
Public entities with outdated computer systems are prime targets for hackers

Security staff struggle to win increased funding to protect information

Cash-strapped public entities face serious problems related to legacy data systems no longer supported by their current software providers, leaving them vulnerable to hackers.

Public entities were the No. 1 target of hackers in 2013, according to a Verizon Communications Inc. analysis of U.S. data breaches.

Public entities accounted for 75% of the more than 63,000 U.S. hacker attacks in 2013, but were No. 2 at 13% of the more than 1,300 cases of confirmed losses of data, according to the Verizon analysis.

The finance industry was No. 1 in 2013 data losses due to hackers.

While the high numbers for public entities likely were due to agency reporting requirements rather than higher targeting, “everyone is vulnerable to some type of event,” according to the analysis.

Steps that public entities can take to address the issue include closely monitoring their systems, experts say (see story, page 17).

“During times of budget cutbacks, security is an afterthought,” said K. Mig Hofmann, information security officer at San Francisco State University. People “really resent it when I'm asking for millions” for cyber security. “It's perceived sometimes, as selfish,” not as reducing risk, she said.

“You can't go a week without seeing (public entities) in the press having some kind of a cyber-breach event,” said Mark Greisiger, president of Gladwynne, Pennsylvania-based NetDiligence, which provides cyber risk management and information security services as the marketing arm of Network Standard Corp.

Public entities have extensive personal information, whether it is related to health services, prisons or the taxpayer system, and “they don't have the most sophisticated (information technology) departments,” he said.

“The risk of having legacy systems is very high because, in many cases, the servers, the systems are not being patched; the vendor has gone away or has been acquired or is out of business, and there's no support available for the software of the system; or the historical knowledge of the system is very minute,” said Cary Sholer, an information security professional at Seattle-based consultant Farallon Risk Group L.L.C.

As a result, “you have the combination of unpatched, unsupported systems with no internal insight or knowledge.” If there were a breach or attack, “it would take a very long time to get it back on-line,” Mr. Sholer said.

John Coletti, New York-based underwriting manager of cyber liability at XL Group P.L.C., said even when there is support, it's comparable to playing Whac-A-Mole as software providers try to keep ahead of hackers.

Public entities, “some of the largest IT owners in the country, are always going to struggle with legacy issues associated with their database infrastructure, so it's obviously a challenge as technology changes,” said Joe Blasi, Houston-based executive vice president at broker McGriff, Seibels & Williams Inc. “How do you remain current? How do you finance that?” he asked. Antiquated systems highlight “the need for some sort of risk management, some sort of risk transfer solution.”

Microsoft Corp.'s withdrawal of support for its Windows XP program in April, for instance, “is just one example of the challenges of utilizing an early-model IT system,” he said.

Following complaints, Microsoft relented and offered an XP patch, but some experts still say users would be best served by switching to Windows 7.

Public entities' vulnerability varies, said Philip Bell, executive director at Clemmons, North Carolina-based County Reinsurance Ltd. “My own take is that the larger entities,” including state governments, “probably have the greatest risk because their data capacities are so large and their data needs are so large.”

“It's not a top-priority problem at the moment” among public entities, said Mr. Blasi. “I don't believe elected officials and the top administrators within governmental entities are directing their administrations to pursue solutions as aggressively as perhaps they should be.”
