– Executive Summary –
Today’s cyber threat landscape presents an unrelenting challenge for organizations across the globe. Cyberattacks that were once sporadic and simple have now become frequent and intricately complex. Organizational defenses are under constant pressure, with one attack taking place every 39 seconds.[1] Despite the tireless efforts of security experts to strengthen cybersecurity defenses, cybercriminals continually devise new methods to circumvent these barriers. Organizations have traditionally focused on the technological aspect of cybersecurity. However, human vulnerabilities have persistently proven to be a significant risk factor. Humans are regarded as the weakest link in cybersecurity and are often targeted by cybercriminals who use psychological manipulation and social engineering tactics to extract sensitive data.[2] The lack of effective security measures designed to counteract human exploitation creates a critical gap that leaves organizations susceptible to cyberattacks.
Given this realization, the thesis explores how this threat applies to the Fire Department of New York (FDNY). The FDNY’s reliance on mission-critical systems, such as computer-aided dispatch, radio communications, and patient databases, makes it particularly vulnerable to network disruptions. Historical cyber incidents in other organizations illustrate the potential impact such attacks could have on the FDNY. The FDNY, like many other organizations, has focused primarily on technological defenses. Although these measures are indispensable, they fall short of addressing the human error aspect of cybersecurity. As the largest fire department in the United States, responsible for a city of over eight million residents and an annual 911 call volume exceeding 1.5 million, the FDNY must protect its critical infrastructure from technological and human vulnerabilities.[3]
A. METHODS
The primary objective of this research was to evaluate the current cybersecurity measures of the FDNY and to explore how an “all-hands-on-deck” approach could strengthen the department’s cyber defenses. To better evaluate the FDNY’s cyber preparedness, the study employed a comprehensive methodology that combined descriptive, evaluative, and prescriptive approaches. The descriptive analysis focused on gathering background information through literature reviews and case studies covering the evolution and current state of cybersecurity threats and security measures. It homed in on attacks that could disrupt FDNY operations and the limitations of present-day security measures. The evaluative component included an internal FDNY red-team exercise that simulated a social engineering vishing attack. This campaign offered a realistic assessment of existing vulnerabilities related to human error, specifically among boots-on-the-ground personnel. The final element of the study focused on formulating strategic cybersecurity recommendations. These recommendations were based on insights gained from both the descriptive analysis and the evaluative exercise.
B. RECOMMENDATIONS
The evaluative red-team exercise revealed significant vulnerabilities within the FDNY that highlight its susceptibility to social engineering tactics and its need for awareness, training, and reporting. FDNY personnel consistently divulged sensitive data, underscoring the need for a more inclusive and comprehensive cybersecurity approach that encompasses all members of the department, from frontline personnel to senior leadership. The current FDNY cybersecurity framework falls short in addressing and mitigating human error, which is the primary cause of data breaches.[4] To enhance the FDNY’s cybersecurity posture, this work proposes seven strategic recommendations, each aimed at actively engaging end users, integrating field personnel in the security process, and obtaining buy-in from all ranks.
C. CONCLUSION
This research advocates an all-hands-on-deck cybersecurity approach within the FDNY. It underscores the importance of extending cybersecurity beyond the sole responsibility of the information technology team and making it a collective responsibility among all FDNY personnel. In addressing both the technological and human vulnerabilities by incorporating all personnel into the cybersecurity framework, the FDNY may significantly enhance its overall cyber posture. This comprehensive approach will better prepare the FDNY to defend its critical infrastructure against current and future cyber threats. Though this approach is tailored to the FDNY, it provides valuable insights and methods that can be adapted by other organizations to strengthen their cyber preparedness as well.
1. Jacob Fox, “Cybersecurity Statistics for 2023,” Cobalt (blog), December 27, 2022, https://www.cobalt.io/blog/cybersecurity-statistics-2023.
2. Mousam Khatri, “The Human Element Is the Weakest Link in Cybersecurity,” LinkedIn, August 2, 2023, https://www.linkedin.com/pulse/human-element-weakest-link-cybersecurity-mousam-khatri.
3. Evan Scoboria, “How Big Is New York City: Its Size in Miles, Acres, and Population over Time,” SKNY, August 30, 2023, https://www.skny.io/fun-facts/how-big-is-new-york-city; Jonathan Dienst and Tom Winter, “NYC 911 Calls Fall to Multi-year Low Weeks after Record High: FDNY,” NBC New York, May 1, 2020, https://www.nbcnewyork.com/news/local/nyc-911-calls-fall-to-multi-year-low-weeks-after-record-high-fdny/2398808/.
4. Fox, “Cybersecurity Statistics for 2023.”