Whenever we hear about Cybersecurity in the news, especially
when it comes to the government, it is always what happens in DC that comes out
first in the news and, for that matter, gets the most attention. For example, when Biden announced his
Executive Order for Cybersecurity some time ago, everybody was all for it.
But the verdict is still out on whether it has come to any
fruition yet. Then there were, I
believe, one or two more major ones that Biden signed off on, plus a plethora
of others that the House has tried to introduce, but none that I think has gotten
anywhere substantial yet.
But what about the local governments? When do we hear about them? Unfortunately, we don't really hear anything about
them until some sort of disaster has impacted them. For example, last year, which was deemed to be
the year of Ransomware, a bunch of cities and towns were hit by
such attacks.
Some had their water supply choked off, there were attacks
on their energy grids, and even IT/Network infrastructures were infiltrated.
Unfortunately, it is these local governments that are left
hanging out on their own, trying to figure out what to do after they have been hit by a
security breach. Some have paid the ransom,
and some have not (good for them, actually).
The Federal Government does not seem to help out much, and many of the Cyber
vendors don't offer much help either, because there is not enough money to be made
off of local government contracts.
So, what is a mayor to do to help defend their town or
city? Here are some ideas:
1) Try to get hold of a Cyber Vendor who can
work with you:
Ok, this may sound like I am
going back on what I said earlier, but there are Cyber Vendors that
focus, at least partially, on the local government sector. These are not easy to find at first, but
after enough digging and Google searching, you should be able to find a few
vendors. But don't just take the first
one that you meet; try to get some choices lined up. After all, they have to meet your needs and
fit within your budget too. After you
have selected one, it is important that they stay with you for the long haul and
not bail out on you. In this regard, try
to get a long-term contract going. Now,
as the leader of your town or city, if you are completely new to Cyber (and
there is nothing wrong with that), one of the best pieces of advice I can offer is
to first hire a vCISO (a virtual CISO). These are CISOs that
have many years of experience in the field, but now work on a
contractual basis for fixed-term projects. Having one on your staff even for a short
term can be a big benefit, as they will most likely have the contacts to help
you find that Cyber Vendor to work with you for the long haul. But timing is of the essence here:
Ransomware attacks on US local governments have reached a staggering cost of almost
$19 Billion.
2) Don't be a miser:
For the most part, everybody knows
that local governments all over the US are hard pressed for money and are under
constant pressure to keep watching their budgets. In fact, the lack of money is an excuse that is
often used by mayors or other leaders for totally ignoring Cybersecurity. But don't you make that kind of excuse
either!!! The moment you start doing
that, you are setting yourself up for failure.
While you may not get all of the money you need, there is always some to
be found somewhere. For example, you can
always hold fundraisers, or if need be, set up a GoFundMe account on
Facebook. Also, the Federal Government,
while of course not doing a very good job of advertising it, has money set
aside, believe it or not, for the local governments. At the height of COVID-19, the American Rescue
Plan was signed into law. In it, about $350 Billion was allocated to the 50 states and their local
governments. Now, it does not specifically
dictate how that money should be spent once it is allocated to a state, but that
should give you more reason to spend more than you do on Cybersecurity. In fact, according to a recent study by
Deloitte, states and their local governments
spend only 1% - 2% of that money on Cyber related needs. More about this report can be seen here at
this link:
Heck, one study even found that at
least 45% of Ransomware attacks hit local governments and their
corresponding municipalities. More on
this can be seen at this link:
https://blog.barracuda.com/2020/08/27/threat-spotlight-ransomware/
In fact, don't be afraid to approach
your local SBA offices. Although they
are designed to work with SMBs, they can help local governments as well.
The moral of the story here is that
while you may not get all of the money you need, at least some of it is
available. You just have to be
creative in finding it. And once you get some extra money in your wallet, think
strategically about how it will be spent and for what Cyber purposes. In other words, don't just give a blank check
to your IT Security Administrator: get the bare minimum that you need, and
figure out the optimal way to deploy those new gadgets. Remember, two firewalls can be just as effective
as ten of them, provided that they are placed and configured in the most optimal way.
3) Conduct a Risk Assessment:
Once you have found a Cyber Vendor
that you can work with, it is very important that you first conduct a Risk
Assessment. On a general
level, this simply means taking an inventory of all of your digital and physical assets
and ranking them by risk, that is, how likely each one is to be compromised and how bad
the consequences would be if it were. Of course, those that come out at the top of that
ranking should receive the immediate attention of your IT department. From there, you then need to figure out the controls
you will need to put into place. There
are many frameworks out there that are available for free to help you do this. For example, they include the ones from
CIS and NIST. Follow these links to get
more information on them:
https://www.cisecurity.org/controls/cis-controls-list
(FOR THE CIS)
https://www.nist.gov/cyberframework
(FOR NIST)
After this, the next step would be
to conduct a deep-dive Penetration Test, in order to discover any other gaps or
weaknesses that have not been seen yet.
Then follow a path of security where eventually, at some point, you will
be able to deploy the Zero Trust Framework.
This is where no user or device is trusted by default, whether it sits inside or outside your network: every access request has to be authenticated and authorized before it is granted. Sound extreme? Yes, it is, but it has yielded some results for
the businesses that have implemented this methodology.
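To make the Risk Assessment step above concrete, here is an added example (not code from the original post or from any vendor) of the kind of ranking a small town could do with a spreadsheet-sized inventory. It scores each asset by likelihood times impact, sorts the result, and maps the gaps it finds to CIS Controls v8 control families. The asset names, the scoring weights, the tier thresholds and the sample inventory are all assumptions constructed for illustration; the CIS control numbers are the published families, but the gap-to-control mapping is this example's own choice.

```python
"""Rank a municipal asset inventory by risk (likelihood x impact).

Added example for illustration only. The asset names, weights, thresholds
and the control mapping are assumptions, not taken from any real inventory.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str               # e.g. "server", "plc", "workstation"
    impact: int             # 1 (low) .. 5 (critical): consequence if compromised
    internet_facing: bool   # reachable from the internet
    patch_age_days: int     # days since the last security patch
    mfa_enforced: bool      # remote/admin access requires MFA
    backups_tested: bool    # offline backups exist and a restore has been tested


def likelihood(a: Asset) -> int:
    """Estimate likelihood of compromise on a 1..5 scale from exposure signals.

    The weights below are assumptions for illustration; tune them to your data.
    """
    score = 1
    if a.internet_facing:
        score += 2          # exposed services are what ransomware crews scan for
    if a.patch_age_days > 90:
        score += 1          # unpatched for a quarter or more
    if not a.mfa_enforced:
        score += 1          # password-only remote access
    return min(score, 5)


def risk_score(a: Asset) -> int:
    """Classic risk = likelihood x impact, on a 1..25 scale."""
    return likelihood(a) * a.impact


def tier(score: int) -> str:
    """Bucket a 1..25 risk score; thresholds are an assumption."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def recommended_controls(a: Asset) -> list[str]:
    """Map each gap found to a CIS Controls v8 family (mapping is this example's)."""
    controls = []
    if a.patch_age_days > 90:
        controls.append("CIS 7: Continuous Vulnerability Management (patch it)")
    if not a.mfa_enforced:
        controls.append("CIS 6: Access Control Management (enforce MFA)")
    if not a.backups_tested:
        controls.append("CIS 11: Data Recovery (offline backups, test restores)")
    if a.internet_facing:
        controls.append("CIS 12/13: Network Infrastructure and Monitoring (reduce exposure)")
    return controls


def prioritise(assets: list[Asset]) -> list[tuple[str, int, str, list[str]]]:
    """Return (name, score, tier, controls) tuples, highest risk first."""
    ranked = sorted(assets, key=lambda a: (-risk_score(a), a.name))
    return [(a.name, risk_score(a), tier(risk_score(a)), recommended_controls(a))
            for a in ranked]


# Constructed sample inventory for a hypothetical small town (illustrative only).
SAMPLE_INVENTORY = [
    Asset("water-scada-hmi", "plc", impact=5, internet_facing=True,
          patch_age_days=400, mfa_enforced=False, backups_tested=False),
    Asset("payroll-server", "server", impact=4, internet_facing=False,
          patch_age_days=30, mfa_enforced=True, backups_tested=True),
    Asset("town-website", "server", impact=2, internet_facing=True,
          patch_age_days=20, mfa_enforced=True, backups_tested=True),
    Asset("clerk-workstation", "workstation", impact=3, internet_facing=False,
          patch_age_days=120, mfa_enforced=False, backups_tested=False),
]


if __name__ == "__main__":
    for name, score, level, controls in prioritise(SAMPLE_INVENTORY):
        print(f"{score:2d} {level:8s} {name}")
        for c in controls:
            print(f"      -> {c}")
```

Note that the internet-facing water system with stale patches and no MFA lands at the top with the maximum score of 25, while the more "valuable" payroll server ranks last because its exposure is low; that is the point of weighing likelihood and impact together rather than ranking by asset value alone. The output of this script is the list you hand to the IT department and the vendor, and the CIS families beside each asset are where to start picking controls.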
My Thoughts On This:
Another line of thinking is to find out about those resources that
are freely available to the SMBs in your city or town. I know there are a lot of them, especially
since Trump signed this kind of allocation into law before he left office. You don't have to have deep pockets to adequately
mitigate the Cyber risks that are posed to your city. You just have to think strategically, especially
when it comes to doing the Risk Assessment.
And to the Cyber Vendors:
Yes, we are all businesses and have to make money. But Cybersecurity is also a team effort for
everybody. Forget the bottom line for a
little while and offer your services, even pro bono, to a local government for a short
period of time. Doing so could yield you a lot of fruit in the end.