Not a week goes by that we don’t hear about it – ransomware attacks on governmental entities (large and small), hacks of governmental entities, loss of data by governmental entities, hacks of the service providers of governmental entities, and so on. As a result, no one can dispute the critical nature of Information Technology Security at all levels of government, from the smallest towns to the highest levels of federal and state government.
Even the private personal information of government employees (social security numbers, etc.) is at risk, as this data is held internally and often by payroll service providers as well. Speaking of service providers, it is wise for governmental entities to also ensure that these third-party providers have proper information technology security controls in place. Cyber liability insurance for the government entity, and ensuring that critical service providers maintain such coverage, is also worthy of consideration.
Here is a sample of other areas for consideration:
1. Cybersecurity review and independent testing.
2. Email encryption for emails containing sensitive information.
3. A social media policy to prevent disclosure of sensitive information. As a real-life example, how safe is the physical security of your payment collection areas if an employee is posting on social media that they are the only employee in the area at certain times of the day?
4. Security awareness training as a key tool in preventing phishing attacks.
5. Security safeguards, including strong passwords that are changed at a regular frequency, along with other security safeguards.
6. A detailed and documented Incident and Breach Response Plan is also a must. If, for example, a ransomware attack occurs, what is the action plan? Who are the players? Who communicates with the media, etc.? See how the ThreatAdvice Incident and Breach Response team can assist with this.
7. Ensuring that data stored on discarded PCs and copiers is not exposed to access. For example, computer hard drives must be destroyed.
8. Protection of the information security network itself from external penetration.
9. Perhaps one of the most important points of all - a determination of just what it is you are trying to protect with Information Systems Security. The starting point for this is an Information Systems Security Committee. This is a must in government, as records are shared across functional areas, and some information is highly confidential. As an example, there may be medical information not only on staff, but on prisoners, in the database. There may be social security information on old deeds or mortgages that has not yet been purged. Copies of resident tax returns could be on file where residents are required to provide them to document their case for agricultural property tax breaks. Confidential information could be present on underage accused sex offenders (the breach of which could present legal risk).
Before you can adequately address the security of electronic records in government, you must obtain an understanding of just what it is you are trying to secure. Hence, this Committee should be composed of representatives from all departments and elected official areas, so that an understanding can be gained of the scope of protection needed.
10. A cybersecurity partner is also a key area for consideration. Such a partner makes a periodic report to your council on the status of information security and assists with your cybersecurity risk assessment and associated solutions.
Finally, remember that cybersecurity not only affects your government entity and its functioning as a provider of services; it can have other far-reaching effects, including reputational risk and even your local revenue stream.
For example, suppose a large area business is wiped out by ransomware and no longer operates in your community. This creates a significant revenue effect, including not only the loss of the business itself, but job losses as well. Hence, security awareness training performed by your local business community is just as important as it is for your government entity.
Hopefully, these “thoughts to ponder” will assist you in your consideration of Information Technology Security and how it affects government at all levels, directly or indirectly.