by Margaret Hallbach, VP of Public Sector Sales at Verizon Business Markets
When you think cyberattack, do you picture a criminal mastermind launching a carefully planned attack on the White House? Can you hear the dramatic music and feel the tension building as the good guys find themselves with only seconds to spare before the country descends into unmitigated chaos?
It’s a successful Hollywood formula. But the reality is much scarier because it’s not just central government and big businesses that are the intended victims of cybercrime — everyone is at risk. You expect that police security camera overlooking your apartment complex to be operational. But is it? What if it had been infected with malware weeks earlier and was “offline for maintenance” during an assault?
Cybercriminals are often motivated by financial gain, but you could fall foul of hacktivism and cyber-espionage. Cities and municipalities have become targets because of limited resources, insufficient expertise, and unknown vulnerabilities.
Attacks that are simply launched for fun can have a devastating impact as well. What happens if your emergency response systems are overwhelmed by a telephony denial of service attack swamping your inbound call takers at your public safety answering centers?
Manage the risk of more tech
Cities are constantly competing against each other. Do people feel safe? Are the schools good? Are companies thriving and providing jobs? To improve constituent experiences and quality of service, while driving cost efficiencies, local governments are leveraging technology. Many cities are now looking to the Internet of Things (IoT) for smart street lighting to reduce energy consumption, and for intelligent traffic systems that cut congestion — there are even systems that detect potholes. The potential benefits are huge.
But as local government becomes more reliant on digital technologies, the consequences of cyberattacks grow. You’re holding more personal data. Your critical systems depend on technology. That means security can’t be an afterthought. When you’re developing new systems, you need to think security first. Imagine your facilities organization is refurbishing a municipal building with a new HVAC system. The automated detectors for sensing employees in the building allow the system to be remotely controlled, managing energy consumption and cutting operating expense. But it could also provide a new entry point for a cybercriminal.
Understanding the threats
Many municipalities and cities are budget constrained. New sources of funding are hard to find and these funding sources are difficult to maintain. IT professionals are aware of the threats, but they don’t have the support from City Councils to earmark dollars. Cybersecurity funding should be no different than traditional public safety.
The 2017 Data Breach Investigations Report (DBIR) draws on the analysis of over 40,000 security incidents and almost 2,000 confirmed data breaches to bring you an unparalleled source of information on cybercrime. The nine attack patterns we first identified in 2014 still cover almost 90% of data breaches. Understanding them can help you gain insight on where and how to invest your limited resources. We are all trying to stay ahead of the bad guys. Ask for advice and guidance – from a colleague, from another city, from a partner, from the industry. And most importantly, take action. Don’t regret the decision that you did nothing.
Think your business is too small to be a target of hackers? Think again.
43% of all cyberattacks are targeted at small businesses*. You could be the victim of cybercriminals targeting your customer and employee data, which they can sell or use for identity theft. You might find yourself locked out of your systems and facing a ransom demand to get back in. You might be a stop on the route to a bigger target, or you might simply be the victim of some kid having some fun by defacing your website.
The bad news is it’s likely you’re an easier target than the large enterprises that have spent millions on cybersecurity. Most cyberattacks are opportunistic—cybercriminals spot a vulnerability they can exploit. If everyone else has stronger defenses, you could be next on the hit list.
What can you do? As a small company, you probably don’t have the expertise to handle cybersecurity in-house, so you’re most likely going to look for external help. But you can’t just offload the problem and then forget about it. Protecting your company isn’t just a job for IT security experts. Many data breaches are the result of human error on the part of employees. And if you are the victim of a cyberattack, handling the aftermath could involve employees across your business.
If you want to improve your chances of staying secure—and recovering fast if you’ve been compromised—it’s vital that you understand the threats you face without having to wade through a dry report full of technical jargon.
Learn from real-life investigations
The Verizon Data Breach Digest makes cybersecurity more approachable by telling the stories of investigations from actual cyberattack incidents. Each of the scenarios in our 2017 report is told from the perspective of key leaders from across the business, which means they can help you understand the critical decisions you’ll need to make if your business suffers a breach.
Read about the regional water supplier defrauded by a trusted partner. Discover what happened when janitors accepted money to plug infected USBs into a company’s systems. Find out how we helped a software-as-a-service company recover from a distributed denial of service (DDoS) attack. We walk you through each case, from initial incident detection and validation, through response and investigation, to resolution and lessons learned.
Each scenario includes an at-a-glance summary in the form of Attack-Defend cards. These explain: typical amount of time for threat discovery and containment; who you’re up against and their motivation; the industries most at risk; key stakeholders in the breach response; and the countermeasures you can take.
The Data Breach Digest isn’t just for IT security experts. It’s written in plain English to make it easy to understand. We hope you enjoy reading the latest edition and, in doing so, learn some key lessons on how you can protect your company’s assets and reputation.
*Internet Security Threat Report, Symantec, April 2016