From our friends at MRSC: Mike Kaser, IS Director for the City of Mercer Island, weighs in on protecting local governments from cyber attack. You can read the original here.
The use of technology to support service delivery by local government continues to grow. Whether it’s a 911 dispatcher, firefighter, patrol officer, utility crew member, or an elected official, all of these local government employees use technology as part of their everyday duties.
IT departments are expected to maintain operations with little to no downtime while cybersecurity incidents, like the recent global ransomware attack dubbed “WannaCry,” are one of many risks we face. Even the most sophisticated and well-funded organizations are finding their data unceremoniously dumped onto the Internet.
How can small jurisdictions with so few resources have a capable cybersecurity program in the face of today’s many risks? Simply put, determine what can be done within current resources and skill sets, then communicate honestly and openly with your organization’s leadership about where the gaps are. You must share and decentralize the risk beyond IT.
Cybersecurity risks have been around for a long time. Organizations employ different technologies like permissions, IDS/IPS, logs, firewalls, anti-virus, encryption, backups, etc. in response to that risk.
What is new is the scope and impact of security issues to the organization, the sophistication and quantity of the bad guys, and the need to get every employee thinking about their role on the organization’s “security team.” Imagine explaining why your utility customer’s payment information was sold on the dark web or not being able to answer 911 for a few hours.
Some percentage of resources must be dedicated to cybersecurity to maintain the trust of your organization, your elected officials, and the people your jurisdiction serves.
The Mercer Island Approach
A great first step is to discuss this risk with leadership and define what success looks like within your organization’s resources. For the City of Mercer Island, “success” at a high level includes Communication, Policies and Plans, Training, Technology, and Assessments.
Talk to your organization and let them know what’s up with this whole “cyber” thing. This step is simple. Let people know that you believe there is risk. Give tangible, not hyped, examples of possible events (maybe they have already happened).
Explain what the current IT capabilities are and discuss the gaps. For smaller agency IT managers, this is key. You must explain where the risk is to the organization’s leadership. Simply repeating you are understaffed or don’t have enough money isn’t enough. By highlighting specific gaps to leadership, the responsibility is now in the hands of those most responsible for managing an organization’s risk.
Policies and Plans
Love them or hate them, they are critical. Policies can identify risk and explain everyone’s roles and responsibilities. Create or update your policy together with members from all departments and your leadership. Have the CEO sign it. The discussion alone will highlight for everyone what the issues are. It doesn’t have to be complex, either. Keep decentralizing the risk!
Document your technology at a high level and work with each department to establish ownership of the digital information staff collect, process, store, and transmit, as well as responsibility over the technology used to manage that data. Create and exercise a high-level incident response plan that isn’t 65-pages long. Use frameworks like the NIST cybersecurity framework to guide your planning.
Train all employees on cybersecurity measures, beginning with IT. They are the front line and need a solid understanding of the issues. And I don’t mean CISSP training. I mean real, hands-on, learn-how-to-hack, break-into-systems training (using test labs, of course). They need to know what the bad guys know to be able to defend your organization well. OSCP, certain SANS courses, and other hands-on training are recommended.
Make your training fun for employees! Get departments other than IT involved in developing the training. We used departmental staff to develop the phishing emails in our phishing training campaign. They loved being a part of it. Train on your incident response plan!
Get some technology! Use both open-source (free or free-ish) and commercial technologies. Your agency already has employed some technology (hopefully) like firewalls, but there are lots of new and interesting ways security technology is evolving. A key and powerful tool to help prevent ransomware, AppLocker, is built right into recent versions of Windows.
Reach out to your vendors but be skeptical of “all-in-one” solutions. Build security language into contracts! You need a toolbox for this cyber stuff. This is where money and time become a real issue for small jurisdictions.
Identify the combination of products and services your organization can afford and decide which can be operated in-house and which requires vendor support. Whatever your capabilities are, there will be a gap. Just remember to communicate this gap to leadership and decide, together, how to address it. Consider insurance as an option or maybe outsource security entirely: these services exist!
Bring in qualified and credentialed third parties to do assessments. This is invaluable as a third party will highlight the problems that you have missed. This gives you a baseline for improvement, for highlighting the gap, and for communicating cybersecurity concerns within your organization.
Another important step is building relationships. Cybersecurity is complicated. Talking to people at the local, regional, and state, and even federal level is helpful.
Learn where the free resources are. You might be surprised how much help is out there. For example, the state’s Office of CyberSecurity, the Center for Internet Security’s MS-iSAC, and the United States Computer Emergency Readiness Team (US-CERT) all come to mind. Go to regional or local cyber security events and exercises. Learn and share with others.
This recipe has strengthened Mercer Island’s security posture but we will continue to identify, communicate, and address the gaps as new ones arise. After all, cybersecurity is now an everyday part of doing business.