October has been designated Cyber Security Awareness Month, and the U.S. Department of Homeland Security has issued a series of five weekly topical themes. This week’s theme is “Cyber Security in the Workplace is Everyone’s Business.” NACo, in partnership with the Public Technology Institute (PTI), has developed a series of useful checklists and commentary created for county elected leaders.
In Week 1, published in the Oct. 3 issue of CN Now, we focused on what an individual can do to be more cyber secure. This week we focus on what an organization can and must do.
Cyber security breaches have grown some 26 percent over the previous year, with ransomware continuing to rise. County governments have always been particularly attractive targets because they collect and store such massive amounts of personal information (tax records and payment information, for example). With the growth in the use of mobile devices and social media apps, there are now more entry points for mischief than ever before.
The weakest link continues to be our employees. One misguided click on a targeted phishing email can compromise an entire organization. To make matters worse, many phishing emails appear to come from colleagues whose names we know, sent from email accounts that were compromised in an earlier attack.
The recommendations for individuals remain largely the same, but with added emphasis on the potential impact on the whole organization: one careless staff member can bring down an entire county operation.
Many counties require cyber security awareness training while others simply provide optional training. Our experience shows that many programs are inadequate for several reasons, which include:
- Training is only required once a year.
- Training can be too technical.
- Training can scare some staff and can create an environment of resentment or fear of punishment.
- Training can lack real-world examples and is often out-of-date.
While much of the actual protection of the digital infrastructure resides with the technical experts, there are two paramount roles county elected leaders can and should play. The first is for public officials to set the proper example themselves. This means following the same rules as everyone else, such as using complex, unique passwords and changing them when policy or a suspected compromise requires.
The second role is to ensure a safe and secure cyber environment. The key component of this is a robust cyber security awareness program. The programs offered today, online or in person, vary widely in quality and approach, and many public officials ask what they should be looking for and what the elements of a sound cyber security awareness program are. Here is a list to consider.
- Assign a senior staff member to be in charge. This person might be the chief information officer, the chief information security officer or another designee who is both technical and people-oriented. A high-level administrator or HR professional can also fill this role.
- The best plans are ongoing, not just an annual event of a few hours of training.
- Practice the elements of the plan and conduct drills to make sure everyone understands and complies.
- Make sure there are stated consequences for careless behavior, scaled to the severity of the violation.
- While holding to your stated policies and procedures, also create a positive environment that encourages staff to report at once if they believe they may have come across something wrong. In fact, there should be consequences for anyone who fails to report an incident immediately, and the act of reporting itself should never be penalized, even when the reporting employee caused the incident.
- Conduct regular, focused sessions that explore the various types of cyberattacks. This demonstrates your organization’s commitment to keeping systems safe and keeps the topic front and center with employees.
- Consider role playing to demonstrate how criminals use the phone, email or social media to manipulate staff into handing over valuable data that then ends up in the wrong hands.
- Train employees to recognize an attack: not only what it looks like, but whom to call and when to report it.
- Always encourage employees to come forward with anything that does not look or feel right. There have been many cases where an alert employee reported something as it was unfolding and, as a result, the organization was able to minimize damage and loss.
Overall, training must be relevant and should be fun — like playing detective or guarding the “palace” as in a video game.
There are many digital destinations one can turn to for more information and assistance.
Check this story online at www.countynews.org for some very useful resources. Some are a bit more technical — so if you think one is useful, simply pass it on to your technical staff — it shows your interest. Remember, cyber security awareness is about awareness.
Finally, make sure your organization is a member of MS-ISAC (the Multi-State Information Sharing and Analysis Center), a NACo and PTI partner; membership is free, and it is funded by DHS.