Over the past several years, municipalities, universities, schools, and hospital institutions – or the MUSH sector for short – have become an attractive hunting ground for cybercriminals. Comprised of entities that receive government funding but are not controlled by government, the MUSH sector also includes important civic institutions like police forces, long-term care homes, and school boards. So what do all these entities have in common that makes them high-value targets?
You guessed it – data.
First, each one of these institutions holds a treasure trove of personal data and records of citizen activity for countless users. Second, unlike for-profit businesses, these institutions (particularly in smaller towns or remote regions) regularly face greater financial, technological and talent constraints for cybersecurity. As David Masson, Canada’s former senior manager for Public Safety Canada, explained in a recent ITWorld Canada article, “until municipalities can develop and maintain strong preventive measures – on a budget, no less – the number of reported security incidents is bound to increase.” And now, after a successful streak of payouts being made for ransomware attacks in the MUSH sector – including publicly known ones by Canadian cities such as Stratford, Midland, and Wasaga Beach, as well as the University of Calgary – criminals have become more emboldened to continue in their efforts.
While the majority of attacks gain entry through phishing emails due to their widespread proliferation, ransomware cyberattacks are constantly evolving in sophistication. There are numerous other, less well-recognized ways to infiltrate a network, including vulnerabilities around SSL certificate management.
Here are a few key principles local and MUSH sector institutions can adopt to minimize risk:
Automate with High Visibility
One attack vector used to compromise a network is an expired digital certificate. Digital certificates exist to ensure end-to-end encrypted connections. As a built-in security measure, SSL certificates have a finite lifespan, lasting no longer than 27 months. If the certificate is not renewed before it expires, the network will become vulnerable to intrusion. How vulnerable? In the case of Equifax in 2017, the data of over 140 million people was exposed.
Manually managing one or even a handful of certificates is feasible, and something many teams can handle in house. However, when an organization has numerous certificates – as many cities, universities and even hospitals often do across their different departments and services – the picture changes. Professional help from an expert team like Webnames Corporate, or automation tools such as a certificate manager, can reduce both the time spent managing certificate lifecycles and the susceptibility to error.
Think your team could benefit from an SSL certificate security review and strategy consultation? Contact Corporate Webnames to schedule a consultation.
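To make the visibility half of this principle concrete, here is an added example (not Webnames' code or any certificate manager's API) that turns a certificate inventory into a most-urgent-first renewal list. The hostnames, dates and the 30-day warning window are assumptions made for the illustration.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumed renewal window; tune to your CA's turnaround

def fetch_not_after(host, port=443, timeout=5.0):
    """Return the leaf certificate's notAfter string, or None when the
    certificate fails verification (an already expired one does)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError:
        return None

def days_left(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def triage(inventory, now=None, warn_days=WARN_DAYS):
    """Turn (name, notAfter-or-None) pairs into an action list, most urgent
    first. None means the certificate could not be verified at all."""
    rows = []
    for name, not_after in inventory:
        if not_after is None:
            rows.append((name, None, "INVALID"))
            continue
        left = days_left(not_after, now)
        status = "EXPIRED" if left < 0 else "RENEW" if left <= warn_days else "OK"
        rows.append((name, left, status))
    order = {"INVALID": 0, "EXPIRED": 1, "RENEW": 2, "OK": 3}
    return sorted(rows, key=lambda r: (order[r[2]], r[1] if r[1] is not None else 0))

# Constructed sample inventory (hypothetical hostnames, made-up dates).
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2020 GMT")
SAMPLE = [
    ("payments.city.example", "Jun 20 12:00:00 2020 GMT"),
    ("library.city.example", "Mar  3 12:00:00 2021 GMT"),
    ("legacy-vpn.city.example", "May 15 12:00:00 2020 GMT"),
    ("intranet.city.example", None),
]

if __name__ == "__main__":
    for name, left, status in triage(SAMPLE, now=SAMPLE_NOW):
        print(f"{status:8} {name:26} {'' if left is None else left}")
```

For a live inventory, build the list with `fetch_not_after(host)` for each hostname and run `triage` on a schedule so the report reaches whoever owns renewals.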
Have Easily Verifiable Identities
Impersonation has long been a tactic used to get past the gatekeepers. Unfortunately, the faceless nature of online interactions presents extra challenges for authenticating the identities of email senders and/or website owners, especially for the untrained eye. A common phishing email tactic is for a fraudster to impersonate someone from an organization and make a request as a “colleague” through email. If the unsuspecting colleague does not verify the sender’s identity, they could be duped into providing compromising data or even wiring funds to the fraudster.
Thankfully, through digital certificates and their authentication processes, the identities of people and businesses can be made transparent, allowing for simple identity verification. Business SSL certificates, such as Organizational Validation (OV) and Extended Validation (EV), allow site visitors to easily verify a company’s details. For emails, S/MIME certificates allow email readers to verify the identities of the senders through special visual cues.
Learn More: SSL Validation Levels Explained: Everything you need to know to make an informed purchase decision
OV (Organization Validation) SSL is the preferred validation option of entities, governments and corporations that want to provide an extra layer of confidence to their visitors. Talk to our SSL experts about upgrading to OV SSL, or to learn more about how S/MIME email certificates increase the security of email communications.
Store Data Back-ups Offsite
Data-disrupting events can have dire consequences for an organization. While cyberattacks are a definite threat to organizations, data stored online can also be disrupted by user error or a hardware malfunction. Regardless of how a data disaster occurs, your organization’s data should be backed up outside of your main servers. Additionally, there should be frequent back-ups going back at least 120 days, as most initial malware intrusions may have taken place many weeks or months prior to the discovery of their presence.
Certain back-up systems even offer data scanning solutions to notify the admin anytime source code is changed, allowing for immediate remediation if needed. In the event of a data disaster, a well-maintained back-up solution can bring the organization back online in a relatively short time frame.
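The reasoning behind the 120-day figure can be checked against a backup catalogue. This added example (not from the original article or any backup product) audits how far back restore points reach and finds the newest copy that predates an intrusion; the daily-backup threshold, the dates and the 75-day intrusion estimate are assumptions.

```python
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 120         # figure given in the article
MAX_GAP = timedelta(days=1)  # assumption: "frequent" means at least daily

def audit_catalogue(backups, now):
    """Return (covered_days, gaps): how far back restore points reach, and
    stretches of the retention window longer than MAX_GAP with no backup."""
    window_start = now - timedelta(days=RETENTION_DAYS)
    points = sorted(b for b in backups if b <= now)
    covered = (now - points[0]).days if points else 0
    gaps, prev = [], window_start
    for p in [p for p in points if p >= window_start] + [now]:
        if p - prev > MAX_GAP:
            gaps.append((prev, p))
        prev = p
    return covered, gaps

def last_clean_restore_point(backups, intrusion_time):
    """Newest backup taken before the estimated initial intrusion, or None
    when every retained copy may already include the attacker's foothold."""
    clean = [b for b in backups if b < intrusion_time]
    return max(clean) if clean else None

# Constructed sample catalogues (hypothetical dates, one backup per day).
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)

def ago(days):
    return NOW - timedelta(days=days)

SHORT = [ago(d) for d in range(1, 61)]                       # 60-day retention
LONG = [ago(d) for d in range(1, 131) if d not in (40, 41)]  # 130 days, 2 missed
INTRUSION = ago(75)  # assumed: forensics dates initial access 75 days back

if __name__ == "__main__":
    for name, cat in (("short", SHORT), ("long", LONG)):
        covered, gaps = audit_catalogue(cat, NOW)
        print(name, covered, "days covered;", len(gaps), "gap(s);",
              "clean copy:", last_clean_restore_point(cat, INTRUSION))
```

With 60 days of retention and an intrusion 75 days old, no clean restore point exists; the longer catalogue still has one from the day before the intrusion.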
Contact Webnames Corporate for recommendations about automated data backup services for your municipality or organization.
Through proactive measures, cyberattacks on local and public institutions can be prevented and, if they do occur, their impact minimized and systems restored quickly. With ransomware attacks increasing in sophistication, MUSH sector organizations need to be playing non-stop offence. This means keeping tabs on emerging threats, nurturing threat awareness in their employees, practicing good digital hygiene organization-wide, and of course, setting up the right security measures and maintaining them vigilantly.
Be sure to also check Webnames’ Cybersecurity Resources page for more tools and resources that MUSH sector organizations can leverage to educate their teams and fortify their defenses against cyber threats.