Cybersecurity for Urban & Suburban Municipalities – Part 2: Strategy
6 min read
In Cybersecurity for Urban & Suburban Municipalities – Part 1: Overview, we learned about the vast and diverse range of considerations public officials need to consider when evaluating municipal cybersecurity.
Shortly after we published Part 1, reports of multiple large cyberattacks broke. In one attack, the Colorado Department of Higher Education learned on June 19, 2023 of unauthorized access to its systems some time between June 15 and June 19 in which the threat actor copied personally identifiable information (PII), including the names, student identification numbers, and social security numbers of students who attended public high schools and universities
While these considerations may be substantially different from a typical business organization, the key pillars of an effective cybersecurity strategy are essentially the same.
Actions Municipalities can take to improve Cybersecurity
Building a Security Operations Center (SOC)
Establishing a Security Operations Center, or SOC, is the foundation for a municipality to be able to manage, detect, and respond to cybersecurity risks, threats, and vulnerabilities in real-time. By taking a proactive approach to cybersecurity, counties and cities can minimize the likelihood of an attack, although it can never be completely eliminated.
A SOC is a coordinated 24/7 IT security team that is dedicated to monitoring, detecting, investigating, and responding to cyber threats. Larger counties and cities should seriously consider implementing a municipal-staffed SOC. Smaller municipalities, on the contrary, may benefit from contracting security operations to a dedicated third party.
A municipality’s security operations center is the organizational unit that is responsible for many of the following recommended actions.
Conducting Regular Security Audits & Assessments
Known vulnerabilities and cyberattack methods are constantly evolving. As such, cities and counties need to periodically update their cybersecurity protocols, plans, and procedures.
A security audit is an independent review and examination of a system’s records and activities to determine the adequacy of system controls, ensure compliance with established security policies and procedures, detect breaches in security services, and recommend changes to security controls and procedures.
Security audits and assessments may include reviewing logs, roles and permissions, and penetration testing. Penetration testing, also known as “pen testing” or “ethical hacking,” is a method of security testing in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system.
Providing Employee Security Awareness Training
The biggest asset in any organization is its people; however, they are also its biggest vulnerability with regard to security. As such, regular security training for municipal employees and contractors is one of the most effective preventative measures for reducing cybersecurity risk.
Employees are often targets of social engineering, or attempts to trick someone into revealing information that can be used to attack systems or networks. Keeping employees up to date with the latest social engineering techniques can help a municipality prevent an attack by minimizing threat vectors.
Mandating Multi-Factor AuthN (MFA)
Multi-Factor Authentication, or MFA, is authentication (AuthN) using two or more factors for successful authentication. Factors include something you know (password or code), something you have (key, badge, cryptographic token), and something you are (biometrics, fingerprint, retina/iris scan).
Enforcing MFA across a municipal organization can reduce the risk of a compromised password or a lost key/badge because a single factor is insufficient for authentication.
It is important to note that MFA policies should apply not only to city/county employees, but to residents, customers, third-party vendors, and anyone else whose identity needs to be authenticated.
Engaging in Ongoing Security Monitoring
Continuous security monitoring enables a municipality to use real-time data and information to detect and respond to threats and attacks immediately.
A security information and event management (SIEM) tool is an application that provides the ability to gather security data from various systems and components and present that data as actionable information. Using a SIEM tool allows a security operations center (SOC) to automate the analysis of log data and provide ongoing visibility and monitoring.
Developing Incident Response, Disaster Recovery, and Business Continuity Plans
Urgency, efficiency, and accuracy are crucial in quickly identifying and mitigating a security threat.
A Business Continuity Plan (BCP) defines an established set of instructions or procedures to allow an organization to recover and return to normal operations.
Incident Response playbooks determine standard operating procedures (SOPs) and are developed based on the goals, processes and procedures outlined in the BCP.
A Disaster Recovery Plan (DRP) is a written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.
Maintaining Standard Policies for Retention/Disposal/Destruction of Data & Devices
Data retention policies at any given organization are often dictated by laws & regulations, industry standards, and organizational objectives. These policies may require both a minimum retention time (often determined by laws & regulations) and a maximum retention time (destruction point).
Retaining data longer than is legally required may expose a municipality to unnecessary risk, as threat actors may find ways to exploit vulnerabilities and compromise that data.
Performing Regular Patching & System Updates
Many systems release regular updates, known as patches, in order to address newly discovered vulnerabilities. If systems are not patched and updated regularly and quickly, threat actors may be able to take advantage of these vulnerabilities.
Regular patching and system updates contribute to eliminating a threat vector and known vulnerabilities.
Implementing Zero-Trust & Least Privilege
Zero-trust refers to removing the design belief that there is any safe space within a a network. Based on the principle of zero-trust, micro-segmentation is used to manage security at each level, representing even the most granular asset.
The principle of least privilege is the idea that people should be given the minimum permissions necessary to complete their job functions and no more.
By implementing both of these policies, municipalities can reduce the risk of unauthorized activity being carried out by an internal threat actor, such as a disgruntled employee or contractor.
While it is impossible to completely eliminate the possibility of a cyberattack, urban and suburban municipalities can drastically reduce the chances of an attack by implementing standard cybersecurity policies and procedures.
About The Author
