By Aviv Grafi, CEO of Votiro

Perennially strapped for cash, understaffed and underfunded, local and even state government offices in the United States are sitting ducks for cyber-attacks. While not necessarily the first targets we think of when considering where hackers will strike next, government offices offer plenty of opportunity for profit – and provide a surprisingly large and easy-to-reach target.

How so? Simple. The vast majority of malware attacks are delivered via email, in links or attachments. Offices such as the tax department, the motor vehicle bureau, the Board of Education, and many more get thousands of email messages a day. Any – or even many – of these could be laced with attachments that include viruses and malware that will let an intruder take control of a system.

The state of cybersecurity at many local and state government offices isn’t that great to begin with. A study by the Washington, DC-based International City/County Management Association (ICMA) on cybersecurity asked local governments and agencies how frequently their information systems are subject to attacks, incidents, and breaches. Twenty-six percent said they were victims of attempted attacks once or more per hour, and 18% said at least once per hour – while 27.6% said they had no idea.

The reports on the breaches did not generally provide details on how they were accomplished, but it’s not hard to guess how. As many as 95% of security breaches have their origins in phishing attacks, which feature sophisticated messages designed to practically force the recipient to open up an attached document that could be carrying malware.

Because of a lack of resources, agencies aren’t necessarily checking everything that comes through for malware – and in some cases, even if they do have sufficient resources and trained personnel, the malware cannot easily be found by standard security systems.

While top-level hacks get the headlines, both in the public and private sector, there are plenty of cyber-attacks on state and local government offices as well, even if they don’t make the national news. There have been numerous cases of hackers playing havoc with local administration computers and networks; cities like Atlanta, Denver, Allentown PA, and various state agencies in Connecticut, among many others, have been victims.

And because of their economic and personnel straits, many local and state government agencies do not have the resources – trained personnel, software, etc. – to adequately examine the flood of files that enter their systems. According to top experts who studied cybersecurity issues in local government, “data from our more recent survey strongly suggest that at least some, and perhaps even a large fraction of local governments may be unable to respond to electronic intrusions,” citing financial, personnel, and resource issues.

And hackers have a great advantage when it comes to hacking local and state government offices. In general, hackers use social engineering to get victims to open email messages. For example, a message purportedly from a worker’s manager with a stern title (“open now, urgent, top priority!”), sent from a spoofed account, would be more than enough to get an employee to read the message and open any “urgent” attachment inside – thus unleashing the malware hidden in it.

But in this case, hackers don’t even need to bother with social engineering. Messages sent to the state licensing bureau or requests for permits from local city councils usually include a form – a PDF, Word, Excel, or other file – that the sender uses to make the formal request. In other words, the messages these agencies receive are supposed to have attachments – and who’s to say that hackers won’t use these run-of-the-mill requests to spread malware, ransomware, or other agents of destruction?

Attachments are difficult to examine – malware, such as JavaScript code or a macro, is often hidden deep inside an attachment – and the lack of resources at agencies to inspect each and every one that comes in, combined with the inability of standard anti-virus systems to examine what is going on inside the depths of attachments, means that these agencies are basically sitting ducks. Sandboxes, which are often used to keep attachments away from systems altogether, would likewise be useless here, as those attachments are exactly what the agency needs to operate.

The only way for these organizations to protect themselves is to utilize a cybersecurity system that can do a “deep dive” on attachments, examining them for hidden malware. The system can remove the threatening component of an attachment if one is identified. Once it’s been cleaned up, the system releases it for processing, restoring it to its original state, sans the bad code.
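The examine, remove, and rebuild flow described above, sketched for one case: stripping the macro part from an Office Open XML attachment and writing a fresh archive. This is an added example, not code from the article or from any vendor's product; the function names and the sample package are constructed for illustration, and it assumes regex editing of the package XML is acceptable for a sketch (a production tool would parse the XML, also reset the macro-enabled main content type, and handle PDFs and legacy formats).

```python
import io
import re
import zipfile

# Part names that carry active content in OOXML (Word/Excel/PowerPoint) packages.
ACTIVE = re.compile(r"vbaProject\.bin|vbaData\.xml|/activeX/|/embeddings/", re.I)

def active_parts(data: bytes) -> list[str]:
    """Return archive members holding macros, ActiveX controls or embedded objects."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(n for n in z.namelist() if ACTIVE.search("/" + n))

def rebuild(data: bytes) -> bytes:
    """Copy benign parts into a fresh archive; drop active parts and the
    content-type / relationship entries that reference them."""
    drop = set(active_parts(data))
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in drop:
                continue
            body = src.read(name)
            if name == "[Content_Types].xml" or name.endswith(".rels"):
                text = body.decode("utf-8")
                for part in drop:
                    leaf = re.escape(part.rsplit("/", 1)[-1])
                    text = re.sub(rf"<(?:Override|Relationship)\b[^>]*{leaf}[^>]*/>", "", text)
                body = text.encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue()

def sample_docm() -> bytes:
    """Constructed sample: a skeletal macro-enabled package, not a real document."""
    parts = {
        "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" ContentType="x"/>'
                               '<Override PartName="/word/vbaProject.bin" ContentType="y"/></Types>',
        "word/document.xml": "<document>permit request form</document>",
        "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId1" Type="vba" '
                                        'Target="vbaProject.bin"/></Relationships>',
        "word/vbaProject.bin": b"constructed placeholder for a VBA project stream",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    dirty = sample_docm()
    print("before:", active_parts(dirty), "after:", active_parts(rebuild(dirty)))
```

The form content in `word/document.xml` survives the rebuild unchanged, which is the property that lets an agency keep accepting attachments while discarding the executable part.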

For agencies required to work with attachments, this is an ideal solution. Many of the cyber-defense systems in place are designed to keep attachments out. That won’t work for agencies that utilize attachments to do their work. Examining, dissecting, and rebuilding attachments after they are cleaned up is the only way for these agencies to rest assured that their networks and servers remain safe. Public agencies know they need to be very careful in their spending, and they need to ensure they are getting the most for their money. Whatever other cybersecurity systems they have in place, a system like this is a must for these organizations.

About the Author

Aviv Grafi is the CEO and Co-founder of Votiro. Aviv helped build Votiro from a two-man startup into the global company it is today. Aviv has accumulated over 10 years of experience in the fields of telecommunications, embedded technologies, and information security. Prior to co-founding Votiro, Aviv served in an elite intelligence unit of the IDF, nurturing his passion for finding simple solutions to complex security issues.