Skip to main content
What can we help you find?
main content, press tab to continue
Article

Cybersecurity for the public sector: Navigating the evolving threat landscape

By Tamika Puckett | October 10, 2024

The public sector faces rising cyber threats, requiring robust practices like MFA, strong passwords, vulnerability management and training to protect essential services.
N/A

In today's digital age, public entities are increasingly vulnerable to cyber threats. While cyber-attacks were once primarily associated with large corporations, governmental entities, agencies and organizations providing essential services such as utilities, public safety and social services are now frequent targets. According to the FBI, government entities ranked as the third most-targeted sector for ransomware attacks in 2024, driven by financial, geopolitical and disruptive motives.

Public entities face unique challenges in cybersecurity due to bureaucratic structures, budget constraints and numerous access points, often resulting in outdated systems and aging infrastructure. These vulnerabilities can lead to significant service disruptions, affecting public services such as water and wastewater services, emergency response and judicial processes.

Cybersecurity best practices

To mitigate these risks, public entities must adopt robust cybersecurity practices. Two fundamental measures include:

  1. Enabling multi-factor authentication (MFA): MFA requires more than a username and password to verify the user’s identity. Authentication factors typically include something you know (password), something you have (code provided via smartphone which is either texted, emailed or provided via an authenticator) and something you are (fingerprint scan or face recognition).
  2. Implementing strong password requirements: Strong passwords should be difficult to guess. Strong passwords should be unique, complex and include a combination of upper- and lower-case letters, numbers and symbols. Passwords should be changed regularly and used in coordination with MFA.

As an additional resource, please see below for tips on implementing MFA.

Beyond these basics, public entities should focus on comprehensive cybersecurity hygiene. This includes asset management, backup procedures, access management, segmentation, detection capabilities and third-party cyber risk management. Additional primary controls include:

  • Vulnerability management: Vulnerabilities are the open doors and windows into an organization's systems, networks and applications. It is important that entities manage its vulnerabilities by identifying, assessing, categorizing and managing them before they can be exploited by threat actors. Vulnerability management involves deploying fixes or “patches” that can remediate exposures or “bugs.” It is very important to monitor vulnerabilities that have no fix and/or present no apparent danger of exposure. In these cases, the vulnerability should be mitigated (reduce risk of exploitation) or accepted (risk acknowledged but not fixed – typically happens where there is no known fix or the cost to fix outweighs the potential damage).
  • Providing comprehensive cybersecurity training: Cyber security training helps to train users to identify problems of social engineering, phishing and ransomware. In addition to training, effective cyber security training also incorporates simulated emails to test employees on recognition and avoidance of phishing attacks.

Conclusion

Public entities are inevitably exposed to the evolving landscape of cyber risk. Unfortunately, threat actors are constantly creating new ways to exploit security controls. Public entities must remain vigilant and informed about the evolving cyber threat landscape. By implementing these best practices and maintaining a proactive approach, they can significantly reduce their exposure to cyber risks and ensure the continuity of essential public services.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Download
Title File Type File Size
Tips on implementing multi-factor authentication (MFA) PDF .3 MB
Author
Tamika Puckett
Public Entity Co-Lead, North America
email Email
Related content tags, list of links Article Cyber Risk Management Public Sector and Education

Related capabilities

Public Sector and Education
Cyber Risk Management
Contact us