The Latest on Cybersecurity in the Public Sector with Tim Walsh

Tyler Podcast Episode 71, Transcript

Our Tyler Technologies podcast explores a wide range of complex, timely, and important issues facing communities and the public sector. Expect approachable tech talk mixed with insights from subject matter experts and a bit of fun. Host and Content Marketing Director Jeff Harrell – and other guest hosts – highlights the people, places, and technology making a difference. Give us listen today and subscribe.

Episode Summary

Join Tim Walsh, a leading expert in cybersecurity at Tyler Technologies, as he delves into the world of cybersecurity in the public sector. In this episode, we explore the ever-evolving landscape of cybersecurity and its impact on government organizations, highlighting the latest trends, challenges, and strategies to protect against malicious attacks. Gain valuable insights into protecting our digital infrastructure in an ever-changing threat landscape. Stay informed, stay vigilant, and stay secure.

Transcript

Tim Walsh: Last year, cyber events, cybersecurity incidents targeted towards the public sector, specifically local and municipal governments were up 37% percent. So, that's the highest of any other industries.

Jeff Harrell: From Tyler Technologies, it's the Tyler Tech Podcast where we talk about issues facing communities today and how like the people, places in technology, making a difference. My name is Jeff Harrell. I'm the director of content marketing here at Tyler, and I'm glad you joined me. Cybersecurity, a hot topic and probably always will be at least as far as we can see. And it is a topic that is constantly changing. So today, we are going talk to one of our experts here at Tyler Technologies.

Tim Walsh, who's going share with us what's happening current in 2023, and what does a landscape look like going forward. It's a great conversation. I think you'll enjoy it. Here's my conversation with Tim Walsh.

Well now joining me on the Tyler Tech podcast is Tim Walsh. Tim. Welcome to the show.

Tim Walsh: Thanks for having me, Jeff. I appreciate it.

Yeah. We're very excited to talk to you. It's a topic cybersecurity that has a lot of interest, so I'm anxious to dive into the questions, but before I do that, I wanna give you an opportunity to tell us a little bit about yourself and a little bit about your background in cybersecurity.

Tim Walsh: Absolutely, Jeff. So, I started my career here at Tyler Technologies.

I graduated with a bachelor's degree in economics. Where I studied primarily in your global markets and trends and things of that nature. I started my career here implementing our solutions I was working closely with local governments. And really what I uncovered just through kind of naturally engaging with our partners with our clients, you know, talking to them that their main challenge regardless of what area I was working in was cybersecurity.

So, When I look to kind of advance my skill set, advance my repertoire of how I could provide value to our clients, one was looking at, you know, getting an advanced degree in something that mattered. And that, you know, I went through exploring the Pandora's box of what that might look like and I landed on cybersecurity. It just kept kind of reeling back to me. So I went back to school.

I got my masters of science in cyber security policy and governance from Boston College. It was a great rigorous program. And what it allowed me to do is really look at things holistically, not just from technical standpoint, but also from a governance standpoint. I think it's important that cybersecurity, it isn't just a conversation that IT should have.

It's a conversation that everyone in government should have. So that's what's landed me here with our cybersecurity group. It's in excellent group of people, highly, highly talented, you know, groups of hackers and analysts and advisors that can really help enhance our customer's cybersecurity capabilities.

Jeff Harrell: It's amazing when I went to school. I won't say how many years ago it was, but They didn't have things like social media marketing, and now there's degrees in cybersecurity. The world has definitely changed over the years and super super cool that you've got that advanced degree in cybersecurity.

And that's what we're gonna talk about today, and we're sitting here now in June of 2023. I can't believe we're almost halfway through 2023 already. Talk to us a little bit, what's the landscape like right now in the cybersecurity space?

Tim Walsh: Yeah, so, you know, unfortunately one of the things about cybersecurity is it's a lot of bad news, right? It's not a lot of positive things that when it rises to the point where we're reading about it on our phones or viewing it in the media, it generally is not a good news. And unfortunately, we've seen just a real tremendous uptick in the number of attacks, as well as the intensity of them. So, for example, we got a lot of the data back from 2022.

