Heightened awareness about IT security and the dangers of cyberthreats for municipal governments has prompted state and local governments to band together to discuss cybersecurity and share best practices.

Among the services offered by the Office of Municipal and School Technology in the Executive Office of Technology Services and Security is helping communities build networking groups so members can share best practices, hot points and needs, according to Municipal and School IT Manager Susan Noyes. These information-sharing spaces include regional IT director networking groups and the State and Local Information Exchange.

Regional networking groups
There are currently four regional IT director groups: North Shore, South Shore, Greater Metro Boston, and Western Massachusetts. There is no cost for a community to join. Each group has its own listserv, where members can post questions, inquire about vendors and products, and share information that may be useful to members.

Each group meets regularly, either virtually or in-person, and is invited to participate in quarterly meetings held with the MassCyberCenter and Homeland Security.

At a recent quarterly meeting, the group discussed community “cyber posture,” or overall defense readiness against cyberattacks, Noyes said. They also discussed requirements for cyber insurance, noting that the requirements continue to evolve each year.

Another recent discussion covered multi-factor authentication, or MFA, which was a condition for cyber insurance this year, Noyes said. Multi-factor authentication requires a user to provide two or more verification factors to gain access to a resource, such as an application or online account. Rather than just asking for a username and password, MFA requires one or more additional verification factors, such as a code sent by text or email, which decreases the likelihood of a cyber breach.

Noyes said many communities were caught off-guard by this new pre-requisite for cyber insurance.

“MFA often presents a challenge for smaller communities with simple environments and/or limited IT resources, as opposed to organizations with multiple vendors and more complex environments where a single solution isn’t palatable,” she said.

A lack of MFA, however, “leaves these communities without the ability to get cyber insurance, potentially making the effects of an attack even more devastating.”

There are many two-factor authentication tools available, often at minimal cost, but there is no one-size-fits-all solution. The best bet is to consult with the municipal IT team in your community and/or one of the regional IT groups to identify the best option for your community.

Other topics recently discussed include cyber training, the use of American Rescue Plan Act funds for critical infrastructure, incident response planning, and establishing a minimum baseline for cybersecurity to help communities and schools be more prepared and avoid attacks.

Noyes said the regional IT groups help build the agendas for the meetings with the MassCyberCenter and Homeland Security.

“We want to be as helpful as we can be,” she said. “They are on the ground, so their input into discussion topics is invaluable.”

The regional IT groups have more than 100 members overall, and the number continues to grow, Noyes said. Municipalities and school districts aren’t required to join their regional group, but Noyes said there are only benefits to doing so. Membership is also not limited to IT directors.

“Whoever is responsible in the community for IT is welcome to be part of a group,” said Noyes. “Those with less IT experience, but who have managing technology as part of their work duties, have plenty to gain given the amount of free and valuable information that is shared.”

Noyes said she welcomes inquiries from any community or school district about joining a group. She can be reached at susan.noyes@mass.gov.

Other state programs
Another opportunity to get and share information is the State and Local IT Information Exchange, a listserv offered by the Executive Office of Technology Services and Security. The statewide group is open to any municipal or school employee who is responsible for IT and may seek advice on several IT topics.

The competitive Municipal Cybersecurity Awareness Grant Program helps local governments improve their cybersecurity through end-user training, evaluation and threat simulation. The program, including procurement and coordination, is managed by the Executive Office of Technology Services and Security, and Noyes is optimistic it will be offered again this fall.

Local governments can access basic cybersecurity evaluation services at no cost through the Office of Municipal and School Technology’s Cybersecurity Health Check Program. These services can be a good first step in discovering, assessing and identifying cybersecurity gaps that could impact IT systems that support essential business functions.

For more information about the state programs, contact Noyes at susan.noyes@mass.gov.

Written by Joyce McMahon

+
+