Increased Cybersecurity and Fraud Risk for Government Organizations due to COVID-19

As local governments continue to face economic and social instability, nefarious individuals may identify more opportunities to commit and get away with fraudulent activities. Malicious individuals won’t want to let these crises go to waste. Local governments should expect an increase in fraud attempts and incidents as they navigate other challenges such as decreased revenues, higher unemployment and civil unrest.


According to the Association of Certified Fraud Examiners, fraud is committed when three factors are present: pressure, opportunity and rationalization. Many individuals in local governments (employees, vendors, constituents and other stakeholders) are under increasing pressure. A fraudster taking advantage of this increased pressure will look for opportunities to commit fraudulent activities and concoct any number of acceptable rationalizations.

The ever-changing workplace dynamic may create this fraud opportunity. This dynamic has changed significantly, and at least for the next few months, workers may not be collaborating in an office setting, asking each other questions about vendors, discussing ongoing projects or alerting one another about current issues. Some local governments may still rely heavily on paper (for necessities like work orders, invoices and purchase orders) that employees may have reviewed together or easily shared during the approval process before working remotely.

The workflow and approval processes of many local governments have likely changed. Approvals may not be flowing through the system like in the past. It’s also possible that one person has assumed additional responsibilities to provide coverage for coworkers who have also taken on more tasks. Furthermore, workers may be more distracted in their new home-working environment. These issues have the potential to reduce workers’ productivity  levels. Lastly, workers may be altering their hours to accommodate for childcare and other tasks that break up their workday, which can hamper the workflow and the controls that were in place when they were in a controlled environment with colleagues accomplishing similar tasks.

These factors, coupled with the many technical issues local governments are now facing given the number of people working remotely, has put a never-before-seen burden on our technology resources. As a result, there is a much higher risk of fraud and other types of misconduct.


The rapid transition to a remote workforce has also created additional IT security concerns in defending against cyber criminals. Employees are now operating on home networks while accessing organizational data to perform their duties. During this extended remote-work environment, there has been an increase of phishing emails using COVID-19 themes. Unfortunately, many of them have been successful which has led to email account compromises and ransomware events.

As new security challenges arise due to the ever-increasing remote workforce, it is vital for government organizations to implement stronger security controls and protect their private information. Using a virtual private network (VPN) for secure connection by remote staff is not enough. Instead, we recommend that IT teams implement multi-factor authentication (MFA) tools to help combat attacks which target staff email accounts and other remotely accessed systems. This second layer of authentication provides a strong defense against weak or reused passwords and password cracking tools used by hackers to compromise these types of accounts. MFA provides an additional authentication process separate from the employee’s work device. While an outside attacker may gain access to the work device, it is unlikely the additional device, such as a personal cell phone, would also be compromised. This leaves the attacker unable to execute the secondary authentication process, thereby keeping them out of your systems.

To better defend against ransomware, government organizations should also be reviewing and testing backup procedures to ensure that backups are safe from compromise in the event an encryption tool is introduced to the network. Organizations should not rely on paying an attacker as a ransomware solution because on average, only 60 percent of those who pay are successful in recovering their data. Off-site backups provide your organization with the ability to restore systems without paying an attacker with a minimal loss of data.


Given the new workplace dynamic and challenges confronting employers, it is now more important than ever for organizations to perform a new risk assessment.

  1. Start out by mapping your organization’s current process. Then, look for gaps that create an opportunity for a fraudster.  We recommend that your organization starts fresh when it comes to developing new processes instead of relying on the workflow that was designed when everyone was in the office.  The routine has changed, and new controls are needed.
  2. Educate and train staff on the importance of internal controls, their individual roles in the controlled environment and the newly implemented controls themselves.
  3. Make sure that external parties, including contractors, customers and clients, are up to date on the controls that are in place to reduce the opportunity for fraud.
  4. Monitor the effectiveness of the internal controls over time.  Like your risk assessment, this should be an ongoing process to see if the controls working and what controls may need to be enhanced.

If you’d like to learn more about fraud and cybersecurity risk for government organizations in the current environment, please contact us at any time. Feel free to check out our COVID-19 Resource Center, which has additional guidance for organizations during this crisis.

Visit the Resource Center

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author