Stephanie Helm, director of the MassCyberCenter, updates the Local Government Advisory Commission on Nov. 12 about the state’s efforts to fight cybercrime and educate local communities on the issue.

Written by Stephanie Helm, Director, MassCyberCenter at the MassTech Collaborative

As we modify our work practices to operate remotely, cybersecurity must continue to be an important element of municipal safety and security.

Cyber adversaries look for opportunities in uncertain times to launch a scam or sneak into a network. For example, we have seen false links purporting to be related to the COVID-19 crisis to lure a “click,” which downloads malware, and we have seen distributed denial of services (or DDOS) attacks against key government websites.

While our attention is focused on responding to the immediate needs of our citizens, we should recognize these realistic cybersecurity risks.

As your workforce transitions to remote working, below are some tips to help municipal leaders and your employees establish sound practices to support cybersecurity. We’ve included links to trusted resources that you and your staff can look to for further guidance.

Municipal leaders
Clearly articulate the importance of maintaining cybersecurity best practices during remote operations. Encourage vigilance and good cybersecurity hygiene in this new operating environment. If you make this part of your expectations, you will continue to support the Commonwealth’s commitment to cybersecurity resilience.

Keep in contact with employees to ascertain “how is it going?” from a technical perspective. Ensure that contact information for your “helpdesk” or IT support personnel is available.

Encourage “see something, say something” to promote cybersecurity vigilance. This will avoid employees trying to solve problems themselves, which may introduce practices dangerous to cybersecurity.

Engage your IT team early to support hardware, software and licensing requirements. Ask about cybersecurity risks specifically.

Public records requirements are still valid for municipal business done remotely. Ensure that your employees understand these requirements and maintain continuity on the remote systems.

Employees
• Use government-issued devices that are compliant with municipal IT systems and applications.

Do not use personal email accounts, instant messaging or texts to conduct municipal business. Public records requirements are still valid for municipal business.

Continue to abide by municipal cybersecurity precautions. Continue password management, avoid clicking on links that may download malware, and be on alert for social engineering scams.

Protect your government-issued equipment and secure it when not in use.

Do not loan your government-issued equipment to others.

References for teleworking support
CIS Controls Telework and Small Office Network Security Guide, from Center for Internet Security

Computer Security Resource Center Telework Cybersecurity Tips, from National Institute of Standards and Technology, updated March 19

NIST Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security

Telework.gov: The Guide to Telework in the Federal Government, outlining practical information to assist federal agencies

Telework.gov: Security and IT

About the MassCyberCenter
The MassCyberCenter was launched in September 2017 with a vision to enhance opportunities for the Massachusetts cybersecurity ecosystem to compete as the national cybersecurity leader while strengthening the resiliency of the Commonwealth’s public and private communities. Visit www.masscybercenter.org.