Cybersecurity for Small Jurisdictions: What You Need to Know and Do
By Mark Krawczyk
A growing body of data shows that small governmental jurisdictions are increasingly being targeted by cybercriminals, whether for profit or to disrupt infrastructure systems. From an attempt to poison an entire town’s water supply in Florida (it was unsuccessful) to a county in Oregon falling victim to a ransomware attack that brought its computer systems down for a week, the number of cyber-attacks directed at small governmental jurisdictions is rising. It is a fact of life that small government jurisdictions have limited budgets and staff to adequately protect their systems from “bad actors” intent on profit (demanding a ransom to “unlock” their systems) or service disruption (“backdoor” system intrusions designed to cripple infrastructure systems).
Fortunately, there are many resources available to provide small jurisdictions with some protection against cybercriminals.
Raise security awareness to combat the risk of cyberattacks across the whole jurisdiction. This effort should include increased emphasis on proper handling of sensitive data; limiting the ability to install unauthorized software on system computers; stressing the need to report any suspicious emails or messages to IT; and ongoing “phish” testing to identify which employees are less diligent in questioning the validity of a suspect email or text.
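When staff do report a suspicious email, IT needs a quick, repeatable way to triage it. The script below is an added example (not from the article or its author) that parses a reported message and flags the indicators a phish test typically relies on: an internal display name paired with an external address, a sender domain one character away from the jurisdiction’s own, a Reply-To that points somewhere else, and pressure language. The trusted domain, the staff names and both sample messages are constructed assumptions.

```python
"""Triage helper for e-mails that staff report as suspicious (added example).

The trusted domain, the staff names and the two sample messages are
constructed assumptions, not values from the article.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"smalltown.gov"}        # assumption: the jurisdiction's own mail domain
KNOWN_STAFF = {"Jane Doe", "City Clerk"}   # assumption: display names worth protecting
URGENCY_WORDS = ("urgent", "immediately", "verify your account", "wire")


def _domain(header_value):
    """Lower-cased domain of an address header, or '' when there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _one_edit_apart(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution
    (catches look-alike domains such as a digit 1 standing in for the letter l)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                    # a has an extra character
        elif len(a) < len(b):
            j += 1                    # b has an extra character
        else:
            i, j = i + 1, j + 1       # substitution
    edits += (len(a) - i) + (len(b) - j)
    return edits == 1


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_message)
    findings = []
    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_dom = _domain(from_hdr)
    reply_dom = _domain(msg.get("Reply-To"))

    if from_dom and from_dom not in TRUSTED_DOMAINS:
        if display_name in KNOWN_STAFF:
            findings.append("display-name impersonation of internal staff from external domain")
        if any(_one_edit_apart(from_dom, t) for t in TRUSTED_DOMAINS):
            findings.append("look-alike sender domain: " + from_dom)
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain differs from sender domain: " + reply_dom)

    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("pressure or payment language in subject/body")
    return findings


# constructed sample messages
SAMPLE_PHISH = """\
From: City Clerk <clerk@smal1town.gov>
Reply-To: payments@mail-drop.example
To: finance@smalltown.gov
Subject: URGENT vendor bank change

Please update the vendor bank account immediately.
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@smalltown.gov>
To: finance@smalltown.gov
Subject: Budget meeting

Moved to 3 pm, same room.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, "->", phishing_indicators(sample) or "no indicators")
```

None of these checks is proof on its own; the value is in giving the help desk a consistent first pass so that reported messages are handled the same way every time, and in feeding the results back into the awareness program.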
Defend the network to make it harder for “bad actors” to gain access to the entire network. Simple steps can be taken, such as network segmentation (dividing the network into several subnets), separating guest Wi-Fi from the rest of the network, and using firewalls (both hardware and software) to filter both incoming and outgoing communications.
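Segmentation only helps if the firewall rules between subnets are actually enforced, so it is worth checking exported flow logs against the intended policy. The following is an added example (not from the article) that defines a few zones with the `ipaddress` module, lists the cross-zone flows that should be permitted, and reports any logged flow that crosses a boundary without being allowed. The zone layout, the allow list, the log format and the log lines are all constructed assumptions.

```python
"""Check observed traffic against a network segmentation policy (added example).

The zone layout, the allowed flows and the log lines below are constructed
assumptions, not details from the article.
"""
import ipaddress

# assumption: subnets a small jurisdiction might use after segmentation
ZONES = {
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
    "staff":      ipaddress.ip_network("10.10.1.0/24"),
    "servers":    ipaddress.ip_network("10.10.2.0/24"),
    "utility":    ipaddress.ip_network("10.10.9.0/24"),   # water/utility control network
}

# (source zone, destination zone, destination port) flows the firewall should permit
# between zones; everything else that crosses a zone boundary is a violation
ALLOWED_FLOWS = {
    ("staff", "servers", 443),
    ("staff", "servers", 445),
    ("staff", "utility", 443),   # operators reach the control network only via its web HMI
}


def zone_of(ip):
    """Name of the zone an address belongs to; 'internet' if it matches no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line):
    """Parse a constructed 'src=IP dst=IP dport=N' log line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def segmentation_violations(log_lines):
    """Return flows that cross a zone boundary without being on the allow list."""
    violations = []
    for line in log_lines:
        src, dst, port = parse_flow(line)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone or dst_zone == "internet":
            continue  # intra-zone and outbound traffic are outside this policy
        if (src_zone, dst_zone, port) not in ALLOWED_FLOWS:
            violations.append({"src": src, "dst": dst, "dport": port,
                               "from": src_zone, "to": dst_zone})
    return violations


# constructed flow log, in the shape a firewall export might take
SAMPLE_LOG = [
    "src=10.10.1.14 dst=10.10.2.10 dport=445",       # staff -> file server: allowed
    "src=192.168.50.23 dst=10.10.9.5 dport=502",     # guest Wi-Fi -> utility network: violation
    "src=10.10.1.14 dst=10.10.9.5 dport=443",        # staff -> HMI: allowed
    "src=10.10.1.14 dst=10.10.9.5 dport=502",        # staff -> control protocol port: violation
    "src=192.168.50.23 dst=203.0.113.7 dport=443",   # guest -> internet: not judged here
]

if __name__ == "__main__":
    for v in segmentation_violations(SAMPLE_LOG):
        print(f"should have been denied: {v['from']} -> {v['to']} "
              f"({v['src']} -> {v['dst']}:{v['dport']})")
```

Any line the script reports means either the firewall rule set does not match the written policy or the policy is incomplete; both are worth a ticket. The same allow list doubles as documentation of what the segmentation is supposed to achieve.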
Implement secure remote connections. Many employees will connect to the intranet from other networks (at home, in a hotel room, etc.). A virtual private network (“VPN”) provides a solution to protect your system: it provides an encrypted path between the remote access point and the intranet, so the connection can be used without concern that traffic will be read or altered in transit.
Authenticate by more than one measure. Multi-Factor Authentication (“MFA”) works by requiring additional verification information called “authentication factors” to ensure that digital users are who they say they are. These factors are considered proof of a user's identity, also known as credentials. MFA requires a combination of at least two factors, each of them coming from a different category:
- Something they know (knowledge), such as a password, a passphrase, or a PIN code.
- Something they have (possession), such as a device (smartphone, laptop, etc.), a physical token, a key fob, or a smartcard.
- Something they are (inherence), such as a fingerprint, voice or facial recognition, or any other kind of biometric.
The biggest drawback to MFA is the increased cost to implement, but, if possible, MFA should be implemented and become the “new normal.”
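The possession factor most small organizations end up using is a time-based one-time code from an authenticator app, which is cheap because the standard (RFC 6238 TOTP) needs nothing but a shared secret and a clock. The block below is an added example (not from the article) that shows both sides: generating codes from a secret, producing the enrolment URI an app scans, and a server-side verifier that tolerates one step of clock drift and refuses a code that has already been used. The issuer and account names are constructed.

```python
"""TOTP (RFC 6238) as used by authenticator apps: the "something you have"
factor of MFA (added example, not from the article).

The otpauth:// enrolment URI is the scheme authenticator apps read from a
QR code; the issuer and user names below are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """Compute the TOTP code for `secret` (raw bytes) at `unix_time`."""
    counter = int(unix_time) // step                         # time steps since the epoch
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def new_secret_base32(nbytes=20):
    """Random shared secret, Base32 encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def provisioning_uri(issuer, account, secret_b32):
    """otpauth:// URI that an authenticator app reads from a QR code at enrolment."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits=6&period=30")


class TotpVerifier:
    """Server-side check that tolerates small clock drift and refuses replays."""

    def __init__(self, window=1, step=30):
        self.window = window          # accept +/- this many steps of drift
        self.step = step
        self._last_counter = {}       # user -> last accepted time-step counter

    def verify(self, user, secret, submitted, unix_time=None):
        submitted = str(submitted)
        if not (submitted.isascii() and submitted.isdigit()):
            return False              # reject malformed input before comparing
        now = int(time.time()) if unix_time is None else int(unix_time)
        for drift in range(-self.window, self.window + 1):
            t = now + drift * self.step
            if hmac.compare_digest(totp(secret, t, self.step), submitted):
                counter = t // self.step
                if counter <= self._last_counter.get(user, -1):
                    return False      # this code (or an older one) was already used
                self._last_counter[user] = counter
                return True
        return False                  # nothing matched: wrong code or too much drift


if __name__ == "__main__":
    secret_b32 = new_secret_base32()
    print(provisioning_uri("Small Town Gov", "jane.doe", secret_b32))
    raw = base64.b32decode(secret_b32)
    code = totp(raw, time.time())
    verifier = TotpVerifier()
    print("first use:", verifier.verify("jane.doe", raw, code))   # True
    print("replayed: ", verifier.verify("jane.doe", raw, code))   # False
```

The per-user last-accepted counter is the part most home-grown implementations forget: without it, a code phished in real time stays valid for the rest of its 30-second step. The shared secret must be stored with the same care as a password hash, since anyone holding it can generate valid codes.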
Deliberately limit user privileges. Apply the principle of “least privilege” so that employees are granted only the minimal, specific privileges that allow them to do their jobs. Individual employees outside of the IT staff should NOT have administrator privileges on their computers, as such privileges make it easier for bad actors to compromise that computer and gain entry into the jurisdiction’s IT system.
Back up all data. The jurisdiction should have a well-thought-out process to back up any data deemed essential to the operation of the city, county, or agency. It is a good idea to follow the basic rule of 3-2-1, meaning three copies of critical files on two media types and one copy maintained off-site. Additionally, regular backup of data is critical should there ever be a need to recover from a breach or system hack.
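A backup that has never been checked is a hope, not a plan, so the 3-2-1 inventory should be verified by a script rather than a memory. The block below is an added example (not from the article) that records each copy’s location, media type and off-site status, reports where the set falls short of three copies on two media with one off-site, and hashes every copy against the source to catch silent corruption. The backup set is constructed in a temporary directory; the file names and media types are assumptions.

```python
"""Check a backup inventory against the 3-2-1 rule and verify that the copies
are intact (added example, not from the article). The backup set, its media
types and locations are constructed in a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class BackupCopy:
    path: str       # where this copy lives
    media: str      # media type, e.g. "disk", "tape", "cloud"
    offsite: bool   # kept away from the primary site?


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_3_2_1(copies):
    """Return the ways the set falls short of three copies, two media, one off-site."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies are on the same media type")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    return problems


def verify_copies(source, copies):
    """Paths of copies that are missing or whose content differs from the source."""
    expected = sha256_file(source)
    return [c.path for c in copies
            if not os.path.exists(c.path) or sha256_file(c.path) != expected]


def build_sample_set():
    """Construct a source file and three copies, then silently corrupt one copy."""
    tmp = tempfile.mkdtemp(prefix="backup-demo-")
    source = os.path.join(tmp, "records.db")
    with open(source, "wb") as f:
        f.write(b"constructed sample records\n" * 1000)
    copies = []
    for name, media, offsite in (("local", "disk", False),
                                 ("nas", "disk", False),
                                 ("cloud", "cloud", True)):
        dest = os.path.join(tmp, f"{name}.bak")
        shutil.copyfile(source, dest)
        copies.append(BackupCopy(dest, media, offsite))
    with open(copies[1].path, "r+b") as f:   # flip one bit in the NAS copy
        f.seek(10)
        byte = f.read(1)
        f.seek(10)
        f.write(bytes([byte[0] ^ 0x01]))
    return source, copies


def run_demo():
    source, copies = build_sample_set()
    return check_3_2_1(copies), verify_copies(source, copies)


if __name__ == "__main__":
    policy_gaps, corrupt = run_demo()
    print("3-2-1 gaps:", policy_gaps or "none")
    print("copies failing integrity check:", corrupt or "none")
```

Hash checks confirm the bytes are intact; they do not prove the data can be restored. Schedule an actual restore of a sample file from each copy, including the off-site one, and treat a failed restore with the same urgency as a failed backup.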
Implement endpoint security. Each computer or workstation on the network should be equipped with an enterprise-wide security solution to block aggressive malware and emerging threats. While this strategy is effective, deployment costs could be prohibitive for smaller jurisdictions. An alternative is to configure and deploy the security policies built into the operating system.
Implement a cybersecurity policy. The primary purpose of a cybersecurity policy is to set the organization’s standards of behavior for activities such as encryption of email attachments and restrictions on the use of social media. Such a policy will most likely be required by an underwriter considering whether to provide cyber insurance to the jurisdiction (if obtaining coverage to offset the potential dollar impact of a breach or hack by bad actors is an objective).
There are many other considerations for small jurisdictions with regard to cybersecurity, which might include joining MS-ISAC (the “Multi-State Information Sharing & Analysis Center”) and determining whether its capabilities could be utilized in implementing some of the steps we have discussed (such as endpoint security and the use of an ALBERT sensor to identify potential bad actors BEFORE they get into your system).
A list of resources (for both governmental and for-profit entities) is provided for your consideration – with no endorsement of the capabilities or services offered. This is merely information that would allow you, the reader, to read more about cybersecurity and how best to provide increased levels of protection for your system(s).
Cybersecurity policies will be among the topics discussed at our next SGF webinar Creating a Cyber Safe Workforce, on May 18. During the webinar, the participants will further understand why “the human factor” can explain many of the cybersecurity threats faced by small governments. Participants will hear a firsthand viewpoint on how a cybersecurity attack can impact a small government.