By Dr. Alan R. Shark, Executive Director, Public Technology Institute
October has been designated Cyber Security Awareness Month, and the US Department of Homeland Security has issued a series of 5 weekly topical themes. This week's theme is "Cyber Security in the Workplace is Everyone's Business." PTI is developing a series of useful checklists and commentary created for city and county officials.
This article focuses on what an organization can and must do to be cyber secure.
Cyber security breaches have grown some 26 percent over last year with ransomware continuing to rise. County governments have always been particularly attractive targets because they collect and store such massive amounts of personal information (tax records, payment information, etc.). With the growth in the use of mobile devices and social media apps, there are now more entry points for mischief than ever before.
The weakest link continues to be our employees. One misguided click on a targeted phishing email can compromise an entire organization. To make matters worse, many phishing emails tend to come from employees whose names we know and whose email addresses were compromised in an earlier attack.
Recommendations that affect individuals are largely the same, however, with the added emphasis on the potential impact on an entire organization. One careless staff person can bring down an entire city or county operation.
Many local governments require cyber security awareness training while others simply provide optional training. Our experience shows that many programs are inadequate for several reasons, which include:
While much of the actual protection of the digital infrastructure resides with the technical experts, there are two paramount roles elected leaders and appointed officials can and should play. The first is for public officials to set the proper example themselves. This means following the rules, like having and changing complex passwords, etc.
The second role is to ensure a safe and secure cyber environment. The key component of this is to have a robust Cyber Security Awareness Program. Many programs offered today online or in person vary in quality and approach. Many public officials ask, what should I be looking for and what are the elements of a sound Cyber Security Awareness Plan/Program? Here is a list to consider.
There are many digital destinations one can turn to for more information and assistance. The listing below includes some very useful resources. Some are a bit more technical, so if you think one is useful, simply pass it on to your technical staff; it shows your interest. Remember, Cyber Security Awareness is about awareness!
Multi-State Information Sharing and Analysis Center. MS-ISAC is a PTI partner and membership is free.