Today’s world of electronic transactions, mobile employees and cloud computing presents a range of efficiency and operational benefits, but also a great potential for security breaches.

Many cities, towns and other government entities now routinely gather private information from citizens during various transactions, and the safeguarding of this information is an essential part of an effective liability mitigation plan.

How can a government entity be affected by a breach? Consider the many kinds of information gathered and stored in each department on a regular basis, such as credit card data for paying tax bills or parking tickets, names and passwords for summer camp registration, or the medical records of former prisoners. Although cyber-criminals may not be targeting your town in particular, many are experts in finding – and taking advantage of – vulnerable systems.

Impact of a breach

Criminals often use “robotic hacking” to scan large blocks of the Internet quickly and locate holes, according to Mark Greisiger, president of NetDiligence, a cyber-risk management company. Or they might go through your system to attack others, thereby covering their tracks.

In addition to malicious threats by criminals or disgruntled ex-employees or vendors, simple mistakes such as a lost laptop or a leak of resident contact information can cause problems even more often, Greisiger says. And when a third party is contracted for data storage (“the cloud”), he says, “points of failure are multiplied.”

A data breach study by Risk Based Security Inc., a leading security and threat intelligence company, found 2,164 incidents across various sectors during 2013, up from 778 just five years earlier. The 2013 breaches resulted in the exposure of 823 million records, from credit card numbers to Social Security numbers to passwords.

From a liability and loss standpoint, the effects of a cyber-breach can be staggering. According to a joint study conducted by Greisiger’s firm and insurance industry partners, claims from 2013 ranged from $25,000 up to $20 million, with the average at just under $1 million.

“On average, for a small organization it can be a million dollars – and sometimes that’s even before they are sued,” Greisiger says. “When a breach occurs, typically a forensic investigator is brought in right away to determine the facts, then there may be notification mailers, a call center set up to field questions, and the cost of anything you’re offering those that are affected, such as free credit card monitoring for a year. These crisis steps can add up to significant costs.”

Preventative measures

To protect computers from cyber threats, the FBI’s Cyber Division recommends several baseline yet critical steps, such as ensuring that firewalls are operating, installing and updating antivirus and anti-spyware software, keeping operating systems up to date (e.g., applying patches that fix security holes), being cautious about downloads, and turning off computers when they are not in use.
 
Greisiger adds that employee laptops should be encrypted, so that if one is lost or stolen, it is rendered useless when it falls into the wrong hands. A simple network vulnerability scan test can be run – either by in-house information technology staff or by an outside consultant – that tests servers for their ability to repel a threat. “It’s like jiggling the doorknob to see if someone can get in,” he says.

At the risk management planning level, state law mandates that “every person that owns or licenses personal information about a resident of the Commonwealth” develop a comprehensive written information security plan (WISP) that outlines “administrative, technical, and physical” safeguards. Many resources (such as law firms) provide WISP templates, and more information and guidelines can be accessed on the Consumer Affairs and Business Regulation website (www.mass.gov/ocabr).

Beyond these measures, Greisiger recommends having on file at all times a complete inventory of all computer assets, including (by serial number) the type of personal information in storage (e.g., Social Security numbers, addresses, passwords), and where it physically resides on servers. In cases where information is stored by a third party provider, it’s critical to examine contracts ahead of time in order to fully understand liability and indemnity.

Finally, various staff training courses focusing on proper use of computers and cyber-risk management best practices can be accessed either online or in-person through hiring a consulting company. These trainings can aid the establishment of a more cyber-secure culture in the workplace. MIIA sponsored a cyber-security workshop during the MMA’s Annual Meeting in January, and the association continues to pursue resources to assist members with their exposure to cyber vulnerability.

Cybersecurity checklist
The following considerations should be part of internal risk management discussions:
• Have you ever experienced a data breach or system attack?
• Do you collect, store or transact any personal, financial or health data?
• Do you outsource any computer network operations?
• Do you allow outside contractors to manage your data or network at all?
• Do you partner with other entities, and does this involve data sharing?
• Does your posted privacy policy align with your actual data management practices?
• Have you had a recent cyber-risk assessment?
Source: NetDiligence

Article written by Joe Callahan, Marketing Manager for the Massachusetts Interlocal Insurance Association.
 
