Erich Falke

Organizations in every industry are worried about information security. Attacks take place nearly every day, often resulting in the exposure of vital personal records or attackers using data to extort money.

The FBI’s Internet Crime Complaint Center reports that cyberattacks have roughly quadrupled since the COVID-19 pandemic began in early 2020. The shift to remote work increased the number of possible failure points and created a large, distracted workforce vulnerable to cyberattacks.

Erich Falke, chief information security officer for ePlace Solutions, a cyber risk management company that works with MIIA members, said building a strong security culture within an organization is essential to protecting against threats and mitigating attacks. An organizational commitment to cybersecurity, he said, must start at the top.

“Cybersecurity is a business issue that city and town leaders must manage,” Falke said. “An attack can shut down your municipal website and all online functions. Any data that is stolen or accessed could result in financial and reputation loss.

“While a community could potentially pay the ransom, systems may still be down for days, oftentimes weeks. And even if a city or town doesn’t pay the ransom and uses a backup, it can still take weeks for the municipality to restore operations.”

A culture of security means that all employees feel accountable and the organization has prudent practices and policies to ensure resilience in the face of cyberthreats, Falke said. Humans are the weakest link in an organization’s cybersecurity shield. If an employee is compromised through social engineering (deception such as phishing), the entire cyber environment could be exploited by malicious users.

Two key aspects to fostering a strong cyber culture are:
• Building an understanding among employees and ensuring that they recognize their role
• Regular education and training

Employee understanding and relevance
Cybersecurity relies on more than just the IT department doing its job. Everyone in the organization must see themselves as responsible for ensuring data security. Leadership should understand employees’ attitudes and behavior toward security protocols and issues. Do they see data security as the sole responsibility of IT and not something under their control? What are their work-from-home habits (such as password reuse or letting family members access work devices)? How often do they hear directly from municipal leaders about the importance of cybersecurity, and how often are they given updated information?

A survey of 3,000 remote workers and IT professionals by CyberArk found that 77% of remote employees use unmanaged, insecure devices to access corporate systems, while 37% save passwords in browsers on their corporate devices.

Falke recommends protecting all remote access with multi-factor authentication. Privileged users such as administrators and IT staff should have to pass through multiple security layers before being able to access critical data.

Regular education and training
Falke said employees must be educated about their responsibilities so they can willingly help build a strong security culture. Organizations should develop the context for employees, and be transparent about the risks, implications and cascading effects of inferior security practices.

Educating employees is not one size fits all. All employees need to understand their specific responsibilities and how their roles and behaviors can help or hinder the city or town’s overall security. This includes developing cybersecurity procedures that integrate into daily work routines and procedures.

Ransomware is the biggest cyberthreat, followed by email fraud such as phishing, and wire transfer/invoice fraud. Falke recommends providing social engineering training to help employees understand the techniques used by cyber criminals.

Training should happen all year, with simulated phishing attempts (conducted by IT) taking place during the year to help keep employees alert. Employees also need to know how to respond when something happens.

MIIA offers its members an online e-learning platform called CyberNET, which they can use to train their employees on cybersecurity best practices. Among other resources, the platform includes phishing simulation services, access to expert cyber risk advisors, and online training courses in the form of individually targeted training modules.

IT best practices
Falke recommends three critical practices for IT departments – two that can be used to prevent problems, and a third to use in the event that a criminal gains access.

First, make sure all systems and software are up to date. Vendors release patches frequently, sometimes daily, to fix known vulnerabilities, and attackers routinely exploit flaws for which a fix has long been available. IT staff should also test updates before deploying them to avoid business interruption.

Second, have “endpoint” protection that identifies potential issues before they start. Endpoints are desktops, laptops, mobile devices, printers, etc., that are connected to the central network. Endpoint protection works by examining files, processes, and system activity for suspicious or malicious indicators.

Third, keep trusted backups, test restoring from them regularly, and make sure at least one copy is isolated (offline or otherwise unreachable from the production network) so that a criminal who gains access cannot encrypt or destroy it.
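A backup is only "trusted" if you can tell whether it still matches what was taken. The script below is an added example written for this article; it is not code from ePlace Solutions, MIIA or the author. It records a SHA-256 manifest of a backup copy, signs the manifest with an HMAC key that is assumed to live with the isolated copy rather than on the production servers, and then checks a copy against that manifest, flagging files that were modified, removed or planted. The file names, contents and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed for this example. In practice the key is kept with the isolated
# copy (for example on the backup administrator's hardware token), never on the
# servers being backed up, so an intruder who can rewrite backup files and the
# manifest still cannot produce a valid tag.
MANIFEST_KEY = b"example-key-kept-off-the-production-network"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file under backup_dir (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding, so re-ordering keys cannot change the tag."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_backup(backup_dir: Path, manifest: dict, tag: str, key: bytes) -> list:
    """Return a list of problems; an empty list means the copy matches the signed manifest."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest signature invalid: manifest may have been rewritten"]
    current = build_manifest(backup_dir)
    problems = []
    for name, digest in manifest.items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != digest:
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in current if name not in manifest)
    return problems


def demo() -> dict:
    """Constructed scenario: a clean copy, a tampered copy, and a rewritten manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        copy_a = Path(tmp) / "copy_a"
        (copy_a / "finance").mkdir(parents=True)
        (copy_a / "finance" / "payroll.csv").write_text("id,name,amount\n1,A. Clerk,1200\n")
        (copy_a / "permits.db").write_bytes(b"\x00PERMITS\x00" * 64)

        manifest = build_manifest(copy_a)
        tag = sign_manifest(manifest, MANIFEST_KEY)
        clean = verify_backup(copy_a, manifest, tag, MANIFEST_KEY)

        # Simulate an intruder encrypting one file and planting a ransom note.
        (copy_a / "finance" / "payroll.csv").write_bytes(b"\xde\xad\xbe\xef" * 8)
        (copy_a / "README_DECRYPT.txt").write_text("pay us")
        tampered = verify_backup(copy_a, manifest, tag, MANIFEST_KEY)

        # Simulate the intruder also rewriting the manifest to match the damage;
        # without the key they cannot update the tag, so verification fails.
        forged = build_manifest(copy_a)
        forged_result = verify_backup(copy_a, forged, tag, MANIFEST_KEY)

    return {"clean": clean, "tampered": tampered, "forged_manifest": forged_result}


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "OK")
```

The point of the signed manifest is the third scenario: an attacker with write access to a backup share can rewrite the backup and its checksum file together, so the check only means something when the key (or the manifest itself) sits on the isolated copy the attacker cannot reach.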

The long-term view
Over the coming years, government agencies and other experts that track cyber issues expect the problem to keep intensifying and becoming more complex. The growing “internet of things” landscape will add far more connected devices than the traditional networks in use today, further intensifying privacy and cybersecurity challenges.

Municipal leaders are advised to continue to beat the cybersecurity drum and prioritize collaboration and education for all employees. They should look to implement pragmatic solutions that address cybersecurity throughout their organizations, and be sure to recognize success at every turn.

Resources
There are some great resources available to help.

The MassCyberCenter has developed a range of online training materials to help local leaders implement cybersecurity best practices, and has developed a Minimum Baseline of Cybersecurity for Municipalities.

The U.S. Department of Health and Human Services offers free cybersecurity awareness training.

The U.S. Cybersecurity and Infrastructure Security Agency offers a range of free services to help cities and towns protect against cyberthreats.

The Federal Virtual Training Environment (FedVTE) provides free online cybersecurity training to federal, state, local, tribal and territorial government employees, federal contractors, and U.S. military veterans.

MIIA offers training and grant options to its members, as well as phishing simulation.

Written by Martha Keeley, freelance writer
