Proofpoint - Cybersecurity Budget.png

That's why there's Proofpoint.


Today’s state and local governments employ and serve millions of people and are tasked with numerous competing goals in supporting and building new systems for their constituents. At the heart of most of these systems is your infrastructure and data of those employees and citizens. Protecting that asset is becoming more important and challenging every day.

For years, government agencies have been investing their limited funds in cybersecurity and are still seeing attacks increase. Why is this happening? The main reason is that while defenders don’t focus on people, attackers do. According to a Verizon report,1 cities and counties are spending 90% of their cybersecurity budget on protecting the IT systems and network. Unfortunately, that is not where the current attacks are targeting. The hackers are not only getting smarter, they are using the largest and weakest link as an attack vector in your organization against you—your people.

With attackers increasingly targeting people, as a state and local government CISO and security leaders, you need to understand and gain visibility into your greatest risk—your people. You also need to get an understanding of the data they have access to and the behaviors that indicate they might fall for a modern, socially engineered attack. This involves protecting people from targeted, very sophisticated attacks or high-volume of attacks. It also entails educating users about attack vectors and tactics and enabling them to protect themselves and your organization. Finally, you need to protect the data people create and access from security and compliance risk standpoint.

Dynamic Threat Landscape

The volume and sophistication of today’s cyberattacks on state and local governments are at an all-time high. Municipal governments accounted for 16 percent of the worldwide total attacks, not including the attacks that may not have been reported.1

Ransomware remains the predominant threat for state and local governments: over 60% of total security incidents are ransomware-related. Phishing and stolen credentials are the leading causes of data breaches, with 60% of all breaches caused by these tactics and techniques.2

Why are the attackers targeting state and local governments at such a high rate? Financial gain is the primary motive, with 75% of attacks launched with the intent to benefit financially. Cyber espionage is the motive for about 20% of the attacks.3

Governments collect a staggering amount of personally identifiable information (PII)—Social Security, Driver’s License, Credit Card numbers, Date of Birth information—on an ongoing basis. This rich PII data is extremely valuable to criminals, with a current price of $75 per record.

Another key item of value is the critical infrastructure that runs todays states, cities and counties. Given the interconnected nature of these systems, they can sometimes be difficult to secure. Criminals are also aware of the public scrutiny that these attacks bring to a government. As a result, they know that these government entities will be more likely to pay a ransom to keep their names out of the news.

To complicate an already challenging threat environment, governments are seeing an increased number of people retiring from senior security positions, along with smaller cybersecurity budgets. Over 48% of governments do not have a budget line item for cyber security.4 Even if you are fortunate enough to have a cybersecurity budget, staffing these positions is becoming significantly more difficult. And the legacy systems that security teams must support makes hiring even more challenging.

Sophisticated Threat Actors

It is important to look at the changing world of cyber crime in terms of who is perpetrating these crimes and their motivations for doing so. The cyber crime landscape can be broken down into four types of threat actors:

  • Cyber criminals
  • State-sponsored actors
  • Hacktivists
  • Insider threats

Cyber crimes can be orchestrated by a few individuals or large, profit-motivated criminal organizations.

State-sponsored actors are nations that use government resources to achieve their national security or economic interests. Their motivation is everything from blackmail to using stolen intellectual property for their national economic gain.

Hacktivists are motivated by social, political or religious ideology. They launch attacks to achieve their notion of social justice. They are typically not stealing data for money but rather exposing that data to cause harm to its owners.

Insider threats come from within an organization. They involve employees that fall into one of these categories: malicious, negligent or accidental. Malicious actors usually pursue monetary gain or revenge. In public administration agencies, roughly 40% of attacks are propagated by insiders.

Getting in the Door

The most widespread way that cyber criminals enter government networks is through phishing emails and stolen login credentials. They are aware that most locations have strong security at the network level, so they have migrated their attacks to a weaker link in the system—people. Once inside the network, attackers can be lurking there for weeks to months at a time, probing and researching your systems for weaknesses or data to encrypt or steal. This amount of time is significantly longer in the public sector than almost all other industries—an average of 231 days. Even more startling is the average amount of time required to contain the attack—93 days.5 The public relations and financial damage can last for years on a government way past the time the breech was detected and removed.

The good news is that state and local governments can significantly improve their security posture by adopting a people-centric security strategy.

