The COVID-19 pandemic triggered a massive increase in the frequency of cyberattacks against businesses, individuals, and governments. With so many workers switching quickly from in-person to work-from-home arrangements, the number of opportunities for hackers to leverage cyberattacks has risen sharply. In our new reality, where cybersecurity is a top priority for businesses and regulators, education and training are more important than ever. But what role does cybersecurity play in occupational licensing?

Professional licensing bodies, like many other regulators, have access to a wide range of sensitive information regarding businesses, professionals, complainants, regulatory staff, and others. Hackers targeting regulators may see an opportunity to harvest social security numbers, insurance information, payment information, phone numbers, or any other piece of information that could be sold or leveraged for a profit. How can regulators ensure they are prepared to face and/or respond to a potential breach?

Types of cyberattacks

First and foremost, regulators must educate themselves on the types of cyberattacks that may befall them. In Verizon’s Data Breach Investigations Report (DBIR) from 2021, researchers pored over data concerning nearly 30,000 different cybersecurity incidents, classifying them into eight basic categories:

• Social engineering.
• Web application attacks.
• System intrusion.
• Miscellaneous errors.
• Privilege misuse.
• Lost and stolen assets.
• Denial of service.
• A catch-all last category: everything else.

The same report lists social engineering, miscellaneous errors, and system intrusion as the top three types of attacks in 2021, accounting for about 92% of breaches. The most frequently compromised data in these attacks usually includes user IDs and passwords. This information was compromised in 80% of breaches, according to the report.

Today, social engineering attacks are among the most pervasive and threatening cyberthreats because of the way they prey on trust and other human emotions. These attacks often involve an email that has been sent from a seemingly trusted source requesting personal information or asking the recipient to click a link. The most effective of these attacks prey on human anxieties to emotionally compromise the recipient and encourage the surrender of sensitive information.

System intrusion is probably what most people think about when they hear the word “cybercrime.” It involves the use of stolen passwords or malware to further breach an organization’s security system. System intrusion often follows the use of social engineering, since social engineering attacks usually target recipients for user IDs and passwords. The issue with cybersecurity is that, since many of these attack types are used in tandem, organizations need to take a multi-pronged approach to ensure their safety and security.

How can regulators respond to cyberthreats?

Experts say most cyber-intrusions can be avoided by implementing a set of basic controls. Regulators may also hire specialized consultants or coaches to help make sure these controls are implemented and that best practices are followed. Approaches to cyberattack prevention can be divided into two basic categories: technical and human.

Technical

Regulators can hire contractors or IT staff to put in place a series of technical preventative measures to bolster cybersecurity. Some technical measures regulators can take include:

• Automatic updates to existing software.
• Security patches.
• Two-factor (or multi-factor) authentication.
• Anti-virus software.
• Anti-phishing programs, such as those that capture suspicious emails.
• Firewalls.
• Mandated password changes for staff.

A prominent development of the last decade has been the migration of many regulators’ systems to the cloud. Cloud-based technology involves the use of networks to store information, rather than keeping this information on one server or hard drive. The tech companies that provide these services are responsible for the security of their networks, so regulators that use them are effectively outsourcing part of their cybersecurity system, saving money and time that would usually be spent with contractors.

Human

Perhaps the most important cybersecurity measure regulators can take is educating and training all staff on various types of threats, signs of intrusion, and preventive/mitigative measures. Because, for example, social engineering attacks are as pervasive and human-based as they are, it takes only a basic knowledge of best practices for regulators to curb the threats they pose. Telling employees how to identify and avoid suspicious emails, for example, can significantly cut down the number of intrusions an organization suffers every year. Often, IT staff will test employees with fake phishing emails to make sure everybody understands how to avoid them.

Cybersecurity is no longer an afterthought

The time when regulators and businesses could put cybersecurity on the backburner has long passed. Especially since the start of the pandemic, the threat of cyberattacks is now everywhere and ever-changing. Regulators can experience serious consequences from cyberattacks, including compromised information and loss of public confidence. But by implementing some basic technical and human measures, combined with mitigative incident response measures, regulators can protect themselves from the worst of these threats and help themselves continue fulfilling their mandate to protect the public interest.