Putting cybersecurity action plans in place, both before and after an attack

Not being prepared is as expensive as it is debilitating for municipal operations

According to a recent survey from the Public Technology Institute, only 35% of the local government IT departments surveyed have adopted a strategic plan for preemptively addressing cybersecurity concerns. And, perhaps even more disconcertingly, only 27% have developed an incident response plan to help guide staff through what at this point can only be considered the next inevitable attack.

If we’ve learned anything from recent, well-publicized incidents, like the ransomware attack that forced the city of Baltimore to revert to manual operations after 10,000 city computers were compromised, it’s that not being prepared is as expensive as it is debilitating for municipal operations.

The First Step Is Inventorying IT Assets

Evolving technologies have made it increasingly difficult for agencies to identify their key IT assets -- i.e. the ones that must be protected in the case of a breach -- but that still doesn’t change the fact that agencies can’t protect what they don’t know they have.

“As cloud technologies and mobile devices become workplace staples,” the Center for Internet Security explained in a blog post earlier this year, “it’s essential that CISOs consider all data for which they are responsible. Start by taking an inventory of all hardware and software your organization uses. Next, map out where data lives — whether that’s on a hard drive, in an application or in the cloud.”

This should be considered a mandatory risk assessment exercise.

Fill the Skills Gaps on Your Team

Do not wait for another budget or strategic planning cycle to begin enabling staff to obtain the in-depth training they need to learn about such critical cybersecurity components as network infrastructure, SSL, cloud computing applications, security analysis and investigation, application security, attack vectors, and attack schemes such as distributed denial of service (DDoS) attack,” writes CivicPlus’ Director of Information Security Jim Flynn.

Flynn suggests using the guidelines set out in the Federal Cybersecurity Workforce Assessment Act to:

  • Identify the percentage of staff with Information technology, cybersecurity, or cyber-related functions who currently hold appropriate industry-recognized certifications
  • Identify the level of preparedness of staff without credentials to take certification exams
  • Identify a strategy for mitigating any gaps identified with appropriate training and certification for existing staff.

While federal agencies are required to follow these steps, municipalities would be wise to follow suit.

Cybersecurity Incident Response Plans

“Incident response is one of those things that should be practiced regularly like fire safety training or disaster recovery testing so that when something bad happens, your actions are almost second nature ensuring a favorable outcome,” says Ashley Deuble, manager for IT security and identity services at Griffith University.

Through working with many companies over the years and experiencing firsthand a variety of approaches to incident response, Deuble has devised a six-step model that agencies of all sizes and levels of expertise can put to work right now.

#1 Preparation

The preparation phase is all about making sure you have clearly defined processes for handling a variety of cybersecurity incidents. This includes knowing who to contact and when, both within the organization and without.

#2 Identification

This is where your team identifies the type of incident the agency is experiencing. Holding monthly tabletop cybersecurity incident similations is a great way to get IT staff members up to speed on best practices for quickly pinpointing, and then mitigating, specific attack types.

#3 Containment

Containment is all about preventing any further damage to your compromised systems.

#4 Eradication

This is the stage in which your team makes sure your system is clean and ready for restoration. This is also why regularly backing up data is so important.

#5 Recovery

This is where systems are restored and brought back online. It also includes having plans in place for monitoring any continuing signs of suspicious activity.

#6 Lessons Learned

This is the (often overlooked) stage in which IT professionals can either prove or disprove the age-old adage: “Those who do not learn from history are doomed to repeat it.”

Read about specific tactics local governments have used to mitigate cybersecurity incidents in the National League of Cities’ Protecting Our Data: What Cities Should Know About Cybersecurity report:

CS Cybersecurity Report Final by Ed Praetorian on Scribd

Sarah is based in North Carolina, where she lives with her son and several rambunctious reptiles. Before taking on her current role with Lexipol, she was the staff writer for the tech website DZone and served as an assistant editor with the rural lifestyle publication GRIT Magazine. Get in touch with her at ssinning@lexipol.com.