For good reason, not every public organization is eager to share details about becoming the latest victim of a hack.
Nonetheless, it happens.
And Lou Peccoralo, chief operating officer at technology company Colotraq, said it’s happening more often at schools, libraries and other municipal facilities than you think.
“If these departments were totally honest with their constituency, you’d find out that they’re actually being hacked on a daily basis,” he said.
The Parsippany-based firm, which partners with cybersecurity providers as an offshoot of its colocation and cloud management services, has been looking to work with public-sector entities to help seal the many holes allowing hackers to routinely cause havoc for these organizations.
Mark Goebel, vice president of cloud and cybersecurity program management, said it’s an especially important problem to resolve for something like a police department, which can host more valuable information than most other municipal offices.
“And yet, hackers have been attacking them more than any other entity today,” Goebel said. “Hackers have found them to be easy targets for ransomware attacks. … Because of that, it’s amazing to see how many people are working on cybersecurity protections at police departments now, not for the community they cover, but just for their own protection.”
The confidential data often involved means not every hack gets publicized, so the scale of these ransomware attacks — in which hackers hold data hostage for ransom using malware — or other cybersecurity threats is difficult to quantify.
“What we do know is that large industry has funding to put in place many pieces of cybersecurity protections in their organizations, while schools, municipalities or police departments don’t have that kind of funding or even the knowledge base to understand what’s going on,” Peccoralo said.
This situation — organizations with sensitive data that’s regularly being messed with — has led to the private sector trying to find the right solutions for tight-budget agencies that can’t afford to hire cybersecurity personnel themselves.
For its part, Colotraq represents about a dozen different cybersecurity protection providers that it pairs with entities that need to shore up their defenses. The firm also just partnered with Porzio Compliance Services, a division of Morristown law firm Porzio, Bromberg & Newman P.C., to provide guidance on cybersecurity needs, specifically of schools, school districts and higher education institutions.
“Porzio has the in with the school systems, as they represent many in their law practice,” Peccoralo said. “They have focused very heavily on hacking, how to protect against it, how to deal with it once you’re hacked and all of the legal ramifications.”
Peccoralo added that the Porzio connection has yielded some preliminary talks with local school systems about partnerships that would involve Colotraq.
Among other things, the firm offers agencies the option of having their vulnerabilities explored by white hat hackers, or good-guy hackers who use their skills to expose weaknesses before malicious hackers do.
The idea is that identifying specific vulnerabilities helps an organization's cybersecurity budget go a lot further.
“That’s because it’s very possible to respond to an attack with a great deal of investment that actually doesn’t address the risk profile itself,” Goebel said. “You have to have a good idea of where your strengths and weaknesses are to know where to put your money.”
However, businesses in the cybersecurity space tend to be careful not to bill their solutions as offering 100 percent protection from threats, even with friendly hackers on their side.
“There’s never a guarantee it won’t ever happen, but you can improve your odds — like going from being 40 percent vulnerable to an attack to being 10 percent vulnerable,” Peccoralo said.
The level of sophistication of these attacks can vary greatly, Peccoralo said, as does the intended goal. Sometimes, hackers are out for credit card information or identifying details such as Social Security numbers. Other times, the only goal is to disrupt the organization or play a prank.
In a strange example of an attack on a local public-sector entity from last year, the Bloomfield Public School District announced that its website had been breached after pro-ISIS videos were displayed on it.
There are a number of ways school districts and other public-sector organizations have become easy targets. But with interplay between the private and public sector, Goebel doesn’t expect that to last.
“What we’re hearing from municipalities is they’re understanding this today,” Goebel said. “They’re finding that (private-sector) solutions can help them manage costs and bring in hard-to-find talent to protect their important data.”
NJSBDC can help with cybersecurity
Just as the public sector is tapping private sector resources for cybersecurity issues, the opposite continues to happen as well.
And the New Jersey Small Business Development Centers does it for local private enterprises free of charge.
Deborah Smarth, chief operating officer and associate state director of the NJSBDC, which is administered by the national Small Business Administration, said her organization is constantly pointing business owners to tools for learning more about how to combat hackers, such as regular conferences and symposiums.
The organization has been expanding its focus in this area for small businesses — which, like cash-strapped public entities, may not be able to afford strong cybersecurity protections.
“When you’re a smaller company, you have to be extra vigilant about this,” Smarth said. “They have to prepare the best way they can. We try to help with that.”