How can you ensure that an appropriate cybersecurity system is established at your municipality and verify that it is functioning effectively? Although you might not know every detail regarding IT security, as a municipal leader, you should understand your infrastructure and know if your policies and procedures are in place and working as intended.
County and municipal networks are a prime target for hackers as they are like a pot of gold at the end of a rainbow. Government entities have massive amounts of data stored on their networks, and a lot of it contains personally identifiable information or other confidential material. Permits, utility bills, birth certificates, social security numbers and property tax information are just some of the information that is common at local government offices.
Properly implemented security controls can reduce the risk of human error, but not eliminate it. Humans remain the weakest link in any organization when it comes to municipal security risk. Cybercriminals are smart and they know who to target. Hackers target municipalities as they typically have limited budgets to invest in cybersecurity and often have not set aside the necessary resources to train their employees on this very topic. Most security breaches occur because of an internal mistake. A perfect example is that a small Florida city paid hackers almost $600,000 to get its computer systems back, all stemming from an employee who opened a corrupt email.
Below are four key factors to determine how prepared you are.
Security risk assessment – The first step is to understand where the gaps are in your security and recognize vulnerabilities. This applies to systems, vendors and processes as well as people.
Common weak points: Wi-Fi access, hardware, software, and network equipment.
Security updates – One way to significantly improve your defense against attacks is to stay current with security updates. This should be done routinely and as soon as security patches are released.
Common weak points: These patches and updates need to be done on all devices and software. It takes only one missed patch on a device for the hacker to get in and compromise the government’s entire network, just like it only takes one “unlocked door” for a thief to enter your house.
Routine backups – One way to ensure you will not encounter data loss is to create regular backups and store them off-site. This is one of the cheapest and easiest ways to be prepared in the case of a ransomware attack or even a fire.
Common weak points: Backups should be done routinely and stored at a secure off-site location. The backups should be encrypted and tested often. This is necessary to verify that the information can be restored. Often backups are being done but never tested.
Education and training – One of the biggest cybersecurity risks in any organization is its own employees. Cybercriminals are great at sending phishing emails that are specifically designed to get employees to click on a malicious link or release sensitive information. These types of emails look legitimate and are hard to detect.
Common weak points: Most organizations focus their cybersecurity initiatives on external threats; they should also address the internal threats, which would be their employees. The most significant benefit would be to train the employees on these threats.
One of the best ways to combat cybersecurity threats is effective training and testing. Educating the employees on the types of threats to watch for is crucial in protecting your municipality from cybercriminals. This training should include such items as risks related to downloading attachments from unknown emails, identifying phishing scams, ransomware, and malware. Sharing passwords, using networks that are not secure, and using flash drives are other risks that should be included in security awareness training. This training should be ongoing, and constant testing has proven to keep employees on their toes as well as identify where additional training and education may be needed.
Please contact Yeo & Yeo Computer Consulting at (989) 797-4075 or firstname.lastname@example.org for information about protection for your email infrastructure, a Cybersecurity Assessment for your organization, and Security Awareness Training for the staff. Train your employees to be human firewalls, preventing attacks on your organization.