When it comes to cybersecurity, an organization’s greatest strength—and its greatest vulnerability—is its people. That was one of many points of agreement between participants in the recent Route Fifty viewcast “Communicate to Convince: Prioritizing Cybersecurity in State and Local Governments.”

The panelists represented local governments at two ends of the population spectrum: ICMA member Richard Brown, town administrator in Somerset, Massachusetts, a community of about 18,000; and Keith Young, enterprise information security official in Montgomery County, Maryland, a jurisdiction of more than 1 million.

Yet despite the difference in size—and resources—they offered remarkably similar perspectives on the risks, approaches, and challenges of today’s cyber environment:

• Educate, educate, educate: Teach employees about the risks that lurk in their e-mail and online, the common scams (fake invoices or those out-of-country bankers and people asking for personal information), the importance of security practices (don’t plug USBs into your computer unless you’re sure about their safety), and the consequences that can result from security breaches.
• A risk is a risk is a risk, whether it’s a cyber breach, a police walkout, or a snowstorm. Local governments routinely secure their facilities and control physical access; they need to control electronic access as well, because their systems hold a great deal of personal and other sensitive information. Explain cybersecurity vulnerabilities and risks to stakeholders (e.g., senior managers and elected officials) to guide decisions about what level of risk is appropriate for the jurisdiction and what level of resources will be devoted to addressing it.
• Adopt sound policies and controls, ensure that they are in place—and make sure they’re supported and enforced from the top down. Some controls reside with technical staff (firewalls, antivirus software), but many depend on actions by people at all levels of the organization: e.g., password policies, guidelines for using government devices. And match the level of access to the sensitivity of the information, limiting access to the minimum number of people necessary.
• Learn and share. Internally, it’s important for any department that experiences a cyber incident to share that information within the organization so that others can learn from it. In terms of external resources, Brown cited information from ICMA and the Baldrige Cybersecurity Initiative as examples. Young mentioned the Multi-State Information Sharing & Analysis Center (MS-ISAC) as a great resource for state, local, and tribal governments.
• Get creative when resources are limited: Many basic cybersecurity safeguards can be put in place at low cost (education, training, policies and controls). But the panelists also had creative ideas for managing the technical side. Somerset, for example, has no in-house IT staff but relies on private-sector partners for its IT and cybersecurity needs. Montgomery County works with small vendors who are building up their local business, and Young said he saves 75-80 percent of the expense compared with using large vendors. Cloud-based solutions also can shift some IT management costs to external sources.
• If a breach occurs, be as open as possible about what happened, what you’re doing about it, and what you’ve learned. Some states require notifications when a breach has occurred.

You can access the viewcast to hear the entire conversation.

Additional Resources

Here are some additional resources:

• Cybersecurity: What’s Your Risk? Six questions managers should ask.
• Cybercrime @ City Hall. A PM magazine article discussing steps a local government can take to prevent data breaches and protect the community.
• Technology at the Administrator's Side: Empowerment or Security Risk? This article by Dr. Costis Toregas for the National Association of County Administrators (NACA) discusses the technology tools that make the public administrator's job easier--and provides cautions about the security risks each one presents.
• Cyber Security: Developing Threats. Another article from NACA highlights several ransomware attacks on government websites.
• Cybersecurity for Local Governments. This webinar, presented May 30, 2013, is available on CD-ROM.
• Local Government Guide to Cyber Security. Guidance for local appointed and elected officials.
• Cyber Disruption Response Planning Guide. Resources provided by the National Association of State Chief Information Officers (NASCIO), equally useful at the local level.
• How You Can Protect Your Community from Getting Cyber Hacked. See the quick reference checklist for cybersecurity tasks.
• Cyber Disruption Response Planning Checklist. An expanded checklist is drawn from the NASCIO guide.