Before COVID-19 started making headlines earlier this year, government departments might have been considered unlikely candidates for making large scale remote working a success. However, with service levels maintained across the public sector despite challenging circumstances, this assumption has been thoroughly disproven.
Since remote working became the norm for many government employees in March 2020, the prevalence of teleworking in the public sector hasn't dissipated. According to a survey conducted for our Government & Election Cybersecurity Threat Index, of over 500 federal and local government employees across the United States, 42 percent said they are still mostly working from home. Since our survey, COVID-19 infection rates continued to increase in some areas and many local government bodies have recently been forced to return to fully remote working arrangements.
With remote working likely to remain a necessity for government departments for a while yet, the public sector cybersecurity landscape remains a very different place than it was pre-COVID-19.
COVID-19 Creates New Opportunities for Threat Actors Targeting Government
Even when the pandemic recedes, many government workers are likely to keep working remotely some of the time. Many federal departments, such as the Labor Department, have already made most of their workers eligible for permanent teleworking. Across the public sector, agencies with remits ranging from defense to science, along with local government bodies, now see remote working as a way to increase productivity while also expanding their hiring pool.
Nevertheless, while fully remote work is necessary for many places right now, a hybrid working environment is more likely to become a reality for government departments over the longer term. Workers that do some of their work at home and some of their work in an office may have organizational benefits, but this setup also creates additional cybersecurity risks.
As workers alternate between home and office working environments, maintaining cybersecurity will mean prioritizing protecting employee devices rather than centralized office spaces. Security stalwarts such as adequate protection solutions, VPN use, and two-factor authentication will need to be universally available for all devices that public employees use for work. Currently, this ideal is far from reality.
Our research indicates that at least 30 to 40 percent of work-from-home government employees do not have access to these kinds of bare security essentials from their remote workspace. Indeed, our past research indicates that as many as 56 percent of at-home workers use their non-hardened personal computers for work-related purposes. These figures are worrying because, even before the pandemic, cyberattacks on government agencies and departments had been steadily increasing. Indeed, since 2017, cyberattacks on state and local governments rose by over 50 percent.
Endpoint Security Will Remain Vitally Important
Future threat landscape predictions point to the continued growth of endpoints as primary attack vectors for cybercriminals. Whether motivated by politics or profit, threat actors targeting government bodies and agencies are likely to use increasingly targeted endpoint attacks to gain access to data and deploy crippling malware. According to Verizon's Data Breach Investigations Report for 2020, ransomware is now a significant threat to public administration bodies nationwide. To protect themselves from data breaches, lost productivity, and ransom payments, government departments need to adapt new security strategies.
As the COVID-19 pandemic moved public employees away from institutional firewalls, keeping endpoints secure rose to the top of many organizations' priority list. For some state departments, such as defense agencies with large amounts of classified information, remote working necessitated emergency changes in how sensitive work was conducted. However, as trends catalyzed by the pandemic become long-term norms, government departments will need to find sustainable solutions to endpoint security that don't disrupt employee productivity.
While our survey found that many public sector workers are using antivirus software and VPNs to protect themselves and their networks, this is unlikely to be enough to safeguard their networks from targeted attacks. Modern malware is increasingly delivered through fileless methods that even so-called "next-generation" antivirus software cannot detect. Remote and hybrid environments will also place continued strain on government IT teams and, with more devices than ever connected to government networks, make endpoint telemetry solutions redundant.
For government bodies, long-term endpoint security will mean combining things like VPN use, multi-factor authentication, and threat-focused security training for all employees alongside effective endpoint protection solutions such as moving target defense. As they continue to work outside the office, every government employee needs to be on the first line of a national cyber defense posture that doesn't break down when they work from home.
A survey conducted by OneStep last year found that only 14 percent of public sector employees considered themselves "well prepared" for IT risks compared to 26 percent of their private-sector counterparts. As we enter the post-COVID-19 world, and the cybersecurity landscape remains a very different place, this number needs to become a lot higher.
A proactive approach to cybersecurity for government departments is set to become a necessity. In a world where a full-time return to the office isn't going to come back any time soon, if ever, cybersecurity starts in employees' homes.