
Malware is usually the root cause of cyberattacks. Internal controls and other preventive measures can help keep your organization secure.

Preventing Cybercrime

State and Local Governments: How to Mitigate the Risk of Data Breaches

  • 5/23/2016

The list of U.S. governmental agencies that have already been hacked includes the State Department, White House, FBI, Department of Homeland Security, Office of Personnel Management, and Postal Service. If these hackers, who range from sophisticated overseas cybercriminals to snarky teenagers in their parents’ basements, can breach the databases of sensitive federal organizations, then certainly your state or local government is at risk, too. If your organization is not taking preventive measures against cybercrime, you are tempting fate. 

Governments are attractive targets for cybercriminals for many reasons. They hold valuable data like personal identifying information, but they are also testing grounds for those with larger targets ultimately in mind. Some hackers are politically motivated, while others are attracted to a degree of notoriety and the shot of adrenaline that comes with breaching governmental sites and databases. Not only can phishing scams occur, but other areas are susceptible to attack, such as banking transactions. Whatever the area or motivation, the impact on your government can take its toll in cost, security, and reputation. 

There isn’t any single preventative solution to cyberattacks, but there is a collection of protections you can put in place to keep hackers at bay and safeguard private data. It’s important to first understand how hackers can enter your system and to identify which internal controls are your best defense against breaches. 

Malware: the root cause of cyberattacks 

Most hackers enter your system via phishing emails. You cannot smell a phisher from a mile away anymore; contemporary phishing scams are sophisticated and deceptive. Some phishers, for example, go so far as to create fake social media personae, complete with connections and networks that all look authentic and even prestigious. A phisher may stalk an individual in your state or local government to get a feel for his or her role and function, professional and personal interests, and other habits. With all this personal information at the hacker’s disposal, he can then use his online character to make a connection with your employee, possibly using a carefully crafted email that precisely appeals to that employee, who is then lured into clicking on a malicious link. Just like that, your network is his playground. 

A common scheme is the phone “call from a vendor working with IT” to help you update your computer for new software versions or patches. But even less artful phishing emails can compromise your security. Studies show again and again that despite years of education, people are still opening unsolicited emails from strange addresses, and clicking on attachments or links without first scrutinizing the message and the sender. 

Control, control, control 

Your government’s best defense against the root vulnerability of malware is to establish internal controls in all IT processes and user functions. The first step in determining what controls to implement is to perform a detailed risk assessment, including a brainstorming session that involves the leaders of the organization. 

Server, workstation, and user controls 

  • Include spam filters in all email processors that flag, alert, or block suspicious messages and attachments. 
  • Minimize user access rights and require passwords on all administrative functions (such as installing software and programs). 
  • Disable, rename, or password-protect all “guest” and “administrator” accounts. These usually come with default passwords that, if left unchanged, invite easy access.
  • Mandate complex passwords or passphrases (numbers, symbols, cases, minimum character length, etc.) and require changes every 90 days.
  • Ensure the servers and workstations are updated with the latest software. A validated patch management process is essential to keeping them current.
  • Educate employees about, and prohibit them from, emailing or sharing passwords, clicking on links in unsolicited emails, and allowing others to use their government-issued laptops.

Process controls 

  • Communicate with employees about wire transfer scams and call on them for heightened awareness.
  • Be on the lookout for “urgent” requests for payment or sudden changes in business processes, such as a vendor requesting payment outside of the normal protocols.
  • Ensure that online banking procedures, especially those over a certain dollar amount and/or those to foreign banks or suppliers, require vendor call-back protocols.
  • Engage a specialist to perform periodic vulnerability or penetration tests to determine if your system is susceptible to attacks and validate that controls are functioning as intended.
  • Train employees to be skeptical of a request for payment, and instruct them to ask another individual with your company’s finance team to verify its legitimacy.

Regular log reviews 

Reviewing security logs is a cumbersome task, but it is essential to the detection of a breach. These regular reviews should include the logs that track password changes, unauthorized log-in attempts, and unauthorized changes to live data files. If your organization allows remote access into the system, there should be a log that documents individual access and includes the date, time, and reason for access. Best practices include a review by IT personnel and comparison to the remote access log. React quickly to identified anomalies. What appears benign could be a very significant vulnerability. 
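
The comparison described above can be partly automated. The following is an added example, not part of the original article: it reconciles authentication events against the remote access log and flags remote log-ins with no documented entry, entries with no stated reason, and repeated failed log-in attempts. The log formats, field names, user names, and the failure threshold are assumptions, and the sample data is constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (not from the article). Assumed formats:
# auth events are "timestamp user source result"; the remote access
# register is "user,start,end,reason" (the date/time/reason log).
AUTH_LOG = """\
2016-05-02T08:05:11 jdoe vpn success
2016-05-02T22:41:03 jdoe vpn success
2016-05-03T02:13:40 asmith vpn failure
2016-05-03T02:13:52 asmith vpn failure
2016-05-03T02:14:05 asmith vpn failure
2016-05-03T02:14:30 asmith vpn success
2016-05-03T09:00:00 mlee console success
2016-05-04T10:15:00 mlee vpn success
"""
REGISTER = """\
jdoe,2016-05-02T08:00:00,2016-05-02T12:00:00,Month-end close from home office
mlee,2016-05-04T10:00:00,2016-05-04T11:00:00,
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def review(auth_log=AUTH_LOG, register=REGISTER, max_failures=3):
    """Return sorted (kind, user, detail) findings for the reviewer."""
    windows, findings = [], []
    for line in register.splitlines():
        user, start, end, reason = line.split(",", 3)
        windows.append((user, parse_ts(start), parse_ts(end)))
        if not reason.strip():
            findings.append(("missing_reason", user, start))
    failures = Counter()
    for line in auth_log.splitlines():
        ts, user, source, result = line.split()
        if result == "failure":
            failures[user] += 1
        elif source == "vpn" and not any(
            u == user and s <= parse_ts(ts) <= e for u, s, e in windows
        ):
            # Remote log-in with no documented entry covering that time.
            findings.append(("undocumented_remote", user, ts))
    for user, count in failures.items():
        if count >= max_failures:
            findings.append(("repeated_failures", user, str(count)))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review():
        print(*finding)
```

Each finding is a prompt for follow-up by IT personnel rather than proof of a breach; a late-night log-in outside a documented window may simply be an employee who forgot to record the session.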

Cybercrime insurance 

Insurance is not a control or preventative measure, of course, but it may help mitigate monetary losses from a cybercrime. (Reputation is another issue.) The extra coverage comes at a cost, and claims won’t be honored if your organization is deficient in its IT control and prevention structure. If you opt for cybercrime insurance, you will likely be required to have a validated patch management process, documented risk assessments, and periodic penetration testing. If these controls are not implemented fully, your insurance recovery might not be paid in full, or could be denied entirely. Don’t let insurance give you a false sense of security; it is only a partial remedy to damage done. 

How we can help 

CLA’s state and local government practitioners join forces with our firm’s information security professionals to develop best practices for information security policies and procedures. Our IT security consultants are trained and equipped with the most advanced software and tools to perform assessments on your system, perform penetration tests to root out vulnerabilities, and make recommendations to shore up security.