People-Centric Security

People-centric security extends beyond deploying technology to detect and block threats. It involves understanding who in your organization is being targeted the most and then deploying adaptive security controls to protect them and your organization. It also entails engaging your people and arming them against real-world cyber attacks. Finally, it involves protecting your people’s cloud credentials and the vital data stored in cloud applications.

Protecting your people against targeted attacks and email fraud

Email fraud involves two types of threats. One is business email compromise (BEC), where an attacker pretends to be you. The other one is email account compromise (EAC), where an attacker becomes you. BEC and EAC are so intertwined that the FBI has been tracking these scams as a single crime type. What they have in common is that they target people. They both rely on social engineering and are designed to solicit fraudulent wire transfers or payments or to steal information

Recent headlines show that if email fraud scams are being used on a regular basis to target the public sector—and the consequences are costly.

The average cost of a breach is approximately $2.3 million.

North Carolina County: $2.5 million paid in a BEC/EAC scam6

Town of Erie, Colorado: $1 million in BEC scam

Ocala City, Florida: $742,000

There is no “silver bullet” that will protect you from BEC/EAC attacks. The best way to protect your government from these issues is through a comprehensive approach to security.

Securing against BEC requires an advanced email security gateway with Targeted Attack Protection (TAP), as well as deploying email authentication to protect you from identity deception-based attacks. To protect from EAC attacks, you need to safeguard your cloud applications and your people from credential theft.

Once you have these in place, you will need to have visibility into the Very Attacked People (VAPs) in your organization—people who are being heavily targeted. If you know who your VAPs are, you can deploy adaptive security controls—such as stepped up authentication, browser isolation and other methods—to better protect your VAPs and your entire organization.

Enlisting your people in the fight against real-world cyberattacks

Educating your employees about security and real-world identity deception tactics used by threat actors is a critical piece of the of people-centric security strategy. That way, they can become a strong last line of defense against phishing and other cyber attacks.

An effective security awareness plan encompasses identifying your highest risk users, training them and changing their behavior and reducing your exposure. Start by identifying who is being attacked and evaluate their ability to protect themselves. This can be done through simulated phishing attacks or other methods to assess their ability to recognize attacks and take the appropriate measures. Once you’ve identified your VAPs and understand how they respond to attacks, you can change their behavior if needed.

You can change behavior through training modules that focus on specific areas of improvement for the user using actual threat data and behavior tracking. This focused training can increase your users’ knowledge so they can identify threats before they attack your network. To reduce your overall exposure, you need to enable users to be able to report suspected threats so that you can reduce your overall attack surface.

Protecting your employees’ cloud credentials and data stored in cloud apps

The key pillars to protecting your cloud applications from a people-centric model are threat protection, data security, cloud governance and access control.

Threat protection includes both malware and compromised account detection. Compromised accounts have become a major threat to today’s government and not can only lead to significant issues in security, but also can take a significant amount of staff time to remediate. If an attacker successfully compromises a cloud account, there are a number of things they have access to and can do. For example, they can upload malware to cloud file shares or send BECs internally as well as externally. Data security encompasses both visibility and data loss protection (DLP) across all channels: email, cloud and endpoints.

Cloud governance involves the ability see “Shadow IT,” as well as apply protections to third-party applications like Microsoft Office 365 and Google G Suite.

Access control allows for adaptive controls and risk-based authentication. This enables you to apply more granular control to your users that may have access to sensitive data or applications.


Proofpoint is dedicated to improving the security of state and local governments by taking a people-centric security approach. We have a dedicated team of experts to support your unique needs and help you to be more secure.

Proofpoint systems handle a significant amount of the world’s email every day. We see billions of emails flowing through most the largest internet security providers (ISPs) and domain registrars. With this unique perspective, Proofpoint Threat Researchers, quarter by quarter, consistently confirm that over 99% of cyber attacks are human activated, which means they need a human being to activate the attack by opening a file, clicking a link or being tricked into taking some other type of action.

People have become the weakest link in the cybersecurity chain. The trend also undeniably points to the stark reality that people are attacking people. Unlike past years, today’s threat landscape is showing fewer high-volume, fully automated attack campaigns, like the Nigerian letter scam or bots and Trojans.

In other words, attackers are not just botnets sending massive spray-and-prey campaigns at scale or using ransomware to automatically encrypt data in order to hold it hostage. Modern threat campaigns are lower volume, highly targeted and focused on humans. Proofpoint’s people-centric security strategy is best positioned to protect you against these next-generation threats.

Written by Andrew Wright, National SLED practice director for Proofpoint

For more information on Proofpoint, reach out to our sales team at [email protected]