attachments before opening and employ a strong password management strategy.
Ongoing training exercises will deepen employee understanding of risks and ensure appropriate responses to suspicious activity. Additionally, security guidelines outlined in the remote work policy should be shared and enforced across the organization so everyone is working from the same security-first mindset.
3. Back Up Data
One of the best ways to avoid data loss due to any catastrophic event – whether a cyberattack, natural disaster or server crash – is by creating a data backup plan. In fact, a robust backup plan, like the one adopted by Yuba County, California, is one of the easiest and most cost-effective precautions that local governments can take to mitigate the risks of a cybersecurity incident.
Good backup plans include keeping regular backups at secure locations offsite, encrypting backups and routinely testing backups for data and operational integrity. Cloud backups, like those provided by native cloud service providers, can help ensure continuity of service and minimize downtime in the event of a breach.
Want to learn how to store government records securely on the cloud?
4. Pick Your Team
IT leaders should develop access and chain of command protocols. This includes identifying and outlining roles of people who will be called to respond if a security breach occurs. This might include members of the management, compliance, legal and communications teams, as well as service providers, vendors and insurance companies. Additionally, access to confidential data and critical IT systems should be granted only to those employees who require it to fulfill their work duties.
5. Use the Right Tools
According to a report by Tenable, 74% of security leaders attribute their latest wave of breaches to vulnerabilities in technology implemented during the pandemic. One major risk posed by remote work is the use of insecure, public internet services or poorly set-up home Wi-Fi systems. To mitigate this risk, remote workers should be required to use only password-protected, private Wi-Fi networks and routers. Virtual private networks (VPN) and multi-factor authentication are recommended whenever employees remotely access municipal networks and systems.
Even if a connection is generally safe, cyberattackers still find vulnerable entry points into government infrastructure. A recent U.S. government threat report found that 99% of users of a particular mobile technology were exposed to hundreds of vulnerabilities due to out-of-date operating systems. Municipalities should routinely install security updates and require employees who have access to work systems to regularly update all personal devices and apps. Additionally, software that is no longer supported with updates and security patches should be disabled or deleted to prevent exploitation.
As the Great Resignation of 2021 revealed, the movement favoring flexible work arrangements is here to stay. Local governments responsible for providing public services must meet this moment by prioritizing remote-work security strategies.