We saw that, you know, I think it's important to look back before we look ahead and kind of what we've seen in the first six months of the year. But I think the statistic that, you know, keeps me up at night, especially regarding local governments, is that last year, the data just came in middle of this quarter was that last year, cyber events, cybersecurity incidents targeted towards the public sector's specifically local and municipal governments were up 37%. So that's the highest of any other industry. So when we look around and we think, oh, banks are getting targeted, big box stores. That's true. You know, I'm not going to discredit that. But I'm certainly going to say that we're looking at down the barrel of some pretty significant attacks facing local governments for a variety of different reasons. They're an attractive target because they don't have necessarily not always staffed 247, perhaps there's budgetary constraints etcetera.

So, they certainly are targeting you all because of the fact that it's an attractive target. They're seeing that local governments are paying out these ransoms, which on average are eclipsing over half a million dollars year over year. But it's certainly something that is increasingly targeting these local government agencies. So you know, what have we seen in the first part of 2023?

Well, the statistics are not all in yet, but really what we're seeing in our security operations center here at Tyler, as well as just tracking the threat intelligence trends Ransomware is back and it's back with a bang. And it's not just the what I call spray and pray approach ransomware where they're sending it out to as many places as possible. That's still there. That's still a valid top tactic in target, but we're seeing targeted ransomware at where they're actually looking at these types of agencies that are susceptible.

They're looking at specific vectors and they're recycling old tactics. So ransomware is on the rise. You know, they're encrypting the data. We're also seeing unfortunately the combination of exfiltrative malware with ransomware.

So what does that mean? It means that we're getting good at backing our data up. We're getting good at having backups, things like that available to us. So oftentimes, we might say no to the attacker.

We're not paying your ransom to get our data back. So what they're doing is they're actually cleaning a copy of the data before they encrypt it. So in the event that you say, I'm good. I have my backups that they have a double extortion method to go after you and say, well, okay, you might not need us to get your data back. But if you don't pay us $450,000 by ex date, it's going to go up $50,000 every day.

Then we're going to release the Social Security numbers of your employees. We're going to release sensitive student data, health information.

So unfortunately, we're seeing quite a bit of ransomware.

In addition to that, we're also seeing DDoS attacks. So, the distributed denial of service attacks. So what those are is flooding the network with traffic. So in a sense, I kind of like to describe it to folks who maybe don't have a detailed understanding of what it might be is I'm playing I'm playing a game of baseball. I have a pitcher and I have a catcher. One ball going back and forth. That's the normal traffic of your network and the Internet.

Well, a DDoS attack is that same process happening of valid traffic back and forth. But then instead of just one pitcher, we have a pitcher with three hundred batting, you know, pitching machines. And they're all pointed at the at the catcher. And maybe there's even a hitter that comes up as well.

And they go for a swing. Now not only are they not going to be able to catch or hit all the balls, but they're also not going to be able to know what's real, what's coming from the picture, and what's coming from the automated traffic or the automated pitching machine. And oftentimes, someone's going to get hurt because they can't juggle all of that. So in a nutshell, what that is and how it pertains to a DDoS attack.

Is it's the traffic flooding your network. They want to take your website. They want to take your servers offline. And the goal is to initially take your service offline, cause disruption, maybe it's some form of hacktivism or something like that. But then we're seeing that not only that they're doing that just to take it offline and disrupt it, they're trying to flood with even more traffic to try and damage, overheat the servers, overload the network so that it's unrecoverable.

So those I think are the top two, you know, the primary vectors that we're seeing ransomware, malware, Many of these attacks get in are through email phishing.

 

Last year, 82% of all cyber attacks, cyber breaches or a direct result of human failure. The primary failure point is humans opening an email, opening a webpage that they shouldn't we're seeing that humans are the weakest link that are letting the attackers in the door.

So no matter how many defenses you put up, it's unfortunately becoming more and more of a challenge for these folks to -- for folks on the government side to be able to protect against that human component?

Jeff Harrell: Yeah, it sounds like the bad actors are getting even more sophisticated we thought they're we know they're sophisticated.

There sounds like they're pivoting to become even more so in finding those areas of opportunity. And I've heard you say before, Tim, that it's it's not if but when. I think the days of just hoping that you miss an attack are over. What do you mean or say a little bit more about not if but when?

Tim Walsh: The data doesn't lie in the sense that last year, over 2,000 local government entities succumb to ransomware attacks succumb to some sort of malicious actor gaining access into their network.

So, you know, it's hard to dispute and nearly impossible to dispute that everyone is at a target. So what we operate on here at Tyler Cybersecurity Division, and really what security professionals focus on is that it's not if an attack happens, but when? So what does it mean? It means taking a bit more of a proactive stance against the attacker to accept the fact that we very well might get some sort of an infection, some sort of a malicious actor, a malicious event.

But that's okay. Because we're going to build in resiliency.

And we're going to build in the ability to detect that when it does happen so that we can mitigate the scope and impact of that attack. Gone are the days that we can kind of put our heads in the sand and say, well, it's not going to happen to me. It's just going to happen to my neighbors. We'll look around. All of the neighboring organizations, cities, even state, and even higher up governments are are susceptible.

So to think that we're not susceptible is kind of kidding ourselves. So thinking of it as it's not if but when allows you to be a little more prepared and really prepare the organization as a whole that it's okay if something happens, but what is our preparedness to respond to it so that it's not a network wide incident. It's an isolated event.

Jeff Harrell: And I wanna I wanna dive into some of the the ways that public sector can prepare themselves But before we do that, you you mentioned something a minute ago that I wanna dive into a little bit deeper and that is it typically is a human failure. There's a there's a human element to these attacks. Can you dive into that a little bit more and perhaps share some ways that those people that are listening right now can go, okay, these are some things I need to alert my team to.

Tim Walsh: Absolutely.

Gone are the days of the friends that kind of reaching out to you and saying, I need money or I need you to click on this link. It's just not what phishing emails are today. And it's not just phishing emails. It's also people calling in.

If we think of the public sector, there's a number of data points that are available? Who are your contractors? Who are, you know, the people in which you work with? So when I'm crafting a fishing email campaign or I'm crafting a a phone email campaign or a phone voice fishing campaign, I can really glean information that's publicly available to attempt to trick your end user into giving me the information I want.

Or downloading some sort of malicious software. So what they're doing is they're creating these beautiful emails that look like they're coming from the city manager. They look like they're coming from your third party IT company. And they're saying just click on this to reset your password.

And instead of actually resetting your password, it just gleans your credential so that they steal them. Or it might download a piece of malware that could potentially lead to ransomware. So how do we mitigate it? I mean, that's the core question that we all have.

Is how do we mitigate human failure point?

Well, unfortunately, and this is the unfortunate case not only for the human components, but all aspects of security is that there isn't a silver bullet. So a layered approach is critical. And that layer needs to include the three core components of cybersecurity.

And that's people, process, and technology.

So obviously with phishing, whether it's voice phishing or email phishing or even on-site someone walking in and gaining access to a computer and plugging in a USB drive.

It's important to secure your people. So when we're securing our people, we think of training.

You know, you need to have a robust training program. And there are some great computer based programs out there to do annual trainings and things like that. But also to make it interactive, maybe bring in a real live trainer, do a webinar. Create a game of it I've seen some organizations do. You know, the most cyber secure really immerse your whole staff because anyone that has access to your network in any capacity is a potential vulnerability.

So educate them on new types of threat. Make it aware when a phishing email comes in, add in softwares and services to report email phishing. As well as adding technologies to detect when someone might open a malicious link or download some sort of malicious software. So there's many different layers that you can add in, but highlighting that training is going to be critical awareness is gonna be critical.

And then finally, some sort of detection mechanism for if that does occur if they do open it what is our way in which we can detect and contain it? And that's really to me the three core points to how do we mitigate the human aspect of potential failure.

Jeff Harrell: That's good stuff. And something you said I want to dive a little bit deeper on too because in my role here hosting the Tyler Tech podcast, we've done a number of cybersecurity episodes and I think my awareness meter is pretty high because of that, right? We're talking about it quite a bit.

Tim Walsh: Sure

Jeff Harrell: I've heard the the fishing techniques and things. Don't click on that if you don't know who it's from. But I think for a lot of us, it's we're not aware.

Tim Walsh: Sure

Jeff Harrell: We don't know what the things are. So, dive into awareness a little bit more. What are just some of the the tricks of the trade or or some basic fundamental things that people listening right now can take away.

