The right playbook to fight against ransomware
In October, the FBI released a public service announcement warning of potential “high-impact” ransomware attacks against U.S. organizations. Ransomware and the associated fallout continue to burden organizations every day. Major cities felt the brunt of this impact, with more than 81 attacks on municipalities in 2019 alone.
Ransomware can plague operations and hamper everything from public safety to transportation and waste management. For example, a recent attack against a major eastern city restricted civil employees’ access to essential resources like bill payments and databases required by local prosecutors to try cases.
State and local government leaders are taking these issues seriously. NASCIO’s State CIO Top Ten Priorities consistently identifies security and risk management as a top priority.
An investment in the right technology and careful execution of cyber procedures will immediately transform the security posture of state and local governments. While municipalities and state governments may not know when a threat will come, these steps can help mitigate the effects of a breach:
Develop a cyber playbook
Like agencies that have preparedness plans to protect and respond to natural disasters, cybersecurity teams also need to plan in advance for cyber incidents, including the development of playbooks with varying scenarios.
Many organizations follow the NIST Cybersecurity Framework, which guides teams through the cybersecurity process. This framework is an excellent tool as its flexibility allows governments to fit the guidelines to their specific situations.
Flexibility matters because as an organization’s goals change, so do the risks. The cyber playbook should align with the NIST framework, with a comprehensive approach to security focused on identifying, protecting, detecting, responding to and recovering from issues within an environment. IT leaders must ensure the playbook isn’t stagnant as the organization continues to evolve.
Train, train and train again
Government organizations must follow various guidelines, whether IRS Publication 1075 for revenue departments or HIPAA for healthcare agencies. However, simply remaining compliant doesn’t ensure citizen data will be protected; there are numerous scenarios that standard requirements won’t cover. One important scenario is when data or a system becomes unavailable or corrupted. This is where developing a system backup plan comes in, to know how long an organization can operate through an outage, and how to transition to paper logs if necessary.
Security teams should always utilize opportunities for continual training. When a new member joins the team, use the onboarding process to reintroduce exercises and best practices to the whole team. Leaders should also leverage creative methods—including team events and gaming-based training, such as capture the flag and software that simulates attacks—to facilitate greater participation and learning. These scenarios should include best-case and worst-case outcomes of an attack.
Awareness training is also key for teams to be able to identify and respond correctly to suspicious activity within networks.
Audit (and supplement) personnel
Cyber leaders should continually audit organizational roles to determine specific strengths and weaknesses within their teams to assess their stance on risk management.
The need for cyber talent is clear: the lack of cyber personnel and resources is undeniable. A 2017 Netwrix survey found 75 percent of government respondents’ organizations lacked dedicated information security personnel. For example, the majority of ransomware attacks were successful because known vulnerabilities were not addressed. This speaks to a national trend where many executives feel cybersecurity staff are overwhelmed.
A successful way to bridge this gap is through a hybrid managed service model, which includes a combination of civil servants and support agreements with private sector companies that help augment resources to respond quickly in the face of cyber incidents.
Proper cyber hygiene
Cyber hygiene isn’t a one-off exercise or participating in National Cybersecurity Awareness Month once a year; it’s a consistent mindset that encompasses all parts of our lives and a continual journey. As governments reinvent the ways they operate and interface with constituents, they must also empower employees through a workforce transformation to meet the growing security expectations of the 21st century. This needs to be a year-round effort, with substantial, calculated investments in employees through awareness campaigns.
Cyber hygiene and culture begin at home. It’s important that agencies and employees educate themselves through phishing exercises and cyber literacy, to help them understand the possible negative consequences both at home and in the workplace.
Invest in infrastructure with built-in security
Agencies struggle to protect the numerous endpoints that fall outside of the traditional security reach of the organization. As the number of tools and cloud-based systems increases, the volume of generated data also rises, expanding IT infrastructure beyond data centers, making it harder to protect against threats.
It’s vital then for governments to invest in a secure, flexible infrastructure from the beginning, extending from edge to core to cloud. Doing so will allow them to focus on continually improving citizen experience without having to worry about the disruption of layering security on top.
The road ahead
An investment in a comprehensive security approach not only saves invaluable time and resources, but also preserves public trust. For example, if citizens can’t trust an online portal to conduct business with the government, they may all show up in person, disrupting service and organizational processes, or perhaps worse, their needs may go unmet.
Fighting ransomware is an iterative process that measures progress. Agencies should tailor these efforts to make the most significant impact within the organization and meet with their business peers to re-assess risk and adjust the course of the cyber security program accordingly.
Christopher Montgomery is the chief technology officer and strategist for state and local government for Dell Technologies.