Local governments are in the crosshairs.
As larger organizations harden their cybersecurity defenses, criminals are turning to softer targets. Recent incidents like the hacking of Hendersonville, NC, or the cyberattack on the Kansas state court system only reinforce a trend that’s been growing for years.
Unfortunately, local governments are often ripe for the picking. With limited resources and aging technology infrastructure, they’re perfect targets for threat actors—both domestic and foreign.
How can you protect your systems, data, employees, and citizens?
While there’s no magic bullet for cybersecurity management, local governments can take steps to improve their security posture today. Here are 10 keys to doing so.
1. Don’t expect a hardworking IT department to handle cybersecurity
If you work in local government, you know how challenging it can be for IT to support the organization. There’s always another laptop dying, a network issue, or a problem with Active Directory. With capabilities limited by budget, IT has to make tough decisions every day when deciding what to work on.
An IT team that’s already in overdrive doesn’t have the bandwidth to handle cybersecurity. It takes multiple experts in specific cybersecurity disciplines to implement and maintain the necessary controls. These professionals command high salaries, which makes it challenging for local governments to hire and retain them. In fact, affordable access to experts is one of the biggest reasons that governments typically hire a partner for cybersecurity managed services.
2. Conduct a compliance gap assessment every year (at least)
Are there cybersecurity regulations that apply to you as a local government entity? If so, you should conduct a gap assessment at least once a year.
Regulations or frameworks that may apply include:
- NIST Cybersecurity Framework—This is a standard developed by the US National Institute of Standards and Technology to empower organizations to assess and address their cybersecurity risks.
- CMMC (Cybersecurity Maturity Model Certification)—This cybersecurity certification was developed by the Department of Defense for its upstream contractors. It’s a useful standard for any government organization.
- PCI-DSS (Payment Card Industry Data Security Standard)—This certification provides a stamp of approval for organizations that handle credit card data.
- CJIS (Criminal Justice Information Services)—This compliance standard applies to organizations that handle criminal justice data.
- State-level cybersecurity regulation—Your state may have cybersecurity regulation that applies at the local government level. See this list of recent state-level cybersecurity laws to get started.
Even if your organization isn’t legally required to comply with regulation, standards like the NIST Cybersecurity Framework can provide the structure and guidance you need to achieve a stronger security posture. At the very least, every organization should consider doing a NIST gap assessment once a year. A cybersecurity managed services provider (like Corsica Technologies) can assist with this process.
3. Conduct a cybersecurity risk assessment every year (at least)
This sounds a lot like a gap assessment, but it’s actually quite different.
A gap assessment reveals gaps in compliance with a given standard. This can make it seem like a local government must completely close all gaps—which may be impossible due to 1) cost, or 2) the operational friction that would result.
A risk assessment isn’t about closing all gaps, but rather mitigating risk sufficiently. The risk assessment process offers a methodology for assessing risks—plus quantifying them and defining acceptable risk levels.
Ideally, you’ll want to perform compliance gap assessments and risk assessments side by side. This way, they can work together to strengthen your security posture.
4. Train your employees every 6 months
Say one of your employees gets an “urgent email” from a county commissioner with a well-known name. The message has an alarming subject line, and it asks your employee to contact the commissioner immediately at a certain phone number.
Is this a legitimate email, or some type of phishing scam?
Without proper training, your employees won’t be able to tell. Depending on the type of attack, replying to the email, clicking a link, downloading an attachment, or calling the phone number may be enough to compromise your security.
Your employees need cybersecurity training. Ideally, local governments should repeat this training every 6 months.
Why?
Because trends in cybercrime really do evolve that fast. Yesterday’s attack strategy quickly becomes outdated as more and more people learn how to spot it. You have to stay one step ahead of cybercriminals by conducting regular cybersecurity awareness training.
5. Level up your email security
Do you have MFA (multi-factor authentication) enforced on all email accounts?
MFA requires an email user to verify their identity two ways (or more) before gaining access to their account. For example, a user may have to enter their password, then input a code in an authenticator app on their mobile device to finish authenticating.
MFA is a huge improvement over password-only access. If your email configuration doesn’t require strong passwords, you may have a few employees using “password” or other insecure phrases to log in. The sooner you implement MFA + strong passwords, the better.
6. Start moving toward Zero Trust
The idea behind Zero Trust is simple. You should never trust a user or device by default. Rather, you should require every user and every device to authenticate separately to any system they try to access.
Likewise, you should limit user and device permissions using the principle of least privilege—i.e. granting only those permissions that are necessary for the person in question to do their job.
The Zero Trust Maturity Model was developed by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA). The agency’s whitepaper helps Federal Civilian Executive Branch agencies implement Zero Trust architecture—but Zero Trust is useful for organizations at all levels of government. Learn more here: Zero Trust for Smaller Organizations.
7. Get a SIEM solution
Do you have a single application that shows you everything related to cybersecurity—in real time?
That’s the thinking behind SIEM (security information and event management) software. This type of application pulls together data from a wide range of sources to show you all things cybersecurity in a single interface.
SIEM is essential for local governments—yet your IT team probably has enough on their plates already. They may not be able to monitor your SIEM or respond to incidents. That’s why local governments typically hire a managed SIEM provider.
8. Get an MDR solution
Can you detect intrusions on your network via specific endpoints (connected physical devices)?
If not, you need a solution for EDR (endpoint detection and response) or XDR (extended detection and response).
For local governments, there’s only one problem. Monitoring this type of software and responding to incidents takes up too much bandwidth—and IT already has their hands full.
This is where MDR (managed detection and response) comes into play. You get a team of cybersecurity experts who implement and monitor your detection and response software. (Hint: Your provider should also be able to remediate any incidents they detect, which is what we do here at Corsica Technologies.)
9. Integrate cybersecurity and IT operations
Chances are, you already have an MSP (managed service provider) who either handles all your IT needs or works alongside your IT staff.
This is great, as you can cover your IT needs—but there’s only one problem. Legacy IT operations (and legacy MSPs) may not take an integrated approach to cybersecurity. In particular, legacy MSPs are notorious for outsourcing cybersecurity services to a third party.
Under this arrangement, the cybersecurity subcontractor notifies your MSP of cyber incidents—but they can’t do anything to remediate the situation.
And since that MSP doesn’t have domain expertise in cybersecurity, they can’t properly integrate cybersecurity into every aspect of your IT systems and operations.
It’s better to choose a combined MSP/MSSP (managed security services provider). This way, you get a single partner who weaves cybersecurity into all things IT. When things go bump in the night, you have one partner who not only designed, implemented, and supports the system—but also knows the relevant cybersecurity controls from top to bottom.
For local governments, integrated IT and cybersecurity is a no-brainer.
10. Choose your combined MSP/MSSP carefully
Corsica Technologies isn’t the only combined MSP/MSSP in the world. However, you’ll want to choose your partner carefully, as combined MSP/MSSPs aren’t created equal. Here’s what you should look for.
- A provider who not only notifies you of incidents but remediates them.
- A provider who’s familiar with any applicable regulation.
- A provider who’s worked with other local governments.
- A provider with a great reputation and excellent reviews.
- A provider who can fill gaps in your IT staff without taking over.
- A provider who offers vCIO consulting, including a 3-year technology roadmap.
- A provider who offers a Service Guarantee covering any financial losses from cybersecurity incidents.
Keep these criteria in mind as you evaluate providers. They’ll help you find the very best MSP/MSSP for your local government needs.