Like any other organization, those in the public sector must protect themselves from all manner of cyberattacks. And protection begins with an understanding of the vectors these attacks employ.
According to one law firm operating a data privacy and cybersecurity practice large enough that it conducts research on its own cases, 37% of recent cybersecurity incidents were triggered via malware-laden phishing (and, by the way, 30% of those events resulted in a takeover of a Microsoft Office 365 account), while network intrusion caused another 30% of incidents.
These findings are supported by other research, too:
The public sector: a favorite target
What’s more, public sector organizations have become a favorite target of bad actors.
In 2019, too many of these incidents involved ransomware — so much so that last month the Department of Homeland Security once again issued an alert. At the end of last August, more than 70 cities and towns had suffered ransomware attacks, including 22 Texas communities hit with a coordinated ransomware attack.
Four incident response steps you can take
Here’s what you can do to help prevent and cope with cybersecurity incidents in general and ransomware attacks in particular:
- Protect your IT infrastructure, data, and endpoints with automated, real-time monitoring (e.g., security information and event management [SIEM] and intrusion detection systems) as well as firewalls, spam/malware/phishing detection, data backup following the 3-2-1 rule (three copies of your files on two different types of media with at least one off-site), automated patch management, multi-factor credentialing, and so on.
- Consider deploying a defensive network that forgoes comparatively flat network designs for segmented networks with subnetworks and VLANs within the environment that enable you to quarantine and isolate zones.
- Formalize an actionable incident response plan so you don’t waste valuable time determining what actions to take and then seeking authorization to perform them. This plan should be tested regularly and updated often. It should also include a collection of incident response playbooks tailored to particular types of attacks — malware, network intrusion, ransomware, etc.
- Create a ransomware incident response playbook that will steer what you do — with steps that include preparation, detection/identification, analysis, containment, eradication, remediation, recovery, and lessons learned. This playbook should also appoint an IT leader with automatic authority to immediately undertake remediating actions (such as quarantining/disabling affected assets) and to communicate with appropriate stakeholders concerning action timelines and anticipated impacts.
If you don’t want to try all this alone (and who does?), an experienced cybersecurity consultant — especially one with a trusted Security Operations Center — can help you.