Cyber attacks are coming. Are you prepared?
By Roy Hadley, Jr.
Cyberattacks against municipal and state governments are becoming increasingly common. Attackers know that these governments often hold a tremendous amount of data on constituents, including credit card information, bank account details, and even social security numbers. As attackers realize that corporate America is becoming increasingly vigilant and hardened against attacks, criminals are focusing on governments, which they perceive to be more vulnerable and less prepared.
It is to this backdrop that governments must increasingly become vigilant with respect to the information they collect, store and use. As recent examples of major cyberattacks against governments have shown, both the number and severity of attacks will continue to increase.
Steps to getting cyber-ready
First, governments must adopt a holistic security mindset. This commitment should permeate throughout the organization, including increased spending on security as well as continual training and education for all employees. Governments should also strongly consider the hiring of a chief information security officer (CISO), who are already a necessary part of a security plan in corporate America and should have a similar status in all governments.
Secondly, governments should prepare for the worst. This includes not only having a security plan in place, but regularly exercising this plan. During an attack is not the time to try to develop a response plan.
Legal clients in corporate America can engage in “tabletop exercises,” which simulate a mock data breach/attack and the response. These exercises are very valuable in that if an incident does occur, everyone knows what, when and how to do it.
Third, despite tight budgets, governments should spend appropriately for security. While it is sometimes difficult to choose between schools,and new cybersecurity infrastructure, the costs of dealing with incidents after the fact most times far exceeds the investment that should be made on the front end. Working with outside vendors and security consultants, municipalities can leverage the experience of others to put in place the proper security infrastructure and procedures.
Fourth, municipalities should understand that technology is evolving daily, including the cybersecurity landscape. There are many bad actors that make it their job to attack governments. As such, governments should make it their job to protect the information they entrusted with by their constituents. Central to this is governments understanding the latest and greatest in technology and cyber defense capabilities.
Again, leveraging the expertise and experiences of partners and other governments is also a key part of this process. It is worth noting that often governments can piggyback upon thecontracts of other local and state governmental entities to get better deals on security infrastructure and services.
Lastly, governments need to understand that at the end of the day most breaches still occur due to human error. Whether it is an employee clicking on a link, putting a thumb drive into a computer or falling for a phishing scam, employees are the most often used vector by cyberattackers. As such, ongoing training should be mandatory for all employees. It is this training that will help employees to be the first line of defense again cyberattacks.
All levels of governments must dig deeper and to ask more questions about their readiness. Included in this is first and foremost an assessment of their current status to spot vulnerabilities, areas for improvement and potential threat vectors.
Further, governments must stay abreast of the latest threats, such as ransomware, phishing and malware, and ways to counter these and other threats such as encryption, adequate backups and private cloud services.
Municipalities are being increasingly targeted due to the perception that they are not prepared. In light of this, all governments should focus on cybersecurity and on becoming more diligent around their IT infrastructure, employees and processes. For most governments, the question is not whether they will be attacked, but when.
Roy E. Hadley, Jr. is an attorney with Adams and Reese (Atlanta) who serves as independent counsel to companies, governments, and boards on cyber matters, helping them understand and mitigate legal risks and exposures to protect themselves and those they serve. He has previously served in the corporate roles of general counsel and chief privacy officer, as well as special counsel to the president of the American Bar Association and special assistant attorney general for the state of Georgia. He may be reached at Roy.Hadley@arlaw.com.