I must admit, the title of this article was meant to catch your attention and require a second look. Whether or not the attempt was successful, the topic and content that follow have most assuredly caught everyone else’s attention.
Survey after survey reveals that the top concern and priority for the majority of information technology leaders is cybersecurity. For the past few years, the news has been plagued with breach after breach in both the private and public sector. According to the most recent survey conducted by the Public Technology Institute (PTI), cybersecurity ranked as the top technology priority for local government technology executives for a second year in a row (pit.org, #247, 2015).
As local governments, we often find ourselves targeted by cyber threats both inside and outside of the U.S. daily. The impact that a cyber-related breach would have on a city, county, or town could be crippling. Local governments all over the U.S. own, manage, and operate critical infrastructure such as water, sewer, dams, transportation systems, and emergency communications through the use of technology.
So what do we do with this massive responsibility, as local governing authorities, to protect the critical infrastructure and assets entrusted to us while still being required to balance limited time, resources, and funding? The answer is to start from wherever you are today. There are steps you can take regardless of any of the aforementioned limitations you may be facing. The list that follows contains five recommended steps that you can take today to, at the very least, move your organization toward a more secure environment.
Take an honest look at where you are:
Oftentimes, discovering the cause of the problems we face is as simple as taking a good hard look in the mirror. Much like stuffing overdue bills in a drawer, the threat of a cyber-breach exists whether you choose to acknowledge it or not. The most important step you can take right now is to act. Don’t make the most common mistake of thinking that your organization is too small to be a target, because that is one metric that is irrelevant to this conversation. Size has nothing to do with the subject of cybersecurity, and yet I have heard that phrase many times over.
Would you be able to answer the following questions if someone were to ask you today:
- What are the assets deemed as critical infrastructure your locality is responsible for today?
- What technology is required for this infrastructure to successfully operate?
- Who is responsible for the security of this technology (passwords, service, maintenance, patching/updates, physical and logical access)?
- What would be the impact to the organization and/or constituency if a security breach were to occur and this technology became compromised?

The fact is, oftentimes the questions are not even considered until after a threat is realized. Do not wait until an event occurs before you have answers to these questions. You must understand all aspects of the information systems you manage and are required to secure.
Start with the free resources you have at your fingertips:
One of the marvelous things about working in the public sector is the sharing of information and the willingness of most to provide assistance to intergovernmental agencies that face the same issues. There are several free resources such as white papers, guidelines, templates, and tools made available by federal government and nonprofit agencies that can be found by simply visiting the following sites:
There are also many state and local associations and/or organizations that will provide a “helping hands” type program to smaller governments who may not have adequate IT staff to address cybersecurity. The National Association of Counties (NACo) offers free resources and programs such as webinars, publications, and connections to other intergovernmental agencies that can be of assistance.

An education and awareness campaign is free:
It costs absolutely nothing to bring awareness to the seriousness of the vulnerabilities facing your organization. Many elected officials and executive leaders are not aware of the threats or of how a cyber-breach might impact the types of critical infrastructure and information systems that they are ultimately responsible for. It is absolutely your duty as the information technology leader in your organization, whether CIO or County Executive, to make these risks abundantly clear and to provide potential solutions to mitigate such risk. Remember that ignorance of the law is no excuse.
Establish and implement baseline security standards internally:
Once you have identified your assets and areas of vulnerability, take action to begin with the most basic steps. For instance, if your organization does not have the IT expertise or resources on staff, then by all means request the necessary funding to hire a third-party security consulting firm to audit your computing environment and provide recommendations. Put in place best practices through instituting organizational policies that address information security such as passwords, physical and logical access, asset tracking, least privilege, and
Investigate the merits of cyber insurance:
Cyber insurance has been the topic of conversation in recent information security venues, often bringing about more questions than answers. Cyber insurance could still be considered a relatively new product in the market but is quickly gaining steam. Many CIOs have serious concerns around whether these policies provide adequate coverage and would actually cover claims when needed, and some even question the need for the coverage at all. One thing is for certain: a lack of decision on this topic is a decision in and of itself; by default you are “self-insured”.
The most basic definition of what cyber insurance is can be taken from the Department of Homeland Security’s website: “Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.”
Unfortunately, traditional commercial liability insurance policies do not include any form of coverage in this area.
Each organization must take several items into consideration and ultimately make the decision of whether cyber insurance becomes a part of its overall cybersecurity program. Some key considerations to
- Determine the appropriate level of insurance based primarily on how much your organization is willing to pay out of pocket if an incident were to occur.
- With no real standards developed in the industry yet, careful consideration must be given to each coverage type along with careful terminology review.
- Take great care in understanding what is covered, how it is covered, and for how long. Some policies have disclaimers around what should trigger each claim, how a claim is defined, how a claim is reported, and exclusions that could ultimately lead to the denial of a claim.
- The type of data and/or assets covered by the policy. How are digital records defined? Are paper records covered in the event of theft or “dumpster diving”?
- Coverage should include both third-party liability options as well as first-party coverage.
- Ensure the company is admitted by your state’s department of insurance for extra assurance.

In closing, cybersecurity must be taken seriously, and all efforts must be made to utilize the resources we have to eliminate as much risk and exposure as possible.