Tim Walsh: Yeah. No. That's a that's yeah. That's a great great point, Jeff. Is that, you know, oftentimes, we think, oh, don't click on the link.

Well, if I knew the link was bad, maybe I wouldn't have clicked on it. But oftentimes these are looking good. They look legitimate. They look like the email signature of the person you know.

But what I find is that if you can get buy-in from the top first, that's really gonna drive the culture of your organization.

So what does that mean? It means that it can't just be IT saying, we need to train our folks. We need to have these services in place. We need to have executive leadership, city managers, town councils, to actually go in and say, this is a strategic goal of ours. And the reason why we're doing it underscore the reason, what is the reason why we're doing it well, because our neighboring entity, you know, accidentally, but a malicious actor was able to steal three million dollars through an email phishing campaign.

Give real life tangible examples because generally employees are concerned. They want it they want to do the right thing. But they need to have some bias to why we're doing it, some tangible things to because oftentimes we think, well, I would never do that until it's us.

Jeff Harrell: Absolutely right. And we've been talking about where we are, what we've seen thus far in 2023. So I love the fact people, process technology, all important.

How do we then as we're looking forward into 2023 and beyond think about that. And I know you're looking forward too. We want to learn from the past and look forward to the future.

What are the things you guys are thinking about in the cybersecurity space relative to the rest of 2023 and beyond.

Tim Walsh: It's people process technology. That hasn't changed for the last twenty years since before cybersecurity was even worse. They're still the primary vulnerability points, but also your greatest asset.

If you can secure your people, secure your process and secure your technology. So, to me, it starts with first knowing your vulnerabilities. What are the vulnerabilities that I have? And be realistic.

Conduct a risk assessment, understand where do we stand today, and where do we want to be tomorrow? Thirty days, sixty days, six months from now a year from now, where do we wanna be as an organization?

I think oftentimes we're seeing that policies and procedures are not updated accordingly. So we see that, you know, they might not reflect the times of today, right? So as we see new technologies at venting, are we addressing that in our acceptable use policies?

Are our users aware of what is expected? You know, ten years ago, it was, should we allow folks to use radio online radio on the on the computers? Now we really need to address the conversation of are we allowing non sanctioned uses of ai [artifical intelligence]? And how are we incorporating ai into our platforms to actually detect and mitigate threats as we see them.

So we see a lot of that, and we're also seeing that that in the future, the attackers are automating their attacks even more, which is somewhat good news in the sense that automation still to this day leaves a signature. So we still can utilize some of the signature based detection combined with human analyst to identify the new types of threats. So I see in the future AI is going to be our biggest asset, and it's also going to be one of our greatest adversaries.

Jeff Harrell: I love this, Tim. And if someone's listening right now going, okay, I understand how important this is. I'm sure the best time to start would have been in the past, but the next best time to start is now.

Tim Walsh: Exactly

Jeff Harrell: If someone wanted to learn more and say, hey, I know Tyler's thinking about this. Tyler's got some great solutions. How could they find out more?

Tim Walsh: Absolutely. So, you know, Tyler, we have a full cybersecurity suite, which includes professional services of guidance, governance, as well as technical testing, We also have a managed detection response solution where we can do much of that machine learning AI powered and human analyst powered detection of those anomalies in your network. So if anyone wants to learn more, feel free to reach out to myself or someone on my team. I'm at cyber security solutions @ tylertech.com.

Jeff Harrell: Awesome. Tim, this is great. I'm sure this is not a one time conversation. This is an ongoing conversation. So I'd love to have you back on the Tyler Tech Podcast in the future. And thanks again so much for your expertise and your passion around this topic and for joining the show.

Tim Walsh: Thank you so much for having me, Jeff. Have really had a great time.

Jeff Harrell: Well, I appreciate Tim's expertise on this topic and I know it's one we'll be talking about for quite some time. So look for more episodes on the topic of cybersecurity and look for more episodes from the Tyler Tech podcast. We are working on episodes throughout the rest of 2023 and on into 2024. So please subscribe. Again, my name is Jeff Harrell. I'm the director of content marketing here at Tyler. And thanks for joining me.