Cities can do more to help underserved residents avoid cyberthreats, research says

A University of California think tank recommends that cities offer basic cybersecurity education to their low-income, elderly and non-English-speaking residents, who are at higher risk of being targeted online.

As state and local governments around the country invest big in cybersecurity, some jurisdictions are taking steps to ensure their constituents are also safeguarded against attackers who look for victims to scam and exploit.

A few large cities, like New York and Chicago, have launched programs encouraging their residents to practice better password security and other basic cyber hygiene to protect against online threats. But in spite of those initiatives, low-income individuals, seniors and foreign-language speakers face far greater risks of being affected by a cyberattack than the general population, according to research published this week by the Center for Long-Term Cybersecurity at the University of California, Berkeley.

The concerns come at a time when more and more government services are delivered over the internet.

“Thanks to the rise of mobile devices, the ‘digital divide’ has been shrinking,” the report’s author, Ahmad Sultan, writes. “Yet as the adoption of digital services becomes more widespread, a new divide has emerged between those who can manage and mitigate potential cybersecurity threats and those who cannot.”


Sultan, who is also an associate director of the Anti-Defamation League’s Center for Technology and Security, conducted a 48-question survey of “underserved” San Francisco residents to measure their awareness of basic cybersecurity practices and how likely they were to be the victims of online attacks. Participants were either people with a household income of less than $25,000, 65 years or older, or whose primary spoken language was Spanish or Chinese.

In Sultan’s survey, those underserved communities displayed high levels of unawareness of online threats. Twenty percent said they were unfamiliar with internet crime, 26 percent did not know about computer viruses and 31 percent were unaware about the availability of antivirus software.

Many also said they did not practice relatively simple steps when reading emails to avoid threats like phishing. Thirty-five percent of respondents said they do not inspect a sender’s address to see if it suspicious, while 57 percent do not hover their cursors over links to see if they lead to safe web addresses.

By comparison, just 5 percent of people in a control group — comprised of Berkeley grad students and employees of San Francisco-area nonprofit agencies — said they don’t bother checking a suspicious email address, and only one-quarter don’t inspect links before clicking.

Many respondents in the underserved group also reported poor password management. One-third said they have shared a password with a family member, 12 percent shared passwords with friends and 6 percent shared passwords with coworkers.


The upshot is that members of underserved populations are far more likely to report having been victims of cybercrimes. Twenty-six percent said they have been the victim of an online scam at least once, while 40 percent said their computer or phone has been infected by a virus. Among the control group of grad students and nonprofit staffers, only 15 percent said they had been hit by internet scammers.

But the true rate of low-income, elderly and non-English-speaking people affected by cyberattacks may be far greater thanks to a lack of awareness about online threats, Sultan writes. Forty-one percent of those surveyed said they did not know if their personal devices had ever been infected by a virus, and 44 percent said they believe they had provided personal identifying information to strangers online.

Sultan suggests that technology and information security officials in city governments can improve upon those figures by going into underserved communities and conducting surveys and workshops of their own to assess residents’ cyber hygiene skills. He also recommends that cities offer digital literacy training programs that stress how to be alert for online threats. Such an approach, he writes, could also boost participation in digital services.

“A customized cybersecurity awareness program that is tailored to the specific needs of your community — with topics and content prioritized based on a research-based understanding of the local community’s specific needs — could help improve the knowledge and skill level of participants, which would improve security outcomes and increase internet service engagement,” he writes.

Sultan calls out a few major cities that have embarked on such initiatives, including New York, where officials last year launched the NYC Secure program, which includes a mobile app that tells users if they are connecting to unsecured Wi-Fi networks or websites. Chicago worked with Microsoft to develop a program called DigiSeniors to train elderly internet users, which has since been replicated in San Francisco. And in 2017, the city of Los Angeles launched the LA Cyber Lab to share threat intelligence between the public and private sectors, and to issue alerts and advisories to the city’s 4 million residents.


“Investing in programs that improve cybersecurity hygiene could have far-reaching social and economic benefits,” Sultan writes. “Citizens will be more cognizant of their web browsing behavior if they know what a cyber scam is and are aware of the types of cyber scams that exist.”

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts