A few months ago, I blogged about eye-opening findings from a cyber loss control project I’ve been working on, which involves risk assessments of over 100 New Jersey municipal governments. Now largely completed, this work underscores why so many municipal governments are so vulnerable to cyber attack.
I’ve found there’s a clear relationship between the size of a municipality’s budget and the strength of its cybersecurity posture. Perhaps the single biggest reason why more affluent municipalities have better security practices is they are more likely to have their own Information Technology staff.
Even if it’s only one person, a dedicated IT resource can make all the difference when it comes to prioritizing and sustaining security-related changes. In-house IT staff usually take responsibility for keeping an eye on security, even if it inconveniences other employees.
But when you outsource IT, the provider’s focus is on giving you what you ask for. They don’t see it as their job to proactively change how you operate—let alone enforce the rules. At best, they are incentivized to suggest and recommend new services.
As a result, municipalities that outsource IT generally have less comprehensive security policies and procedures (e.g., backup and password policies) than those with in-house IT.
How can smaller municipal governments that outsource their IT make cybersecurity a priority when they may have little or no funding to do so, and little or no in-house expertise to drive the effort?
Here are the four most important things you can do as a municipal government administrator, even when funds are limited:
1. Pull the Trigger: Put Controls in Place Now!
Municipal decision-makers are, in general, well aware their organizations are prime targets for hackers. Not only do they store, generate and process large amounts of sensitive data, but their systems are soft spots through which sophisticated cybercriminals can access state-level networks and other large systems.
Want proof? One security-savvy township CFO I spoke with asked the town’s internet service provider for statistics on the origin of hits to their municipal website. 86% came from outside the US, mostly from Europe and China. Probably almost all of these were hackers’ automated probes.
But while municipal managers realize security is critical, many are still in denial about the urgency of implementing security policies and procedures. They often say they’re moving slowly because “they haven’t been breached yet” (that they know of).
This is like not changing your car’s oil because the motor hasn’t seized yet. Sooner or later it will happen and it will be costly and problematic. Now is the time to “pull the trigger” and put controls in place.
How many of the municipalities I worked with have been hacked? Only about 7% acknowledged or reported it. Many undoubtedly chose not to disclose their experiences, and many more are not yet aware they’ve been hacked. (Research shows that up to 90% of business, healthcare and government organizations of all sizes have experienced at least one cyber attack.)
2. Provide Security Awareness Training
Virtually none of the municipalities I’ve been working with have a formal cybersecurity awareness education program in place. Your defenses are only as strong as your weakest link. If a staff member opens a malicious file or clicks a malicious link and you get breached, it’s because that person wasn’t properly trained on what to watch out for.
Joint insurance funds, insurance carriers, and government risk pool members know that it’s to their advantage to train municipal employees because this reduces the frequency and magnitude of claims. Increasingly, these partners are investing in security awareness education for municipalities.
Professional organizations are also encouraging security awareness training. For example, I recently presented on cyber awareness in Atlantic City to the New Jersey Tax Collectors and Treasurers Association. This trend is a good thing and is likely to continue as more municipalities feel a sense of urgency about cybersecurity.
3. Create and Share an Incident Response Plan
Of the 100-plus municipalities I worked with, an astonishing 98% do not have Disaster Recovery (DR), Business Continuity (BC) or Incident Response (IR) plans in place when it comes to the restoration of IT services. Nearly every municipality I work with that outsources IT has the following IR plan: “Call the IT person.”
If your office burns down or you get hit with ransomware, what will actually happen when you “call the IT person”? What will your staff be called upon to do? What’s most important to do first? You need to discuss your Incident Response procedure with your IT provider, make a workable IR plan, and make sure everyone knows the plan.
Because IR is so key to reducing the impact of a disaster or data breach, joint insurance funds and other partners are starting to provide municipalities with “cheat sheets” that tell them who to call and what to do when a breach or disaster occurs. But something that’s more detailed and specific to your organization would be even better.
4. Find a Cybersecurity Champion
Many smaller municipalities are lucky enough to have a manager or employee who “gets it” and is motivated to work with the IT vendor to help drive a stronger security posture. In my experience, this has usually been someone with experience in private sector environments where controls are tighter, such as financial services or auditing firms. Finding and encouraging that person can make all the difference.
I’m glad I can report that there’s momentum behind municipalities recognizing their vulnerability and improving their cybersecurity. Because these entities are under attack every day.
To discuss the right steps to protect your municipal systems and data, including educating employees and making a response plan if a breach occurs, contact Pivot Point Security.