
Public Sector Cybersecurity: Effective Strategies to Improve Cybersecurity Posture

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.

By Malik Dulaney
December 15, 2019

Ransomware attacks, malware proliferation and phishing schemes are headliners in the news. The victims of these attacks used to be limited to large corporations. Now, city, state and local governments are targeted because they are increasingly attractive to hackers. Government organizations manage services for police, fire, courts, water/utilities and traffic/citation systems. Hackers feel these organizations are worthy targets because they manage critical functions but work with limited resources. These organizations don’t have substantial IT resources and may not be able to focus on cybersecurity. They may not attract cybersecurity talent or be able to outsource cybersecurity expertise. Hackers are very astute and know that public organizations are less likely to have the resources to invest in cybersecurity.

Much has been written about the technical solutions for cybersecurity. IT departments should focus on asset tracking, strong password policies, multi-factor authentication, software updates/patches and encryption of data at rest and in motion. Beyond what IT practitioners implement, public administrators should consider other effective strategies that would improve their organization’s cybersecurity posture.

User Education and Awareness

Informed users are the biggest tool an organization can have to ensure a solid cybersecurity posture. It is easier for hackers to target individual users within an organization with phishing and malware attacks than it is to carry out attacks on systems using technical methods alone. There has been a shift to phishing attacks as the largest attack vector for hackers.

Good cyber hygiene can be taught. Teaching users how to protect themselves and their organizations from these attacks is cheaper than employing the latest and greatest security products. IT departments have found it is effective to educate their users with periodic email lessons. They also try to foster a culture of openness by encouraging their users to ask questions. 

In addition to in-house education, there are online services that will provide phishing and spam training, as well as automated email phishing testing of employees. These services will send brief lessons via email and/or conduct asynchronous online training.

Disaster Recovery/Business Continuity Planning

Prioritize development of disaster recovery and business continuity plans. A disaster recovery plan outlines what should be done immediately after a disaster occurs. This plan applies to any major disruptions, including cybersecurity-related events. It determines what should be done during and after an emergency. It outlines what roles and responsibilities are assigned to specific personnel, companies or agencies, and who is contacted for incident response and remediation. For example, a disaster recovery plan would address what to do initially during a ransomware attack.

A business continuity plan is broader, long-term and encompasses the disaster recovery plan. It describes what will be done to recover from a major incident and restore the organization’s operations. A business continuity plan addresses what to do during an extended, far-reaching event, such as a hurricane. These plans can be developed with outside assistance. They can also include cyber-insurance coverage and incident response retainers.

Incident Response Retainers

There are companies that will establish pre-negotiated incident response retainers with organizations. The incident response contractor provides a quote/invoice for an introductory amount of incident response hours at an agreed-upon rate. The customer generates a purchase order for the incident response company to keep on file. The vendor establishes a service level agreement (SLA), outlining the guaranteed response times. If/when a security event occurs, the customer calls the service provider to remediate the situation. The customer knows who to call, what services will be provided and how much it will initially cost.


Cyber-insurance works like other types of insurance coverage. Insurance companies will underwrite policies covering damage stemming from security-related events. This allows customers to transfer a certain amount of the risk associated with their IT operations. Cyber-insurance isn’t as mature as other areas of insurance underwriting. There are more underwriters in the market now, increasing the possibility of getting coverage for organizations with immature cybersecurity programs. Policies should be integrated into incident response plans to coordinate approval for response service providers ahead of time.

Utilize Cloud Computing

Organizations should explore leveraging cloud technologies to offset the risk of managing systems in-house. Cloud outsourcing reduces the risk of managing IT services onsite, as well as reducing personnel, equipment and other associated expenses. Cloud providers such as Google Cloud Platform, Amazon Web Services and Microsoft Azure have staff with security expertise that monitor systems around the clock. Applications like email web services can be offloaded to cloud providers, along with the inherent risk of managing those services.

Consider utilizing cloud services when adding new software services or updating current systems. Weigh the provider’s reputation and security practices, risk of handling sensitive data, cost savings and service level agreements (SLAs) when considering service providers.


Adding some or all of these tools to your arsenal can improve your organization’s cybersecurity. Several of these strategies can be employed to start improving cybersecurity posture with a reasonable amount of investment. Most of these strategies can be implemented without internal staff or technology infrastructure.

Author: Malik Dulaney, PhD, CISSP is an information technology professional with the University of Dallas and an adjunct cybersecurity professor with the Gupta College of Business at the University of Dallas. He is also a public sector researcher with research interests in cybersecurity in public and nonprofit organizations, cyber warfare and information technology policy. He can be reached at [email protected].
