Organizations have at their disposal a number of actions and practices that are known to improve their cybersecurity. However, a recent study conducted by ICMA and the University of Maryland, Baltimore County (UMBC) found that many local governments never take these actions at all. The share of respondents who said they never do so, and the share who did not know, were:
- cybersecurity awareness training for citizens (71.4 percent never and 20.6 percent do not know)
- cybersecurity awareness training for contractors (61.9 percent never and 19.9 percent do not know)
- cybersecurity awareness training for local elected officials (50.1 percent never and 13.8 percent do not know)
- forensic services after incidents or breaches (42.9 percent never and 20.7 percent do not know)
- cybersecurity exercises (40.8 percent never and 11.8 percent do not know).
As the nation experiences more and more cyber attacks, it is more important than ever that local leaders create and maintain a culture of cybersecurity within their governments. The key component is to ensure that all end users receive appropriate cybersecurity training (not once, but regularly) and are held accountable for their actions. You might be asking: what should I be looking for, and what are the elements of a sound cybersecurity awareness plan or program? Here is a list to consider.
- Assign a senior staff member to be in charge. This person might be the chief information officer, the chief information security officer, or another designee who is both technical and people-oriented. A high-level administrator or HR professional can also fill this role.
- The best plans are ongoing, not just an annual event of a few hours of training.
- Practice the elements of the plan and conduct drills to make sure everyone understands and complies.
- Make sure there are stated consequences for careless behavior, scaled to the severity of the violation.
- While holding to your stated policies and procedures, also create a positive environment that encourages staff to report immediately if they believe they have come across something wrong. Staff who fear punishment for clicking a bad link will hide it, and a delayed report costs far more than the click itself.
- Conduct regular, focused sessions that explore the various types of cyber attacks. This demonstrates your organization's commitment to keeping systems safe and keeps the topic front and center with employees.
- Consider role-playing to demonstrate how criminals use the phone or social media to manipulate staff into handing valuable data to the wrong people.
- Employees should be trained to recognize an attack: not only what it looks like, but whom to call and when to report it.
- Always encourage employees to come forward with anything that does not look or feel right. In many cases an alert employee reported something as it was unfolding, and the organization was able to minimize damage and loss as a result.
- Overall, training must be relevant and should be fun – like playing detective or guarding the “palace” as in a video game.
Throughout October, ICMA, in partnership with the Public Technology Institute (PTI), will offer a variety of cyber-checklists specifically aimed at the public manager. The goal of this partnership is to help you better understand the importance of cybersecurity and provide you with the tools to make your organization a safer and more secure environment. View last week's post on Simple Steps to Online Safety: A Checklist For You and Your Staff.
There are many resources one can turn to for more information and assistance on cybersecurity. Some are more technical; if one seems useful, simply pass it on to your technical staff, which also shows your interest. Remember, cybersecurity awareness is about awareness!