Five Steps to a Cybersecurity Culture in an Election Year

To protect government information, local leaders should take the following five steps to advance cybersecurity culture in their organizations.

By Meredith Trimble, senior marketing content specialist, Tyler Technologies | Aug 25, 2020 | BLOG POST

Sponsored content by Tyler Technologies

In the current cyber threat environment, city and county managers must not only be vigilant, they must be strong advocates for cybersecurity. At no time is this more important than heading into a presidential election. To successfully prepare for, detect, and mitigate risk, governments must develop their own organization-wide cybersecurity cultures now. A cybersecurity culture cannot exist in a meaningful way without complete support and buy-in from leadership.

To ensure that everyone is on the same page and working to protect government information, city and county leaders should take the following five steps to advance cybersecurity culture in their organization.

1. Create Institutional Memory

Developing a cybersecurity culture begins with building a base of institutional memory: knowledge and information that has been moved out of someone’s head and into a “living” document. Active organizational documentation includes the following document types that support a successful cybersecurity culture:

  • Policies.
  • Procedures.
  • Guidelines.
  • Asset inventories.
  • Change documentation.
  • Network infrastructure diagrams.
  • Data flow diagrams.
  • An Incident Response Plan.
  • Continuity of Operations Plans, such as Business Continuity Plan (BCP), Disaster Recovery (DR), and Vendor Management.

2. Invest in People

In order for a cybersecurity culture to endure, strategies must include the people who make up a government’s culture. Leaders must lead by example when it comes to cybersecurity, actively participating in and supporting the mission to ensure security.

It is important to communicate your cybersecurity strategy to prospective employees during hiring. Job descriptions should include cybersecurity responsibilities for each role, as cybersecurity is truly everyone’s job. At minimum, new hire information should include individual responsibility for following cybersecurity policy and protecting the organization’s information.

Regardless of role, all staff should receive cybersecurity awareness training and testing at least quarterly. To foster motivation and accountability, include security metrics and performance in employee reviews.

3. Develop Processes

Process plays a critical role in building a cybersecurity culture that will stick. Every process should include learning, improvement, and accountability touch points, as well as provide end-to-end corroboration of the function it represents. Critical process examples include:

  • User Equipment and Provisioning. Centrally manage equipment and system access based on user role. Equipment and access should change as roles evolve. Upon termination, all access must be removed.
  • Change Management. Make sure to pre-determine controlled change-types according to risk. Document any changes and provide end-to-end corroboration of the function the change-type represents. Tie all changes performed to changes approved.
  • Cyber Risk Management. Use organizational risk criteria to guide the risk assessment process, such as: (1) Current vulnerabilities and existing threats; (2) Organizational impact if a vulnerability were to be exploited; and (3) The likelihood of exploitation, given the control environment. Risk assessments should be scheduled and include a programmatic remediation process to deal with risk mitigation and remediation activities.
  • Account Review. Centralized management confirms with managers which staff members truly need access to each system.
  • Activity Review. Daily log analysis is important to understand what has passed through preventative control layers and to detect malicious activity.
  • Threat Intelligence. An effective threat intelligence process includes: (1) Identifying sources that define and explain the evolving threat landscape; (2) Documenting how the sources will be used; and (3) Assigning roles and responsibilities for collecting, assessing, and distributing the information, and for acting on it. A key source of threat intelligence is the Cybersecurity and Infrastructure Security Agency (CISA). Monitor their site daily.
  • System Lifecycle Management. Security should be woven into all lifecycle management conversations, from acquisition to destruction.
  • Incident Response Plan. It is critical that your Incident Response Plan contain detailed instructions for responding to common cyberattacks, such as ransomware and denial of service attacks. In addition to detailed procedures, your organization should have a designated Incident Response Team. This team should undergo regular tabletop exercises so that they have a solid understanding of their roles in the event of a cyberattack.

4. Use Technology

Technology—along with people and process—is a central part of any government’s cybersecurity culture. The culture around the firewall, for example, includes:

  • Documented business justification for each rule allowing traffic in and/or out. What business purpose does each rule support?
  • Patching and updating of the firewall’s firmware.
  • Physical security of devices.
  • Backups of configuration.
  • High availability pairing for fault tolerance.

5. Practice and Test

Practice and testing can help government employees learn without the pressure of performing. Testing can also ensure that controls are working as intended, and includes:

  • People—Test your people by doing social engineering assessments (such as network and telephone pretexting) to ensure that employees know how to identify fraud attempts. Phishing email tests will also help them identify fraudulent emails.
  • Process—Audits can help determine if processes are working and operating according to policy.
  • Technology—Performing external penetration testing, internal configuration analysis, and vulnerability scanning, as well as disaster recovery testing, will help keep a municipality's technology knowledge and implementation up to date.

Integrating people, processes, and technology (with frequent checks of all three) is the foundation of a lasting cybersecurity culture. The above five steps can give government organizations the tools they need to adequately prevent and defend against cyber attacks.  

A Note on Elections

Public sector security is gaining even more attention today with the national election around the corner. Cybersecurity culture goes hand in hand with election security. Government leaders need to invest in and support a strong cybersecurity culture in order to be secure. Understanding all the potential risks and determining how to best mitigate them is key. There isn’t a silver bullet that promises 100-percent security; it takes a combination of people, processes, and technology to protect election integrity along with all other government data.

Everyone at every level must understand the risks and know their role in safeguarding information. Processes should be reviewed now, with an eye on security and any gaps that should be filled. Perhaps new policies are in order, or new technology is required. The most important thing is that leaders are confident they can detect if anything goes wrong and be prepared to respond.

For more information, review CISA’s “Best Practices for Securing Election Systems.”

Learn how to build an effective cybersecurity program in this previously recorded webinar, including best practices for maturing the program and achieving maximum ROI on your cybersecurity investment.


ICMA Blog

