Cybersecurity, Data Breaches, and Other Digital Risks: What You Need to Know
The threat of cybercrime continues to rise, and the stakes get higher with each data breach. Nation states, organized crime groups, and individuals are all trying to penetrate online systems through brute force attacks, social engineering (like email phishing), and exploitation of systems’ vulnerabilities. The latest high-profile attacks, which were discovered in December 2020, targeted major U.S. agencies and companies. Rather than causing damage or extorting money, the goal of these attacks was espionage. Worse still, there is evidence that the attacks had been ongoing for much of the year, potentially exposing many thousands of sensitive and highly classified files. At the time of publication, FireEye and SolarWinds—the two companies whose software was exploited to facilitate the attacks—have not publicly announced the full list of affected agencies and companies. The federal government has been similarly quiet about the scope and impact.
In light of these recent events, we want to remind and reassure you that Granicus does not use SolarWinds or FireEye software. At Granicus, we view security as a product, a process, and a culture that spans our systems, our software, our data, and our people. We use internal and external experts to maintain our defenses. We proactively utilize edge-to-edge security, visibility, and carrier-class threat management and remediation. Our software is housed in Tier III data centers and with world-class public cloud providers, and it includes two-factor authentication, data encryption, security scanning, infrastructure redundancy, and monitoring. Across our solutions, we adhere to government-grade security standards and regulatory measures like FedRAMP, ISO 27001, NIST, SOC 2 (SSAE 16), and many more. Every Granicus employee is trained and certified in cybersecurity practices annually. Along with our 24/7 full-time security team, we partner with firms like Booz Allen Hamilton, BSI, CrowdStrike, Coalfire, and NCC Group that enrich our capacity and response.
To supplement these tools and practices, our teams are constantly working to strengthen our approach, actively responding to the heightened security threats that the next few weeks present. However, there is a weak link in many agencies’ defenses:
Even with the strongest security tools in place, one wrong click can expose an organization to threats. That’s why training and caution are so critical. Security threats become more sophisticated every day, but you have the power to help prevent them. Please remember to take an extra few moments before clicking on any links or attachments in your inbox and do some additional inspection. Look at the “from address,” review the wording for suspicious spelling and grammatical errors, hover over any links and verify that everything looks correct. If you aren’t 100% convinced it’s real, then verify directly with the sender via phone, chat, or email. Consider these processes:
- Never share passwords or accounts
- Use a strong password that meets or exceeds security requirements (Pro tip: “solarwinds123” doesn’t qualify as a strong password)
- Ensure users of the software are onboarded with training and are keeping their authorizations current
- Define your administrators
- When staff depart the organization, immediately de-activate their system access
- Test your push-based communications with internal and external sends
- Test your web property updates
- Capture and maintain a map of your webpages and landing pages to ensure you know what the public is seeing
- Remind your team to stay diligent and escalate any suspicious activity
While these precautionary measures may add an extra step, their impact is enormous. Cybersecurity is up to all of us, so thank you for doing your part to keep your organization safe.
As always, if you ever notice suspicious activity in your accounts, contact Granicus immediately at firstname.lastname@example.org. We stand ready to support you and ensure smooth civic engagement, no matter what.