6 Steps to Better Security
For public sector agencies, the ever-changing cyber threat landscape can seem daunting. New types of malware, new phishing tactics, and hackers who work around the clock to refine their techniques are ever-present. Mitigating these threats and securing an organization's information is not just a job for already-stretched IT departments. Cybersecurity is everyone's job. The most secure agencies create a cyber culture around people, processes, and technology, in equal measure.
Council members, mayors, and city and county managers have a unique responsibility to drive this culture in consultation with CIOs and IT directors. Together, these leaders form an important team that embodies the people, processes, and technology that must align to mitigate risk. While a strong cyber culture is thoughtfully developed over time, leaders can immediately implement these six quick security controls to strengthen their organization's security posture.
- Stop reusing passwords.
Avoid password repetition and using common or generic passwords like "Winter2020," as hackers easily guess those. Be sure to separate professional and personal usernames and passwords so that if one account is compromised, the other won't be affected. Employees with administrative access to a device or network should use two separate login accounts: one for day-to-day, non-administrative tasks, and one for administrative use. Finally, consider using a password manager to randomly generate security question answers, passwords, and usernames. Remember to store critical passwords in a secure, air-gapped location.
- Patch your network.
In 2019, almost every major data breach was the result of either weak password usage or known vulnerabilities being exploited on unpatched devices. Keeping patches up to date on desktops, servers, firewalls, mobile devices, switches, and routers greatly reduces the risk of them being compromised. When patching, test patches in small groups, then patch in increasingly large batches until everything is updated and running smoothly.
- Enable multi-factor authentication (MFA).
MFA ensures access to an account is only granted after proving the account belongs to the correct user. It provides an extra layer of security because it requires at least two things to access an account, including:
a. Something the user knows, such as a password.
b. Something a user has, such as an authentication code generated by an app or a one-time PIN texted to a phone.
c. Something a user is, such as a fingerprint.
- Proxy your traffic.
In cybersecurity, a proxy is a device that traffic flows through for inspection, control, and monitoring. If used correctly, it can eliminate most malware threats today by restricting access to certain types of web browsing. To protect against malware, program a proxy to block:
a. Unknown websites (unrated, new, or uncategorized); and
b. All malicious categories (phishing, adware, etc.).
- Segment your network.
Simply put, people should have access to the things they need for their job, and access they do not need should not be given. For example, 911 service networks should not be on the same network as the public library. Students should not be on the same network as school staff. Vendors should not be able to plug directly into a network with unvetted access, nor should employees be able to connect their personal devices to organizational networks. Segment users so that an infection on one portion of a network won't affect other, more critical places.
- Modify inbound email.
A typical email gateway connects to the Internet, with all inbound and outbound emails routing through it. Modify emails coming into an organization by adding a reminder at the top of each when a message is coming from an external source. Include language that staff should only open attachments if the sender is trusted.
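The banner step above, sketched as an added example (not code from the article or from any gateway product). The domain names, banner wording, and function names are assumptions. It classifies by the From header for simplicity; because that header can be forged, a production gateway should decide "external" from the connection source or sender authentication results instead.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this example: the organization's own domains and banner text.
INTERNAL_DOMAINS = {"agency.example"}
BANNER = ("CAUTION: This message came from outside the organization.\n"
          "Only open attachments if you trust the sender.")

# Constructed sample message, used to exercise the functions below.
SAMPLE_EXTERNAL = (
    "From: Vendor <billing@vendor.example>\n"
    "To: clerk@agency.example\n"
    "Subject: Invoice\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please see the attached invoice.\n"
)

def is_external(msg):
    """Treat a message as external unless its From domain is one of ours."""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS  # a missing From counts as external

def add_banner(raw):
    """Parse a raw message and prepend the banner to every body part."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    for part in msg.walk():
        # Leave containers and file attachments untouched.
        if part.is_multipart() or part.is_attachment():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            part.set_content(BANNER + "\n\n" + part.get_content())
        elif ctype == "text/html":
            html_banner = "<p><b>" + BANNER.replace("\n", "<br>") + "</b></p>"
            part.set_content(html_banner + part.get_content(), subtype="html")
    return msg

if __name__ == "__main__":
    print(add_banner(SAMPLE_EXTERNAL).as_string())
```

Both the plain-text and HTML parts are tagged so the reminder appears whichever version the mail client renders.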
Teaching all users to follow best practices including those above is key for security awareness and risk mitigation. Cities such as Sunrise, FL, are also employing proactive strategies by implementing regular training and disaster recovery and business continuity plans.
Considering managed threat detection can also help in monitoring and analyzing an agency's network activity. In State College, PA, for example, 24/7 monitoring of network traffic generated an alert that an entity was using a VPN to access the municipality's network from Aruba. Upon further investigation, it was simply an employee doing work while on vacation, but it could have been a much different situation if the entity had been unknown. Knowing about it immediately would have helped officials avoid a potentially dangerous outcome.
The majority of all publicized ransomware attacks in the United States in the past year targeted local governments. It's never too early for elected officials and agency leaders to team up with their tech leaders to scale simple steps across an organization to bolster security and better protect their data.
For more information contact Brian Aylward, association manager at Tyler Technologies at firstname.lastname@example.org, and learn more about driving a successful cyber culture here.