Every hour, 26% of local governments report a cyberattack. But according to a new NLC analysis, done in partnership with the Public Technology Institute, nearly a quarter don’t have a cybersecurity plan that is designed to protect government information systems from attack/provide steps for recovery in case of attack.
Fortunately, we have recommendations for how you can keep your data secure:
Identify one individual to be responsible for cybersecurity programs in that jurisdiction.
This individual should be the “go-to” person when a security problem arises, and also serve as an “ambassador” who promotes cybersecurity awareness within the organization. With this role, they can also serve to enforce your cybersecurity rules and ensure staff receive the necessary training. They should report directly to the local government’s top executive/administrator. Larger municipalities should hire a full time IT executive. For smaller jurisdictions with tight resources, hiring a full-time IT person to help with more complex issues may not be possible. This is when local governments should consider soliciting state/county resources or partnering with a neighboring jurisdiction to address this need.
Make digital hygiene an institutional priority.
For local elected officials, keeping residents safe and secure is no longer just about having an able police force and sound justice system. Today, security encompasses the digital world and ensuring bad global actors cannot take advantage of weaknesses in online systems. Local leaders should work to promote a shift toward cybersecurity as a governing priority, both internally and in their connected communities. This should include emphasizing the importance of cybersecurity in the city budget, instituting best practices around cybersecurity and digital hygiene, recruiting new staff with cybersecurity and technical skills, training existing staff annually, training new staff as part of onboarding, and conducting an audit to identify points of weakness within local government networks.
Educate the local workforce, elected leaders, and residents about cybersecurity.
While investing in sophisticated software is important, towns and villages should take, investing heavily in people is also critical. NLC and PTI recommend that cybersecurity awareness training happen at least once a year, if not more. All new staff, including newly elected officials, should receive cybersecurity training as part of their onboarding processes. Lastly, periodic awareness campaigns should occur throughout the year. Be sure to also think what role city hall can play in reaching out to small and medium size business and schools. These places are also under constant attack. At the annual National Night Out in 2018, the city of Bellevue, Washington, created a venue for IT staff and community relations coordinators to meet with neighborhood groups, residents of low-income housing units and other local groups to inform parents and their children about online safety. The team plans to return next year and even started a monthly newsletter.
Conduct an analysis of local government vulnerabilities.
Before making any significant investments in cybersecurity systems or reinforcements, it is valuable to assess the gaps and weaknesses in your local government’s network. For local governments, this might include identifying any vulnerabilities present in connected infrastructure throughout the city. Simple tabletop exercises for officials to practice their incident response plan can help identify these vulnerabilities, and many state governments can help coordinate these drills. As noted above, MS-ISAC is supported by the federal government to help local governments analysis and recommendations.
Ensure your data is properly backed up.
The number one defense against ransomware is tested, offline (non-connected or cloud hosted) backups. This is an extension of good digital hygiene that is worth emphasizing for its own sake. Even organizations that have policy in place need to ensure that backups are being conducted frequently, that these backups are sufficiently isolated to avoid attack, and that they are technically capable of restoring service and functionality.
Implement multi-factor authentication.
Multi-factor authentication (MFA) is a valuable tool against attacks. MFA requires a user to enter an additional security code or confirmation via their smartphone, e.g., through an app or text message. Cities should implement MFA on all business- critical systems, e.g., email. If an attacker gained the credentials of a city employee through a phishing attack, the attacker would still be blocked from gaining access because they don’t have their employee’s smartphone.
Create policies or plans to manage potential attacks.
Every local government should have a cybersecurity response plan. This can be developed internally or with the help of a private sector firm that specializes in security. The plan should include several key components:
- Employee awareness training, incident response and after-action planning.
- An incident response team, similar to ones created to address natural or man-made disasters.
- Protocols to notify local law enforcement as well as other appropriate officials (state officials, the US Department of Homeland Security, FBI). Almost all states require that local governments contact the state CIO, the state attorney general, and other departments.
- Prioritization of systems to restore in case of an attack. For most governments this would mean making sure safety and health services come back online first or a shifting of resources if services cannot be brought back on immediately
Ensure public communication is part of your attack response plan.
Public trust is essential to local government, and when it comes to potential attacks, public communication is a unique concern. Utilize all of your jurisdiction’s communications channels to share information with the public – the press, social media, television. In the event of a data breach, some state laws require the local government to notify the press if a certain number of personally identifiable pieces of information are exposed.What should you tell the public? Your community needs to know that their local leaders are fully engaged in the situation and are working to resolve it. To maintain the public trust, it is important to be as transparent as possible, keeping in mind that your jurisdiction is involved in a situation that impacts the public safety and full details may not be available until after the situation is resolved.
Consider converting to a dot gov (.gov) domain.
Hackers are not only attempting to target cities, they may impersonate a municipal service in order to target your residents. Identity thieves can easily create websites in the dot com (.com) or dot org (.org) domains that can look and seem like a legitimate web page and direct targets there to pay bills or submit personal information. These scams can be reduced by establishing your municipal systems on a .gov domain, which is much more difficult to mimic.
Work with education partners to create a cybersecurity talent pool.
Individuals with cybersecurity skills are highly sought after in today’s job market, and the public sector often struggles to compete with the higher salaries in the private sector. Local leaders should tap into local community colleges, universities and high schools to help fill cybersecurity gaps. This way students can get hands-on experience and serve their communities, which may encourage to stay in in those positions. Two examples of this already exist. For twenty years, Cisco Networking Academy has worked to help students gain technical and entrepreneurial skills. Students can take courses online in subjects such as the IoT and cybersecurity. Along the way, Cisco will help students seek out job and networking opportunities. CompTIA is also working to create certifications around cybersecurity and keep those in the IT world on a growing path throughout their careers.
Want to learn more? Read “Protecting Our Data: What Cities Should Know About Cybersecurity.“