Local governments face an ongoing struggle to keep pace with technology on ever-shrinking budgets. The financial constraints are comparable to bootstrapping a startup while still having to meet basic needs. Municipal and state governments are often far behind their federal counterparts in cyber security. Federal organizations generally have strong cyber security practices because of a clear recognition of what is at risk to the country in a data breach. Local governments, on the other hand, face many barriers beyond the most obvious one, money. These include a lack of skilled personnel, compliance challenges, shared infrastructure, political infighting, a lack of strategy, and of course negligent insiders.
Given all of these constraints it may be hard to imagine that even decent cyber security practice is possible. Thankfully, there are practices every local government can adopt that will improve its cyber security posture even without a CIO. It will, however, need to involve everyone in executive decision making. Fair warning: this article will not recommend specific tools. Instead, it shares cyber security best practice resources to help you start or improve your cyber security efforts.
The first question to ask before embarking on the journey to better cyber security is: Is information a core part of governance, or is it a stand-alone management area? If you answered that it is a stand-alone management area, then some realignment may be necessary. By integrating information into your daily governance you gain a strong understanding of how data flows through the local government. This requires an examination of people, policies, processes, procedures, and protocols. Of course, this is a large undertaking, so it is good practice to establish a committee to gather this information and develop the policy and framework for information governance. Local municipalities with a CIO likely already have some information policy in place beyond what regulation requires. Even with a CIO, however, it is important not to treat information as a stand-alone area; it is one of the core underpinnings of government. The management consulting firm McKinsey has published a good introduction to information governance, which can be found here. Robert Smallwood has also written a handy introductory text, Information Governance for Executives: Fundamentals and Strategies, which can be found here.
Information Security Frameworks & Best Practices
Frameworks are a strong way to get started on the right foot. Many organizations may feel compelled to develop something new, but it is much more cost effective to adopt one of the freely available frameworks. There are no silver bullets when it comes to getting cyber security right, and these frameworks are built with that in mind. When using a framework, tailor it to your specific conditions rather than adopting it wholesale.
CERT Insider Threat Guidance
In any organization, the fact remains that people are the biggest vulnerability. This aspect of cyber security is referred to as insider threat. In some municipalities insiders, whether malicious or negligent, can go unnoticed for years, and some are never caught. Thankfully, the U.S. federal government has dedicated funds to combating the insider threat.
The CERT Division of Carnegie Mellon University's Software Engineering Institute provides a framework for organizations to work through, complete with best practices for combating insider threats. It recommends 20 core practices, each mapped to relevant security and regulatory standards. You do not need to implement all of them, only the ones necessary to protect your data. Its Common Sense Guide to Mitigating Insider Threats is the go-to resource.
NIST Cybersecurity Framework
One of the most widely adopted frameworks is the Cybersecurity Framework from the National Institute of Standards and Technology (NIST), which also publishes a wealth of other cyber security guidance. The framework was developed to cover every aspect of cyber security, encompassing technology, people, and processes in both the physical and digital spaces, and it organizes them around five core functions: Identify, Protect, Detect, Respond, and Recover. The framework can be found here; remember to use only what applies to your organization's needs. You do not want to overburden your municipal operation with too many new processes and practices at once.
In short, addressing cyber security in local government is a massive undertaking, but it is well worth the effort. Beyond protecting every citizen under your administration, you are also contributing to the cyber resiliency of the entire nation.