Cybersecurity - Technology Fitness

What is Your Municipality’s Cybersecurity Posture? What Elected Officials and CAOs Need to Know About Technology Fitness Part 18

Authored by Marc Pfeiffer, Sr. Policy Fellow and Associate Director, Bloustein Local Center for Urban Policy Research, Rutgers University

When it comes to cybersecurity, there are no easy or perfect solutions because the threats constantly evolve. The goals, however, are twofold. The first is to ensure that your security control environment is adequate to meet the risks your municipality faces. The second is that you have a sound incident response and recovery plan. This article focuses on controls, i.e., the practices and technology used to protect your digital environment. We will cover preparing for a security incident in a future article.

There is no one-size-fits-all set of controls for every technology environment. Just being online requires a minimum level of tech-environment awareness. Recent news reports of the chaos created by hacker intrusions and technology supplier errors make that clear. In some cases, cyber insurance providers mandate that minimum standards or specific services be included in your control environment.


Too Many Choices

There are many frameworks, schemas, risk control models, certification programs, and other approaches to guide (and sometimes confuse) technologists about the choices they make. They are important resources. It is also critical that elected officials and senior managers understand how well-prepared your organization is to deal with threats. 

There may be disagreements between experts on what solutions should be used. These disagreements are often tempered by budget considerations. These discussions are critical, and organizations need to have them. That’s where your tech expert team should step in. 

There are many ways to define these controls. They include the minimum standards you need to meet along with the tools and practices required to meet them. They will be driven by your agency’s budget, your exposure to risks, and the sophistication of your plans to recover from a successful attack. Things can go upside down very quickly; assuming it will not happen to you is irresponsible.

This is why you must have confidence and trust in your tech expert. 

What to Ask the Tech Team 

The following sidebar, Cybersecurity Control Practice Minimums, shows groupings representing the importance of each of the controls relative to one another.

Cybersecurity Control Practice Minimums

Can’t Live Without Them:

  • Secured, encrypted, and routinely tested backups.
  • Employee cybersecurity awareness training and phishing testing looking for social engineering vulnerabilities.
  • Cyber incident response plans (When were they last tested?).
  • Multifactor authentication (MFA) for remote access to your network and for privileged or administrator access.

If Not Done Well, We Are At Serious Risk:

  • Use automated filtering to look for malicious content in incoming email, web content, and network traffic.
  • Privileged access management to ensure workers only have access to the services they must use.
  • Monitoring of all devices that are physically connected to the network (aka, endpoint detection and response).
  • Ongoing patch and vulnerability management (i.e., making sure software is up-to-date and device access points are secure).

It’s Hard to Get These Right:

  • Ensuring that device configurations are as secure as possible (aka, hardening) to prevent intrusion.
  • Logging and monitoring of network traffic to identify suspicious activity (if they get in, you want to detect them).
  • Replacing or protecting older, but critical hardware and software that cannot be upgraded to current standards.
  • Managing digital supply chain cyber risks (ensuring that your service providers are keeping their products and services secure).

 

The practice minimums are rough measures based on actions that give the greatest protections against the two primary cyber threats: criminals breaking into your systems because of mistakes made by undertrained employees, and hackers breaking into your network via software or hardware flaws. All the items are important, but their weight varies based on the risk factors of individual agencies.

How do you find out where you stand? Ask your tech expert to report about your “minimum cybersecurity control practices.” They should answer the following questions:

  • Are we doing enough of everything on the list? If not, what else do we need to do?
  • What are our options to meet those deficiencies?
  • What are the risks of not fully doing them? 

Knowing the answers allows for informed decision-making. This should be an annual exercise ahead of the budget cycle as cybersecurity threats and responses constantly evolve. 

What the Tech Team Needs to Do

Your tech team needs to understand your agency’s work in relation to your tech environment. As they understand the municipality’s ever-evolving business processes and outsourcing needs, they can maintain a control model. That is the basis for management of user accounts and use configurations, implementing and maintaining up-to-date security tools, managing and regularly testing data recovery plans, and training employees in security awareness. By being part of leadership when tech decisions are made, they can move ahead with confidence to determine what is needed for each control.

Finally, these discussions involve network, confidential data, and computer security. Most public information access laws have exceptions for public disclosure of these records. Care must be taken to ensure confidentiality. At the same time, it is necessary to document your actions. That will provide data and audit trails in the event of a breach and allow your insurer and liability attorneys to have the information they need to respond to the event and its aftermath.

The key is to be proactive. Just as you wouldn’t let just anyone wander into your home, don’t inadvertently leave your IT infrastructure “unlocked.”

Technology Fitness is a semi-regular department published in NJ Municipalities magazine.