Cybersecurity Governance for Municipalities
Municipalities in Canada and around the globe are attractive targets for cybercriminals. They hold valuable information about residents, yet most cities and provincial governments have small IT budgets and often lack the qualified cybersecurity personnel needed to manage cybersecurity governance properly.
The Canadian Centre for Cyber Security has observed increasing malicious activity targeting provincial and municipal governments. It is aware of more than 100 cases of cyberthreats targeting Canadian municipalities since early 2020.
Targeting residents’ personal data, service continuity, and trust in local institutions, criminals use tactics such as social engineering, unauthorized network access, or the deployment of malicious code (e.g., ransomware) to achieve their illicit goals.
The main threats to local municipalities
Attacks on local governments arrive primarily through email, a business tool that can be turned into a Trojan horse, fooling employees into helping criminals gain access to the organization's IT network.
Attackers deliver malware through links or attachments that employees click on innocently, unwittingly opening the door.
A particularly insidious tactic is the spoofed email, a technique used in spam and phishing that makes a message appear to come from a person or entity the recipient knows or trusts, such as an internal colleague or a government official — even the mayor. The intent is to get the recipient to click a link or open an attachment that delivers malware.
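The spoofing tactic described above leaves traces in the message headers that a mail gateway or a helpdesk script can check. The following is an added example, not code from the original article or from any product it mentions: it runs four heuristics over constructed raw messages (a VIP title on an external address, a Reply-To pointing at a different domain, an internal From domain that failed DMARC at the gateway, and a look-alike domain within two edits of a real one). The domain cityexample.ca, the title list and the Authentication-Results values are all assumptions made for the example.

```python
"""Heuristic spoofed-email checks over constructed raw messages (added example)."""
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr

# Assumed for this example: the domain(s) the municipality really sends from and
# the job titles attackers most often impersonate. Tune both per organization.
INTERNAL_DOMAINS = {"cityexample.ca"}
IMPERSONATED_TITLES = {"mayor", "treasurer", "cao"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike domains such as cityexamp1e.ca."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoof_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks spoofed. An empty list means no heuristic
    fired, which is not proof that the message is legitimate."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: list[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    is_internal = from_domain in INTERNAL_DOMAINS

    # 1. Display-name impersonation: a VIP title on an external address.
    name_words = set(re.findall(r"[a-z]+", from_name.lower()))
    if name_words & IMPERSONATED_TITLES and not is_internal:
        findings.append(f"display name '{from_name}' used with external domain {from_domain}")

    # 2. Replies silently redirected to a different domain than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To goes to {_domain(reply_addr)}, not {from_domain}")

    # 3. Mail claiming an internal From domain that did not pass DMARC at our gateway.
    auth = str(msg.get("Authentication-Results", "")).lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    if is_internal and results.get("dmarc") != "pass":
        findings.append(f"internal From domain but dmarc={results.get('dmarc', 'absent')}")

    # 4. Look-alike domain within two character edits of a real internal domain.
    if not is_internal and any(edit_distance(from_domain, d) <= 2 for d in INTERNAL_DOMAINS):
        findings.append(f"look-alike domain {from_domain}")
    return findings


# Constructed samples for the example (not real mail).
SPOOFED = """\
From: "Mayor Jane Doe" <mayor.office@cityexamp1e.ca>
Reply-To: payments@invoice-portal.example
To: clerk@cityexample.ca
Subject: Urgent wire transfer
Authentication-Results: mx.cityexample.ca; spf=fail smtp.mailfrom=cityexamp1e.ca; dkim=none; dmarc=fail header.from=cityexamp1e.ca

Please process the attached invoice today.
"""

LEGITIMATE = """\
From: "Jane Doe" <jane.doe@cityexample.ca>
To: clerk@cityexample.ca
Subject: Council agenda
Authentication-Results: mx.cityexample.ca; spf=pass smtp.mailfrom=cityexample.ca; dkim=pass header.d=cityexample.ca; dmarc=pass header.from=cityexample.ca

Agenda attached.
"""

FORGED_INTERNAL = """\
From: "Mayor Jane Doe" <mayor@cityexample.ca>
To: clerk@cityexample.ca
Subject: Gift cards needed
Authentication-Results: mx.cityexample.ca; spf=fail smtp.mailfrom=cityexample.ca; dkim=none; dmarc=fail header.from=cityexample.ca

Buy five gift cards and send me the codes.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE), ("forged internal", FORGED_INTERNAL)):
        print(label, "->", spoof_indicators(raw) or ["no indicators"])
```

The third check only works if the municipality publishes SPF, DKIM and a DMARC record for its own domain and the gateway stamps Authentication-Results; without those, forged mail from your own domain is indistinguishable from the real thing by headers alone.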
Some of the main threats to watch for include:
- Ransomware attacks, which usually arrive through phishing email, sometimes through SMS text messages, and also through exposed remote-access services and unpatched systems.
- USB malware, which is introduced to the network when an infected USB key is plugged into a workstation.
- Distributed denial-of-service attacks, which flood a municipality's services portal with traffic from compromised computers around the globe so that residents cannot reach the services they need.
- Social engineering, which tricks someone into helping the attacker, for example a phone call in which the caller pretends to be someone they are not in order to get an employee to share a password.
- Spoofed email, which is a form of social engineering (explained above).
A final and particularly concerning threat is the insider, who is highly unpredictable. There are countless reasons a person might turn hostile toward your organization, and from the inside, someone with malicious intent can cause all sorts of problems.
Common gaps municipalities must mitigate
Municipalities share many common cybersecurity gaps. Here are the 10 most prevalent problems that I’ve seen in my 35 years in cybersecurity:
- Lack of information security policies. Security policies don't have to be elaborate, but they should address at least the following topics:
  - Acceptable use of IT resources;
  - Information security classification (i.e., what constitutes a confidential document?);
  - Access to information (i.e., who can access which information?);
  - Security for teleworkers and travellers;
  - Physical protection of sensitive documents; and
  - Security background checks for employees and contractors.
The Government of Ontario's Cyber Security Centre of Excellence website lists policies and standards you can use as a guide and adapt to the needs of your municipality.
- Lack of security awareness. Most municipalities have an inadequate information security awareness program. A program should include mandatory, recurring online training and phishing simulations, with the employee "click rate" tracked over time so you can see whether it is falling. Everyone, from the mayor down, needs to go through the training and understand the types of threats to watch for. Larger municipalities can outsource training to companies that specialize in security awareness, and you can hire companies to run simulations that show you where you are vulnerable.
- Lack of data encryption. Every laptop should have full-disk encryption. No one should be able to take home unencrypted sensitive data. Ever. And no one should be using USB keys: they are a main source of data leakage and malware infiltration, and should be banned. There are more efficient and secure ways to exchange information, such as your organization's cloud file-sharing service.
- Outdated endpoint protection. Traditional antivirus software has a fundamental limitation: it recognizes only known malware by its signature, and thousands of new malware samples appear every day. It can take weeks, or even months, for security vendors to discover a new strain and ship a signature for it.
That is why endpoint protection has moved to Extended Detection and Response (XDR). Instead of relying on signatures, XDR looks for abnormal behaviour (including insider abuse) and alerts the appropriate system administrators. Because it judges behaviour rather than known signatures, it can also catch malware the security community has never seen (often called "zero-day" malware), though no tool catches everything, so someone still has to act on its alerts.
- Lack of IT asset management. You need an asset management solution that maintains a current inventory of your hardware and software: what equipment and software you have, the model or version, who has it, and where it is. These systems can also detect unauthorized software installed by users. Decent asset-tracking software doesn't need to be expensive.
- Lack of access control. Privileged accounts, such as system administrator accounts, should be kept to a minimum. You also need a defined process for granting and revoking access: when an employee leaves, application owners must inform the system administrators as soon as possible so the corresponding accesses are deactivated. I recommend quarterly access reviews to confirm that each access is still justified by a business need to know. All systems should also require two-factor authentication for remote access and for privileged access.
- Poor control of third-party contractor access. Any company considered for a critical online service (e.g., the pay system) should be able to provide a SOC 2 Type 2 report, an independent audit of its security controls over a period of time that most serious cloud service providers now obtain. Any IT security consultant you consider hiring should hold a CISSP certification. Finally, conduct a security background check on every contractor who needs access to your IT systems.
- Lack of security patches and updates. Hygiene is a requirement in any IT environment. Computers should be set to patch and update automatically, and obsolete operating systems and software should be removed. Vulnerability scans should be run at least annually to identify unpatched systems, weak passwords, unsafe configurations, and the like.
- Skipping penetration tests. Having a qualified contractor conduct penetration tests on your IT infrastructure every year is a must. Remediate any identified vulnerabilities immediately.
- Not preparing for incident response. An improvised response to an IT incident can be a catastrophe. Create a crisis management team that includes representatives from legal, public relations (ideally a firm on retainer that manages crises regularly), and your insurer if you have cyber insurance. Write crisis response procedures, starting with the most critical and most probable scenarios. Use a crisis management mobile application to coordinate during an incident: remember that your computer network could be down, and paper versions of your plan are likely out of date.
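The quarterly access review and the two-factor rule in the "Lack of access control" item above can be made mechanical: export the directory's accounts, cross-reference them against the HR roster, and flag anything that violates the policy. The following is an added example (not code from the article or from any product it names) with a constructed roster and account export; the 90-day staleness threshold, the review date and every username are assumptions made for the illustration.

```python
"""Quarterly access review over a constructed account export and HR roster (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 90           # assumed policy: disable accounts unused this long
REVIEW_DATE = date(2024, 6, 1)  # constructed date of this review


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str          # HR employee/contractor id; "" if nobody owns the account
    privileged: bool       # domain admin, database admin, etc.
    mfa_enrolled: bool
    remote_access: bool    # VPN / remote desktop entitlement
    last_login: date | None


# Constructed HR roster of people who still work for the city (id -> name).
ACTIVE_ROSTER = {"E1001": "A. Clerk", "E1002": "B. Admin", "C2001": "Contractor Inc."}

# Constructed account export from the directory.
ACCOUNTS = [
    Account("aclerk", "E1001", False, True, True, date(2024, 5, 28)),
    Account("badmin", "E1002", True, False, True, date(2024, 5, 30)),    # admin without MFA
    Account("jsmith", "E0999", False, True, False, date(2024, 1, 15)),   # owner left in February
    Account("svc-backup", "", True, False, False, date(2024, 5, 31)),    # nobody owns this one
    Account("contractor1", "C2001", False, True, True, None),            # never logged in
    Account("tmp-audit", "E1001", True, True, False, date(2023, 11, 2)), # unused for months
]


def review_accounts(accounts, roster, today):
    """Flag the conditions the policy forbids; returns category -> usernames."""
    findings = {"orphaned": [], "unowned": [], "privileged_without_mfa": [],
                "remote_without_mfa": [], "stale": []}
    for a in accounts:
        if not a.owner_id:
            findings["unowned"].append(a.username)
        elif a.owner_id not in roster:          # owner is no longer on the HR roster
            findings["orphaned"].append(a.username)
        if a.privileged and not a.mfa_enrolled:
            findings["privileged_without_mfa"].append(a.username)
        if a.remote_access and not a.mfa_enrolled:
            findings["remote_without_mfa"].append(a.username)
        if a.last_login is None or (today - a.last_login).days > STALE_AFTER_DAYS:
            findings["stale"].append(a.username)
    return findings


def run_review():
    """Run the review over the constructed data above."""
    return review_accounts(ACCOUNTS, ACTIVE_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for category, users in run_review().items():
        print(f"{category:24s} {', '.join(users) or '-'}")
```

The "orphaned" list is the one that catches the departure notification that never reached the administrators; the "unowned" list is what turns up service accounts that nobody will answer for when they misbehave.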
Some final recommendations
Something I always tell clients is that backups are also vulnerable to ransomware. Keep at least three copies of your data on at least two different types of media, store at least one copy offsite (consider what happens if your building burns down), keep at least one copy offline where ransomware cannot reach it, and regularly test that backups restore without errors.
Next, nominate one senior person in the organization to be accountable for IT security. Conduct an IT security assessment, then present a three-year roadmap to your City Council, because you'll need a reasonable budget to do what is needed. If possible, outsource 24/7 IT security monitoring and response to professionals, and leverage cloud services where possible to get away from on-premises data storage.
Finally, use the Association of Municipalities of Ontario's A Municipal Cyber Security Toolkit to guide your cybersecurity governance and ensure that your municipality is prepared for the inevitable cybersecurity incident. Eventually, everyone is a victim of hackers. Preparedness determines who walks away unscathed.
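"Verified backups without errors" means more than a job that reports success: it means proving, after a restore, that every file came back byte for byte. The following is an added example (not from the article or any vendor it mentions) that records a SHA-256 manifest at backup time and then checks a restored tree against it, catching a silently altered file, a file the restore left out, and a file that was never in the backup. The file names and contents are constructed for the illustration.

```python
"""Checksum manifest for a backup and verification of a restore (added example)."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time."""
    result: dict[str, list[str]] = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    # Files present after the restore that the backup never contained.
    result["unexpected"] = sorted(set(build_manifest(restored_root)) - set(manifest))
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up three files, then 'restore' with one altered,
    one missing and one extra file, and see which the manifest catches."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "payroll.csv").write_text("id,amount\n1,100\n")
        (source / "finance" / "ledger.db").write_bytes(b"\x00\x01\x02")
        (source / "notes.txt").write_text("council minutes\n")

        # Taken at backup time and stored with every copy, the offline one included.
        manifest_json = json.dumps(build_manifest(source), indent=2)

        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        (restored / "finance" / "payroll.csv").write_text("id,amount\n1,999\n")  # silent corruption
        (restored / "notes.txt").unlink()                                        # incomplete restore
        (restored / "README_DECRYPT.txt").write_text("your files...\n")          # not in the backup

        return verify_restore(restored, json.loads(manifest_json))


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

The manifest is only trustworthy if an attacker who reaches the backup cannot also rewrite it, so it belongs on the offline copy as well, or should be signed with a key that is not stored alongside the data.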
Municipalities worldwide work with Cisco to secure their valuable IT networks. Check out Cisco Umbrella, a key component of Cisco Secure’s portfolio of products that provide security and peace of mind for local government leaders in Canada and around the globe.