Before we start talking technology, let’s instead consider the security of your municipal buildings. Many years ago, it’s likely that your security would consist of a few physical keys and locks, some window locks, and maybe a security guard if you were lucky. In a mostly paper-based world, that level of security worked.
Today, that level of security is often not reassuring enough. Instead, we see security systems, keyless entry (such as key fobs), and security guards as a requirement, not an option. As society changed and theft grew more sophisticated, physical security changed.
Just as many organizations have adapted their physical security over time, a similar shift has recently occurred with the security of electronic information. Unfortunately, many cities currently secure their information with the mindset of a pre-internet world while cyberattackers have a field day. No wonder so many cities are falling prey to ransomware and failing to protect sensitive, confidential information.
In this blog post, we want to help you assess your compliance by using the metaphor of our physical security example above. Each compliance element below relates to the following physical elements:
Without cybersecurity best practices implemented at your municipality, you are fending off sophisticated “burglars” with the equivalent of an old-fashioned lock and key. To say that hackers can easily kick down your door is an understatement. Examples of items needed for your “cyber security system” include:
In addition, it’s important to regularly train employees about cybersecurity hygiene and best practices, as people are often the weakest link in a cyberattack. Our article, “How to Create Effective Cybersecurity Training for Cities,” goes into more detail about what you need to train employees. You can also review more detailed frameworks from NIST and CISA.
As you know, security systems are a deterrent but not perfect because they lack a human element. That’s why many businesses and building owners hire security guards. They not only act as a further deterrent but also add a person to the security mix who can respond proactively to an incident. Plus, a good security guard not only watches the front door but also patrols the property occasionally.
Similarly, towns and cities need proactive, ongoing monitoring and maintenance of IT systems. These IT engineers are like your “security guards” as they:
Just like people must have an authorized way to enter your city buildings, people must be authorized to electronically access your data and information. Many cities have the electronic equivalent of a simple lock and key that is easy for unauthorized employees, vendors, and hackers to overcome. Strengthening logical access is like strengthening the way people can “enter” your IT systems. Policies include:
Because you also need to protect physical equipment, it’s good to have policies addressing who can access rooms along with deterrents such as security cameras.
Perhaps you’ve got your information security in good shape. But what happens when you get a new computer, server, or software? What happens when someone buys a new wireless router from a retail store and sets it up? What happens if an employee downloads software from an untrustworthy source?
Like the Trojan Horse sneaking something bad into your environment, these kinds of threats may emerge because you are not careful about what’s added to your IT inventory or how your IT inventory changes over time. Some concerns include the installation, configuration, and setup of:
If we continue our real-world analogy, you cannot keep exact clones of everything in your building so that you can simply restore them if someone steals the originals. But in the “magic” of cyberspace, you can! A data backup and disaster recovery solution needs to become part of your policy and compliance strategy. To help protect your data, you need:
---
By following the best practices above, you will decrease risk, improve your internal policies, and more easily comply with the law. If you need help improving your policy and compliance strategy, reach out to us through the form below.