Schools and local municipalities have always been vulnerable to cyberattacks, but in recent years, especially since the pandemic's beginning, they have been increasingly more prone to threats. According to a statement by DHS, ransomware attacks "crippled state and local agencies
in 2020," calling for a State and Local Cybersecurity Improvement Act
to set a baseline for new changes with cybersecurity efforts at the state and local level.
With more employees working from home than ever and millions of students participating in distance learning, public cloud consumption
increased dramatically, putting organizations at a new level of risk for IT disruption and cyberattacks. In response, state and local governments have begun a more targeted approach to cybersecurity plans.
As Brandon Shopp, group Vice President of Product at SolarWinds, discussed in a recent article in American City & County why, "a proactive defense strategy,"
when compared to a technology-first approach, can be more effective when it comes to developing and carrying out a cybersecurity plan. Here are three ways he advises IT organizations to do so:
- Identify key assets. Shopp says the first way state and local governments can take a proactive approach to their cyber strategy is by first identifying "the most critical data in their digital environment." By doing so, organizations can ensure the most crucial data is safeguarded before anything else. He explains that most organizations already have key components down in their cybersecurity plans – maintaining and protecting servers and critical endpoints. But they sometimes miss other important pieces, including addressing what is inside those servers and endpoints, including "applications, data stores, systems, and even employees. The unfortunate truth is that employees can sometimes be an organization's most significant liability when it comes to cyberattacks, and as Shopp says, "if an employee who has access to sensitive data is targeted with a phishing campaign – where threat actors send emails containing a malicious attachment or direct the recipient to a website containing ransomware – the entire data set could be compromised. The attack success depends on sufficient training for all employees and ensuring cybersecurity policies and backup plans are up to date and accessible for all. The good news is with these plans in place, proper training, and with the most critical organizational data defined, IT teams can then create targeted processes and policies to heighten security around these items. In addition, a review of which data points are most critical for the organization should be done on a regular basis.
- Practice regular data hygiene. To reiterate the above, a periodic review of critical data points is essential in implementing a sound data hygiene practice, of which state and local municipalities need to be especially mindful. To take things further, a recent study shows IT teams should "adopt a mentality in which even 'medium' risk exposure is unacceptable." Shopp adds that IT teams should be deploying solutions capable of providing complete visibility into all systems so they can identify and mitigate hidden risks. "Even small changes like maintaining a regular patching cadence, enforcing multi-factor authentication, and reducing the attack surface using network segmentation or virtual machines can improve security postures." A" top-down" approach, he says, is paramount in maintaining a secure, clean data environment. Non-IT employees must be treated as an extension of the security team to maintain the best data hygiene practices for your organization.
- Stay on top of regulations. Staying on top of the ever-changing guidelines and regulations in IT can be daunting, but at the end of the day, it can also keep you ahead of the cybersecurity curve. As Shopp says, "regulatory guidelines drive security, force buy-in from senior teams, and reduce the potential for data breaches in the future. They also benefit citizens whose data must be protected." Regulations like the General Data Protection Regulation (GDPR) act and the California Consumer Privacy Act have expanded significantly in terms of what state and local municipalities should be doing to best protect their data, controls they must have in place, and reporting requirements for data breaches.
Staying up to date with changing regulations and keeping teams involved with these changes is imperative. New regulations like the State and Local Cybersecurity Improvement Act
will set a baseline for new changes in cybersecurity efforts. Please share this information with your team as it becomes available. It may seem like an additional task on already full plates, but at the end of the day, it's just another way to create a proactive defense strategy for your organization. Doing so will keep you ahead of the curve and create a more secure data environment – for everyone.