Sunday, May 22, 2022

Thinking Strategically Is Far More Valuable Than $$$ To Cyber Protect Your Town

Whenever we hear about Cybersecurity in the news, especially when it comes to the government, it is always what happens in DC that comes out first in the news, and for that matter, gets the most attention.  For example, when Biden announced his Executive Order for Cybersecurity some time ago, everybody was all for it. 

But the verdict is still out on whether any of it has come to fruition yet.  Then there were, I believe, one or two more major ones that Biden signed off on, plus a plethora of others that the House has tried to introduce, but I don’t think any of them have gotten anywhere substantial yet.

But what about the local governments?  When do we hear about them?  Unfortunately we don’t really hear anything about them until some sort of disaster has impacted them.  For example, last year, which was deemed the year of Ransomware, a number of cities and towns were hit by such attacks. 

Some had their water supply choked off, there were attacks on their energy grids, and even IT/Network Infrastructures were infiltrated.

Unfortunately, it is these local governments that are left hanging out on their own, trying to figure out what to do once they have been hit by a security breach.  Some have paid the ransom, and some have not (good for them, actually).  The Federal Government does not seem to help out much, and many of the Cyber vendors don’t offer too much help because there is not enough money to be made off of local government contracts.

So, what is a mayor to do to help defend their town or city?  Here are some ideas:

1)     Try to get hold of a Cyber Vendor who can work with you:

Ok, this may sound like I am going back against what I just said, but there are Cyber Vendors that focus, at least partially, on the local government sector.  They are not easy to find at first, but after enough digging and Google searching, you should be able to find a few.  Don’t just take the first one that you meet; try to get some choices lined up.  After all, they have to meet your needs, and fit within your budget as well.  After you have selected one, it is important that they stay with you for the long haul and not bail out on you.  In this regard, try to get a long-term contract going, with the response times and services they owe you spelled out in writing.  Now, as the leader of your town or city, if you are completely new to Cyber (and there is nothing wrong with that), one of the best pieces of advice I can offer is to first hire a vCISO (virtual CISO).  These are CISOs with many years of experience in the field who now work on a contractual basis for fixed-term projects.  Having one on your staff, even for a short term, can be a big benefit, as they will most likely have the contacts to help you find that Cyber Vendor to work with you for the long haul.  But timing is of the essence here, as Ransomware attacks on US local governments have reached a staggering cost of almost $19 Billion.

2)     Don’t be a miser:

For the most part, everybody knows that local governments all over the US are hard pressed for money, and are under constant pressure to keep watching their budgets.  In fact, the lack of money is an excuse that is often used by mayors or other leaders for totally ignoring Cybersecurity.  But don’t you make that kind of excuse either!!!  The moment you start doing that, you are setting yourself up for failure.  While you may not get all of the money you need, there is always some to be found somewhere.  For example, you can always hold fund raisers, or if need be, set up a GoFundMe campaign and promote it on Facebook.  Also, the Federal Government, while of course not doing a very good job of advertising it, has money set aside, believe it or not, for the local governments.  At the height of COVID-19, the American Rescue Plan was signed into law.  In it, about $350 Billion was allocated to the 50 states and their local governments.  Now it does not specifically dictate how that money should be spent once it is allocated to a state, but that should give you all the more reason to spend more than you currently do on Cybersecurity.  In fact, according to a recent study by Deloitte, only about 1% - 2% of that spending goes to Cyber related needs.  More about this report can be seen here at this link:

https://www2.deloitte.com/content/dam/insights/us/articles/6421_Ransoming-government/DI_Ransoming-government.pdf

Heck, one study even found that at least 45% of Ransomware attacks hit local governments and their corresponding municipalities.  More on this can be seen at this link:

https://blog.barracuda.com/2020/08/27/threat-spotlight-ransomware/

In fact, don’t be afraid to approach your local SBA office as well.  Although they are designed to work with SMBs, they can help local governments too.

The moral of the story here is that while you may not get all of the money you need, at least some of it is available.  You just have to be creative in finding it.  And once you get some extra money in your wallet, think strategically about how it will be spent and for what Cyber purposes.  In other words, don’t just hand a blank check to your IT Security Administrator: buy the bare minimum that you actually need, and figure out the optimal way to deploy those new tools.  Remember, two firewalls can be just as effective as ten of them, provided they are placed and configured in the most optimal way.

3)     Conduct a Risk Assessment:

Once you have found a Cyber Vendor that you can work with, the very first thing to do is conduct a Risk Assessment.  On a general level, this simply means taking an inventory of all of your digital and physical assets (servers, workstations, the water and utility control systems, the badge readers on the doors, and so on) and ranking them by how likely each one is to be attacked and how much damage its loss would cause.  Of course, those that rank highest should receive the immediate attention of your IT department.  From there, you then need to figure out the controls you will need to put into place to close the gaps you found.  There are many frameworks out there that are available for free to help you do this.  For example, they include the ones from CIS and NIST.  Follow these links to get more information on them:

https://www.cisecurity.org/controls/cis-controls-list

(FOR THE CIS)

https://www.nist.gov/cyberframework

(FOR NIST)

After this, the next step would be to conduct a deep-dive Penetration Test, in order to discover any other gaps or weaknesses that have not been seen yet.  Then follow a path of security where, at some point, you will be able to deploy the Zero Trust Framework.  This is where no user or device is trusted by default, and every request for access is authenticated and authorized each time, regardless of whether it comes from inside or outside your network.  Sound extreme?  Yes, it is, but it has yielded real results for the businesses that have implemented this methodology.
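To make the Risk Assessment step concrete, here is an added example (not code from the original post, and not any vendor’s tool) of a minimal risk register: it takes an asset inventory, scores each asset by likelihood times impact, ranks the inventory so the highest-risk items get attention first, and maps each recorded gap to the CIS Controls v8 control that addresses it.  The asset names, scores, gap labels, tier thresholds and the gap-to-control mapping are all constructed for illustration and should be replaced with your own town’s inventory.

```python
"""Added example: a minimal risk register for a municipal asset inventory.

Scores each asset by likelihood x impact, ranks the inventory so the
highest-risk items get attention first, and maps each recorded gap to the
CIS Controls v8 control that addresses it.  Asset names, scores, gap labels,
tier thresholds and the gap-to-control mapping are constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical gap labels -> the CIS Controls v8 top-level control that addresses them.
GAP_TO_CIS_CONTROL = {
    "no_mfa": "CIS Control 6: Access Control Management",
    "unpatched": "CIS Control 7: Continuous Vulnerability Management",
    "no_backup": "CIS Control 11: Data Recovery",
    "flat_network": "CIS Control 12: Network Infrastructure Management",
    "no_logging": "CIS Control 8: Audit Log Management",
    "untrained_staff": "CIS Control 14: Security Awareness and Skills Training",
}


@dataclass
class Asset:
    name: str
    kind: str                  # "digital" or "physical"
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (nuisance) .. 5 (public safety / essential service)
    gaps: list[str] = field(default_factory=list)   # observed weaknesses, by label


def risk_score(asset: Asset) -> int:
    """Classic qualitative risk: likelihood x impact on a 1..25 scale."""
    for v in (asset.likelihood, asset.impact):
        if not 1 <= v <= 5:
            raise ValueError(f"{asset.name}: likelihood/impact must be 1..5, got {v}")
    return asset.likelihood * asset.impact


def tier(score: int) -> str:
    """Bucket a score; the thresholds are an assumption, tune them to local risk appetite."""
    if score >= 15:
        return "critical"   # address immediately
    if score >= 8:
        return "high"
    return "moderate"


def rank_inventory(assets):
    """Return (asset, score, tier) sorted highest risk first; ties broken by impact."""
    scored = [(a, risk_score(a), tier(risk_score(a))) for a in assets]
    return sorted(scored, key=lambda t: (t[1], t[0].impact), reverse=True)


def controls_for(asset: Asset):
    """Map recorded gaps to the controls that close them; unknown gaps stay visible."""
    return sorted({GAP_TO_CIS_CONTROL.get(g, f"UNMAPPED gap: {g}") for g in asset.gaps})


# Constructed sample inventory for a small town (not real data).
SAMPLE_INVENTORY = [
    Asset("Water treatment SCADA HMI", "digital", 4, 5, ["no_mfa", "unpatched", "flat_network"]),
    Asset("Payroll / finance server", "digital", 3, 4, ["no_backup", "no_logging"]),
    Asset("Public website", "digital", 4, 2, ["unpatched"]),
    Asset("Records office badge reader", "physical", 2, 3, []),
    Asset("Town hall PCs", "digital", 5, 3, ["untrained_staff", "unpatched", "no_backup"]),
]

if __name__ == "__main__":
    for asset, score, level in rank_inventory(SAMPLE_INVENTORY):
        print(f"{score:>2} {level:<8} {asset.name}")
        for control in controls_for(asset):
            print(f"      -> {control}")
```

Running it prints the water plant control system at the top of the list (score 20, critical) with its three controls to fund first, and the badge reader at the bottom (score 6).  The point of keeping the mapping explicit is that every line item in your Cyber budget request can be traced back to a ranked asset and a named control, which is exactly the strategic spending the previous section argues for; a gap with no mapped control is flagged rather than silently dropped, so it still shows up in the report.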

My Thoughts On This:

Another line of thinking is to find out what resources are freely available to the SMBs in your city or town.  I know there are a lot of them, especially since Trump signed this kind of allocation into law before he left office.  You don’t have to have deep pockets to adequately mitigate the Cyber risks that are posed to your city.  You just have to think strategically, especially when it comes to doing the Risk Assessment.

And to the Cyber Vendors:  Yes, we are all businesses and have to make money.  But Cybersecurity is also a team effort for everybody.  Forget the bottom line for a little while and offer your services, even pro bono, to a local government for a short period of time.  Doing so could yield you a lot of fruit in the end.
