IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Leaning on Partnerships Shores Up City Cybersecurity

Local government IT teams often don’t have the resources close at hand to ensure their systems are ready to stand up to new threats, but can take advantage of state and federal resources to boost their cyberposture.

Cybersecurity lock on a background of passwords
Shutterstock
The global pandemic has significantly raised the security stakes for CIOs, CISOs and IT decision-makers. Unfortunately, bad actors know well that our workforce is now more vulnerable due to the increase in the number of remote workers, many of whom have never worked anywhere other than in the office. IT teams are stretched thin due to COVID-19 as we work around the clock to support remote users and urgent digital transformation, and even assist with pressing community needs such as digital inclusion. Various budgets are under pressure as revenues have fallen dramatically, and many expenses have increased. This moment calls for us as technology leaders to conduct a thorough review of our cybersecurity posture.

One of the leading cybersecurity organizations available to government technology teams is the Center for Internet Security (CIS). Many people are familiar with the Multi-State Information Sharing and Analysis Center (MS-ISAC), one of CIS’s key contributions. Another vital CIS program is its Top 20 Controls and Resources, a sort of cybersecurity version of Maslow’s “hierarchy of needs” for IT security staff. The 20 controls are organized into three categories: Basic, Foundational and Organizational. This framework provides a terrific starting point and checklist to ensure best practices.

In the Basic category, IT teams should have full vision into all enterprise hardware and software. We’ve witnessed both device and software sprawl over the past decade. We cannot keep our organization safe unless we have a complete inventory and accounting of our hardware and software. Are your technology assets logged, tagged and accurately assigned to staff? Do you utilize a mobile device management solution? Does your team employ a vulnerability scanner to search for weaknesses on at least a weekly basis? Are you leveraging automated software updates and patches where appropriate? Government agencies often lag behind the private sector on timely patching, and it is one of the best ways to harden our defenses.

The Basic category also calls for a review of administrative privileges. Users and accounts with elevated permission levels offer an attractive target for hackers. Too much sharing of credentials and re-using passwords fosters a dangerous situation. Further, does your staff have a standardized, secure configuration for hardware and software systems? Are you running logging on all systems, and do the logs feed into a centralized system for review? Automation and AI can offer substantial improvements for teams already short staffed or underfunded.

The next group of CIS controls is the Foundational category, which includes recommended protections for email, data and network devices. The controls provide guidance on email security, leveraging email security protocols to reduce spoofing and cyberattacks — especially critical these days. The controls also discuss automated port scanning and ensuring ports and protocols are only in use as business needs dictate. Another crucial element in this category is data protection. Does your organization have data governance practices in place? Has staff received appropriate training on HIPAA, CJIS and PCI compliance? These courses are often included with more extensive cybersecurity awareness training programs.

The third group of CIS controls is the Organizational category. In addition to a cybersecurity awareness program, are you actively running simulated phishing tests? Have you considered social engineering and vishing tests? Do you have an incident response plan? Do you know whom to contact the moment you confirm your organization faces a severe attack? We need to work closely with our emergency management partners, as a cyberattack is probably more likely these days than some other traditional hazards.

The overall scope and responsibility of cybersecurity operations can feel overwhelming and never-ending. However, many resources are available at the state, federal and nonprofit levels. Many services are subsidized or even free. There appears to be bipartisan support building in Washington for new funding for state and local cybersecurity needs. Now is a good time for us to collectively lobby our legislators to make this proposed funding a reality. 

Luke Stowe is CIO and interim director of administrative services for Evanston, Ill. One of Government Technology's Top 25 Doers, Dreamers and Drivers of 2018, he works to bridge the gap between technology and business practices.