Reducing Cyber Security Concerns for the Small City – Part 2

What does it take to run a small city these days? Budgets, staffing, and maintenance of city facilities are always a concern. However, we would like to point out a few things related to reducing cyber security concerns and how city administrators and city councils can push their IT staff, IT vendors and Public Works vendors toward reducing these concerns.

In part one of this two-part series, we examined connecting public works control systems (SCADA) to the public Internet and police department compliance with CJIS cyber security standards. Let’s continue with our last three cyber security concerns.

Concern #3: Poor Investments in Technology

We’ve seen many “cheapskate” city council members think they are protecting their residents from “the expensive costs of IT infrastructure” by continually declining to spend money on hardware and software. We think this mentality is short-sighted and does the residents a disservice, introducing inefficiencies and cybersecurity risk. Here are some tips for proper budget planning, which spills into reducing the cybersecurity exposure for the city:

• Rotate desktops and laptops out every three years. This gets the old computers out of the system and keeps them up to date on the latest software and security configurations.
• Rotate networking gear out every five years. Routers, switches, access points, and firewalls – all keeping up to date and with the latest security patches.
• Hire a qualified security vendor to review your security configurations and policies. Everyone needs a coach, and a security vendor helps city staff maintain a good security posture.
• Invest in a good intrusion and detection and prevention system (IDS/IPS) managed by a 3^rd party vendor. There is very little to no time for internal staff or an outsourced managed IT vendor to monitor a good IPS/IDS system, so outsourcing this critical task is a must.

Concern #4: Legacy Employees and/or Employees Unwilling to Learn

We all know the folks who are unwilling or incapable of learning more in computers/technology. They are increasingly unproductive and can often be a security liability. Maybe there is another role for this person in your organization. Don’t get us wrong, we are not advocating for violations of employment laws around age discrimination – we are advocating the active management and coaching of these employees. Their knowledge is valuable, and we love their insight, but it should not come at the cost of a cybersecurity incident. Here are a few tips for addressing legacy employees:

• Establish a mentoring program. Get serious about pairing up employees who are mature leaders with the up-and-coming leaders of those areas. The mentoring should include all three areas of knowledge: business, technical, and relationships.
• Establish a “reverse mentoring” program. The reverse mentoring works the opposite of the regular mentoring program where now the younger employees mentor the older employees specifically on technology-related activities. For example, you can pair up a young mentor with an older employee to teach them how to use new capabilities from your accounting system.
• Ask employees who attend conferences to present to the team who may benefit from the newly acquired knowledge. At the minimum, they could write an “Executive Summary” of what they learned and share it with the team.
• Invest in the “soft skills”, such as training on leadership talent and management skills development (notice that leadership is a talent and management is a skill). Invest in the other skills that are crucial for all employees to succeed—especially those in leadership—such as negotiation, communication, presentation, and presence skills.
• Most importantly, establish a culture of continuous improvement and learning where everyone is cross trained on other duties and everyone has a backup.

Concern #5: Relaxed Oversight of IT Functions

There are two ways relaxed oversight of IT functions happen. The first one is where there is internal IT staff. Staff gets busy and says, “I’ll get to that someday” and someday never comes.

The second way relaxed IT oversight happens is when an IT vendor is hired to manage the IT infrastructure, but they have no methodology of making sure security best practices are followed.

Both can eventually lead to what we call “sloppy security”.

We’ve got a few ideas on how to overcome sloppy security:

• Pick a security frameset to follow for your non-CJIS areas of the City’s network. If you don’t already have one, we recommend looking into the newer CMMC 2.0 framework, which is based on several NIST standards. A good security vendor can help your IT team determine which of the various CMMC levels of security are needed for your city.
• Hire a 3^rd party security auditor to audit security at least every three years. This security auditor needs to be a 3^rd party vendor so they can give the team objective results and recommendations.

Your Call to Action

Start the process of raising the awareness levels of Internet security in your city. Hire a company to do a security audit, and then implement their recommendations.

We hope our tips related to reducing cyber security concerns was helpful. What projects are you working on? As always, we’re here to help.

This week’s post by Tim Malzahn, Principal Consultant at Malzahn Strategic