Despite differences in size and resources, local governments everywhere should be aware of the cybersecurity risks and challenges that living in a highly interconnected, Internet-driven world presents. Whether it’s a cyber breach, a police walkout, or a snowstorm, local governments routinely secure their facilities and control physical access, and they need to control electronic access as well.
During “Communicate to Convince: Prioritizing Cybersecurity in State and Local Government”—a viewcast hosted by ICMA media partner Route Fifty to coincide with National Cybersecurity Awareness Month—ICMA’s Richard Brown, town administrator, Somerset, Massachusetts (pop. 18,000), a longtime professional local government manager; and Keith Young, enterprise information security official in Montgomery County, Maryland (pop. 1.01 million) agreed that when it comes to cybersecurity, an organization’s greatest strength—and its greatest vulnerability—is its people.
While at two ends of the population spectrum, Brown and Young offered remarkably similar perspectives on the risks, approaches, and challenges of today’s cyber environment, including
- Educate employees about the risks that lurk in their email and online, the common scams (those out-of-country bankers and people asking for personal information), the importance of security practices (don’t plug USBs into your computer unless you’re sure about their safety), and the consequences that can result from security breaches.
- Explain cybersecurity vulnerabilities and risks to stakeholders (e.g., senior managers and elected officials) to guide decisions about what level of risk is appropriate for the jurisdiction and what level of resources will be devoted to addressing it.
- Adopt sound policies and controls, ensuring that they are in place and making sure they’re supported and enforced from the top down. Some controls reside with technical staff (firewalls, antivirus software), but many depend on actions by people at all levels of the organization: e.g., password policies, guidelines for using government devices. And control access to sensitive data to the minimum possible number of people.
- Learn and share. Internally, it’s important for any department that experiences a cyber incident to share that information within the organization so that others can learn from it. In terms of external resources, Brown cited information from ICMA and the Baldrige Cybersecurity Initiative as examples. Young mentioned the Multi-State Information Sharing & Analysis Center (MS-ISAC) as a great resource for state, local, and tribal governments.
- Get creative when resources are limited. Somerset has no in-house IT staff but relies on private-sector partners for its IT and cybersecurity needs. Montgomery County works with small vendors who are building up their local business, and Young said he saves 75-80 percent of the expense compared with using large vendors. Cloud-based solutions also can shift some IT maintenance costs to external sources.
- Be as open as possible if a breach occurs about what happened, what you’re doing about it, and what you’ve learned. Some states require notifications when a cyber breach has occurred.
To hear the entire discussion, access the October Route Fifty viewcast and then download Route Fifty’s Prioritizing Cybersecurity ebook. Also link to the related article on ICMA’s website for a list of valuable resources.
ICMA, the International City/County Management Association, advances professional local government worldwide. Our mission is to create excellence in local governance by developing and fostering professional management to build livable communities that improve people’s lives. ICMA provides member support; publications; data and information; peer and results-oriented assistance; and training and professional development to more than 11,000 city, town, and county experts and other individuals and organizations throughout the world. The management decisions made by ICMA's members affect millions of individuals living in thousands of communities, from small villages and towns to large metropolitan areas.