By Joe Howland, VC3
Cybersecurity is complex and can be confusing. For many local governments, security consulting is a new investment that has not been made before. As a result, we have seen many cities and towns struggling to identify a workable solution for securing county and municipal systems. How can you prioritize investment in cybersecurity and come up with a plan that meets your organization's needs? Let's see if we can begin to answer that question.
Basics of Cyber Attack Prevention
Cybersecurity basics include
running a reputable anti-virus package on all systems;
practicing good user controls;
not giving all users full administrative access to their workstations;
applying security patches regularly;
running firewalls at all locations with an internet connection; and
leveraging anti-spam technology.
Employee Cybersecurity Awareness Training
Beyond implementing basic infrastructure prevention, executing a strong cybersecurity plan requires more than your IT department or IT provider. Most successful attacks start with an email to an employee. These emails often trick employees into sharing credentials, initiating fraudulent wire transfers, and unwittingly launching ransomware attacks. An organization cannot merely protect the city's hardware and systems; it must also protect the employees.
In order to protect employees, it's critical to train them regularly on cybersecurity. Employees need to be capable of spotting fraudulent email messages. Two tools to assist employees are an email banner for messages coming from outside the organization and phishing simulations.
First, email banners that identify a message as coming from outside your organization are a simple way to raise awareness. A note from a coworker asking for sensitive information, with a banner across the top identifying it as coming from an external source, should immediately raise a red flag. Almost every email system can support this feature at no additional cost.
Second, phishing simulation platforms are prevalent and inexpensive. A simulation allows IT staff to identify employees who click on suspicious links and provide targeted training to those individuals. When used repetitively, these training platforms shift the culture of the organization to caution. Employees start questioning the request in the email and begin asking themselves, "Does this message make sense? Is the action I am being asked to take reasonable? Did John really just email me out of the blue and ask me to redirect his paycheck to a new account?"
Response and Recovery
After putting some of the basic prevention measures mentioned above in place, it's time for an organization to plan for how to respond to and recover from a security incident. The reality is that investing in security can dramatically lower the likelihood of an event, but there is no guaranteed way to avoid one. Having a response and recovery plan in place before an attack occurs allows a city to quickly respond with a reduced disruption of services to residents. Cyber liability insurance and data backups are two key elements to a recovery plan.
Backups Are Your Best Friend
The importance of data backups to an organization's ability to recover from a disaster is not new. The value of backups was recently put to the test after Hurricane Dorian traveled up the east coast. The organizations with properly configured backups reaped the benefits of faster, easier restoration to normal operations. While a cyber attack is very different from a hurricane, the same principles of disaster recovery apply. In either case, backups are critical to recovery.
There are a few problems we regularly see with the configuration of data backups. First, it's common to discover that only a portion of your data is being backed up. This means that you can't undergo a full recovery. Second, it's typical to discover the backup data isn't replicated to a remote location and does not have enough separation from your production network. There have been several recent instances of organizations whose production data and backup data were encrypted in the same ransomware attack. Ask your IT department or IT provider when the last test restore of your data was performed. Testing your restore capability is the only way to know for certain that your backups are functioning properly.
Speaking of restores, organizations typically underestimate the amount of time it will take to restore their data. With the right backup solution in place combined with a strong recovery plan, systems can be restored in several hours or days. Without proper backups and a tested plan, cities can spend months on recovery efforts. The only way to know for sure how long it takes to restore your environment is to perform a full system restoration test. It is also important to note that not all data is of equal value. Some systems must be rapidly restored to continue services for cities and towns, while others can be down for weeks or months with little impact.
Importance of Cyber Liability Insurance
The costs of cyberattacks are increasing. Large and small cities have been in the news many times recently regarding fraudulent wire transfers of hundreds of thousands of dollars and ransomware payouts totaling more than a million dollars. Cyber liability insurance can protect an organization from the costs of a ransomware attack — covering the ransom itself or the costs of a recovery effort. An added benefit of cyber liability insurance is the expertise that the carrier can bring to the table in the event of an incident. Coverage providers can offer forensic expertise to untangle how a breach occurred and expertise in dealing with a ransomware attacker.
Changing Landscape of Cybersecurity
There are other technologies and processes to consider for a long-term cybersecurity plan, including multifactor authentication, an incident response plan, and regular security scans. Cybersecurity is complex and the landscape is constantly changing. New solutions and products are frequently introduced and new types of attacks surface just as often.
Cybersecurity is a specialized component of IT. Even cities that feel they have a robust plan in place should seek outside expertise. A security gap analysis or security assessment from a reputable organization is another opportunity to determine vulnerabilities. When selecting an outside organization to assist with cybersecurity, keep in mind that cybersecurity is not a one-time effort. Cybersecurity plans need to be reviewed, tested, and updated regularly.
Joe Howland is the chief information security officer at VC3, the Municipal Association's technology partner.