For the past several months I’ve been working on a cyber loss control project performing risk assessments for over 100 New Jersey municipalities. I’m winding down the first phase of the project, which was assessing and identifying vulnerabilities within their IT practices.
The findings have been tremendously interesting. In this post, I’ll briefly enumerate six of the many observations this work has made possible.
1) Municipalities Usually Don’t Have a Disaster Recovery Plan
Over 80% of the municipalities do not have a robust, well-documented disaster recovery or business continuity plan in place. This leaves them extremely vulnerable to data loss of any kind, including destruction by ransomware, and makes it a toss-up whether they could serve their constituents effectively after a disaster. Most have some form of backup system in place; in many cases, however, that alone would not be enough to restore full functionality, particularly where the backups have never been test-restored or sit on the same network (and the same credentials) that a ransomware operator would encrypt.
2) There Are Very Few Local Government Third-Party Risk Management Programs
Many municipalities (at least 60%) outsource some elements of their services. Yet very few have a third-party risk management (TPRM) policy in place to assess the risks and vulnerabilities that these outsourcing arrangements introduce.
For example, many municipalities outsource their payroll services. Yet they largely have not done due diligence on the security posture of the service provider. Nor do their contracts reflect any contingencies if that provider suffers a data breach in which names, birth dates, Social Security numbers, salaries, etc. are compromised. What is the security posture of these third-party entities? Have their practices been audited against a known standard, or have they gone through a certification process? Do they perform background checks on their employees? Most municipalities have no idea.
Similarly, many municipalities outsource credit card processing to third-party services. A big reason for this is that towns are prevented from passing on credit card service fees to residents, whereas a service provider can recoup the fees. But is this vendor PCI-compliant? How secure is their IT environment? Again, most municipalities never inquired.
3) Local Municipalities Need Password Management Policies
Most municipalities don’t have an adequate password management policy. Some have no policy at all, while others rely on practices that are long outdated. Modern password cracking hardware makes short passwords trivially cheap to break: an eight-character password of any composition can be exhausted offline in hours against a fast hash, and any password found in a dictionary or in a list of previously breached passwords falls in minutes. Today a policy should require length over complexity (at least 10 characters, and preferably a longer passphrase), screen new passwords against known-breached lists, and back them with multi-factor authentication. Forcing a change every 60-90 days, once standard advice, is no longer recommended by NIST SP 800-63B, because it mainly produces predictable variations of the old password; passwords should instead be changed when there is evidence they have been compromised.
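To make the policy points above concrete, here is an added example (not code from the original post) that checks a candidate password against a length rule, a constructed stand-in for a breached-password list and a tiny dictionary, and then gives an order-of-magnitude estimate of how long exhausting its keyspace would take. The guess rate of 1e11 per second is an assumed round figure for a multi-GPU rig against a fast unsalted hash; it is not a measurement from the assessments.

```python
"""Password policy checks plus a crack-time estimate.

Added example, not part of the original post. BREACHED and DICTIONARY are
constructed stand-ins; a real deployment would query the Have I Been Pwned
Pwned Passwords corpus (hundreds of millions of entries) and a full wordlist.
"""
import string
from typing import List

# Constructed stand-in for a breached-password list (exact-match, case-sensitive).
BREACHED = {"password", "password1", "Welcome123", "Summer2019!", "letmein", "township1"}
# Constructed stand-in for a dictionary (lower-case base words).
DICTIONARY = {"township", "municipal", "welcome", "summer", "password", "newjersey"}

MIN_LENGTH = 12  # policy choice; NIST SP 800-63B's floor is 8, longer is cheaper to defend

# Assumed order-of-magnitude guess rate: multi-GPU rig vs. a fast unsalted hash (e.g. NTLM).
# Divide by 1e5 or more for a slow, salted hash such as bcrypt or Argon2.
ASSUMED_GUESSES_PER_SECOND = 1e11


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw in BREACHED:
        problems.append("appears in breached-password list")
    # "Township1!" is really the dictionary word "township" with decoration on the end.
    base = pw.lower().rstrip(string.digits + string.punctuation)
    if base in DICTIONARY:
        problems.append("dictionary word with trailing digits/symbols")
    if len(set(pw)) <= 2:
        problems.append("repetitive")
    return problems


def alphabet_size(pw: str) -> int:
    """Size of the smallest standard character class mix that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    if " " in pw:
        size += 1
    return size


def brute_force_seconds(pw: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust every password of this length and character mix.

    This is an upper bound for a pure brute-force attacker; dictionary and
    rule-based attacks finish far sooner against human-chosen passwords, which is
    why check_password() runs the list checks first.
    """
    return alphabet_size(pw) ** len(pw) / guesses_per_second


def report(pw: str) -> dict:
    """Combine both checks into one result for a candidate password."""
    secs = brute_force_seconds(pw)
    return {
        "problems": check_password(pw),
        "keyspace_hours": secs / 3600,
        "keyspace_years": secs / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    for candidate in ("Abcd123!", "Township1!", "Summer2019!", "correct horse battery staple"):
        print(candidate, report(candidate))
```

Note that an eight-character mixed-case, digit and symbol password (a 94-character alphabet) is exhausted in roughly 17 hours at the assumed rate, while a four-word lower-case passphrase is out of reach by many orders of magnitude, even though it uses only 27 characters.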
4) Local Municipalities Need Security Awareness Training Programs, Too
Only a very small percentage of municipalities have an effective information security awareness and education program in place to train their employees around how to defend against ransomware, phishing attacks, etc.
Funny story: At one of the municipalities where I did a gap assessment, the employees were told that if they think they’ve fallen prey to malware or if they suspect that something “just isn’t right,” they are to immediately and without hesitation yank, rip, cut or otherwise disconnect that system’s data jack from the wall. That’s better than no training at all, but it could certainly be improved upon.
5) Local Government Emails Are Not Encrypted
The great majority of municipalities don’t encrypt email when sending sensitive information outside their organizations. For example, a workers’ compensation form containing Protected Health Information (PHI) may be sent as an attachment to an insurance company by regular email, without encryption, leaving it exposed to interception in transit and to anyone who can read either mailbox. TLS between mail servers is opportunistic by default, so unless the mail gateway is configured to require TLS for the recipient’s domain, or the message or attachment is itself encrypted (S/MIME, PGP, or a secure file-transfer portal), the municipality has no assurance that the PHI ever traveled protected.
6) Computer Recycling Used Infrequently by Municipalities
20%-30% of municipalities don’t know what to do with their old computers, so they just turn them over to Public Works for storage. The quick fix here is to call an e-waste recycler and insist on a certificate of data destruction. If funds aren’t available for recycling, removing the hard drives and drilling a minimum of three holes through each one on a drill press is a lot better than leaving them lying around unprotected and packed with sensitive data. Two caveats: a drilled platter still holds most of its data for anyone willing to read it in a lab, so drilling is a deterrent rather than true sanitization; and solid-state drives need every flash chip destroyed, or, better, an ATA Secure Erase or cryptographic erase as described in NIST SP 800-88, because neither a few holes nor a software overwrite reliably purges flash.
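For municipalities that do have a staffer with a screwdriver and a spare PC, the software alternative to the drill press for magnetic drives is an overwrite (NIST SP 800-88 “Clear”). The following added example, not code from the original post, overwrites a target in full, then scans it to confirm a known marker is gone. It is demonstrated on a constructed temporary file; pointed at an unmounted block device path as root it does the same to a whole disk, so the caveat in the code about SSDs and about never targeting a mounted filesystem applies.

```python
"""Overwrite-and-verify sanitization (NIST SP 800-88 'Clear') for magnetic media.

Added example, not part of the original post. Works on a file or an unmounted
block device path. NOT sufficient for SSDs or flash, whose wear-levelling keeps
copies the host cannot address: use ATA Secure Erase or cryptographic erase there.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB write/read buffer

# Constructed sample of the kind of data found on a retired municipal PC.
SAMPLE = b"SSN: 123-45-6789 (constructed sample)"
PAD = 12345


def _target_size(fd: int) -> int:
    # os.fstat().st_size is 0 for block devices, so find the end by seeking instead.
    return os.lseek(fd, 0, os.SEEK_END)


def overwrite(path: str, passes: int = 3) -> int:
    """Overwrite every byte of path `passes` times: random data, then zeros on the last pass.

    Returns the number of bytes written per pass. Refuses nothing: do not point
    this at a mounted filesystem or at a drive you still need.
    """
    fd = os.open(path, os.O_WRONLY)
    try:
        size = _target_size(fd)
        for p in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                buf = bytes(n) if p == passes - 1 else secrets.token_bytes(n)
                written = 0
                while written < n:  # os.write may return a short count
                    written += os.write(fd, buf[written:])
                remaining -= n
            os.fsync(fd)  # force each pass to the media before the next one
    finally:
        os.close(fd)
    return size


def contains(path: str, marker: bytes) -> bool:
    """True if marker occurs anywhere in path; reads in chunks with overlap so a
    marker straddling a chunk boundary is still found."""
    overlap = len(marker) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-overlap:] if overlap else b""


def demo() -> dict:
    """Create a constructed 'disk image' holding SAMPLE, wipe it, and verify the wipe."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(SAMPLE * 1000 + b"x" * PAD)
        path = f.name
    try:
        before = contains(path, SAMPLE)
        size = overwrite(path, passes=3)
        after = contains(path, SAMPLE)
        with open(path, "rb") as f:
            all_zero = f.read() == bytes(size)
    finally:
        os.unlink(path)
    return {"before": before, "after": after, "size": size, "all_zero": all_zero}


if __name__ == "__main__":
    print(demo())
```

The verification step matters as much as the overwrite: a sanitization procedure that nobody checks is exactly the kind of control that looks fine on paper and fails in the audit.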
Of course, it’s often more difficult for small, rural townships with under 15 employees to live up to the same security standards as larger communities that can fund IT departments. Yet both face similar risks and are subject to similar compliance requirements.