By Dmitry Shub, IT network infrastructure and security manager, Evanston, Illinois
The shifting focus of technology implementations in governmental agencies and municipalities around the country have one thing in common now more than ever: an increasing awareness of potential gaps in cybersecurity threat prevention and incident mitigation. Thanks to recent and well-publicized data breaches incurred by such high-profile public and private enterprises as Yahoo, Target, and Equifax, there has been a tacit shift in most organization’s appreciation for the necessity of implementing a thoughtful cybersecurity program. The old approach that a firewall was enough to keep out the bad actors and that further security controls are simply a “nice to have” has been replaced with a general understanding that security controls are now a “must have.”
Government agencies large and small are in no way immune from the growing cybersecurity threat landscape.
With that reality in mind, ICMA has recently partnered with tech giant Microsoft to release a publication entitled Cybersecurity: Protecting Local Government Resources. This report, just one in a series on leveraging technology in planning day-to-day operations for local government, serves as a playbook for implementing robust security controls for communities of any size. Its greatest asset may be that it aggregates a collection of survey data, case studies, and generally accepted best practices for the design of a holistic security program, making that information digestible for senior management and technical staff alike.
A major point that the document attempts to reinforce is that threats originate from within an organization and that we can no longer count on an approach where the network perimeter is simply secured. Attackers routinely compromise networks with a combination of social engineering, spear phishing, and toolkits easily acquired on the web. Once they get inside, would-be attackers may spend up 200 days inside your network before their activities are detected. These two pieces of information guide much of what makes up a targeted cybersecurity program. First, those insider threats pose the greatest attack surface for a bad actor. And second, it is imperative that a detection mechanism is in place to recognize activity that appears anomalous.
The publication does a nice job of rolling up survey data from hundreds of participating local governments and paints a picture of the current cybersecurity landscape that is consistent with what is being experienced in the private sector. About a third of reporting agencies acknowledge known security breaches with another quarter that simply do not know if they have been hacked due to a lack of tools or personnel. More than two-thirds of respondents say that a lack of funds is a modest to a severe barrier to their own implementations of a robust cybersecurity program. Although these numbers are a bit disheartening, it is certainly not for a lack of trying as at least two-thirds of participants say that they have the support of management to improve their security controls.
Municipal governments can face spending limits but there are several facets of implementing a cybersecurity program that can be most impactful.
Such actions as suggested by the publication include cybersecurity awareness training for staff, elected officials, and contractors alike, engaging with a forensics firm to use as a remediation partner after an incident, and execution of cybersecurity exercises in the same manner as routine testing of disaster recovery plans. Roughly 60 percent of organizations provide some form of security awareness training today. This is a most effective way to reduce your susceptibility to internal threats by providing personnel with the tools to recognize suspicious emails and attachments.
For those organizations with mature security budgets in place, there are several areas to focus on. These include anti-virus, anti-malware software to identify and quarantine malicious payloads; intrusion detection and intrusion prevention systems that can monitor the ingress and egress of data on the network, which a great indicator of a breach; multi-factor authentication can greatly restrict access to network resources and is a space with many vendors offering consistently reliable service; and the implementation of next-generation firewalls that fully inspect packets rather than simply apply access control rules based on IP addresses.
A recurring theme in the document is one of building a culture of security across the organization. An approach that is not simply a collection of black boxes and log aggregators but rather a more holistic viewpoint where security is everyone business, not just the fiefdom of the CISO. It is policy and training that can help mitigate risk when used in concert with software. That combination is what can provide more vision into the activities that occur in and on a network.
ICMA and Microsoft have delivered a knowledge-filled publication that has many actionable items for the implementation of a new cybersecurity program or for the refinement of existing programs.
The survey data can help organizations see how they compare with others, and an included cybersecurity maturation graph can help organizations quickly see where they reside on the roadmap. Perhaps the most useful collection of data resides in the provided list of annotated online cybersecurity resources, which collates dozens of resources with links. Readers of the ICMA report on cybersecurity will find plenty of actionable items as they continue to mature their own security programs no matter their starting point.
To learn more, download your free copy of "Cybersecurity: Protecting Local Government Digital Resources."