Recent data on network security all seems to be pointing to one conclusion: State and local government networks are extremely vulnerable.
Consider these statistics:
- A study just released by the Pell Center for International Relations and Public Policy at Salve Regina University on the state of cybersecurity readiness in state governments singled out only eight states as handling cybersecurity well.
- According to the Identity Theft Resource Center, more than 34 million records were exposed in breaches involving government agencies or the military in 2015.
Ransomware — like Cryptowall — is not only damaging to an organization; an infection is also a shot to the ego. That’s especially true if you’re in the same boat as the Texas sheriff we heard about recently. He works in a small town where budgets are small and staffs are smaller. Not only is he the sheriff, he’s also his own IT staff.
This sheriff noticed one morning that he’d been locked out of his network by a Cryptowall infection. He called someone for help and was told that he had two options: Pay for the encryption key, or revert all of his data to the last backup and just lose any data that was new since that date. For the sheriff the choice was easy. He’d pay for the key. Why? Because he hadn’t backed up anything for more than a decade.
The story is an extreme example of what is a common problem. Staffing issues and budget constraints can make governments an easy target. That’s why it’s critical that these organizations move toward improving security. But that doesn’t mean buying new devices. Proper security is about more than tools. It’s about knowledge. Here are three steps that government IT managers can take, especially those at the local level, to start building more secure networks.
1). Recognize What You Don’t Know
One thing we’ve found is that there are many misconceptions about data security held by government employees. These misconceptions must be corrected before real advances can be made. The two biggest are:
- My data is already public, so we don’t need to protect it. — Open records legislation has created a bit of confusion for those tasked with controlling who can see what information. On one level it’s understandable. The clerks working in some local government offices may see so many requests for information that they assume everything is public and that keeping the data digitally secure isn’t really necessary. The truth is, most information that’s being held by local governments and agencies isn’t inherently public. Some of it can be obtained through the proper channels, but that doesn’t mean security to protect it is unnecessary. The solution to this is actually pretty obvious: Data has to be segmented and classified. Too many local governments can’t tell HIPAA data from criminal data from Social Security numbers. Without classifying data simply as either public or private, you are making the work of your local clerks twice as hard.
- I know exactly what data is where. — Pay enough attention and you’ll notice that in all the news stories about federal government data breaches, officials knew exactly what kind of information was compromised. If those stories had been about local governments instead, the information wouldn’t have been so detailed. With single servers handling multiple departments and applications, it isn’t possible to know where data is at the level of detail that the federal agencies have. A single breach of a single server could mean that information from several departments has been compromised. How can this be fixed? With the budget concerns that local governments have, the easiest solution is virtualization. Run virtual machines that split up your apps and do not let them cross.
2). Engage in Consistent and Thorough Training of Your People
Headlines at the end of last year were asking if we were seeing the end of malware. Obviously, data says probably not. But that doesn’t change the fact that many hackers are increasingly turning to advanced social engineering tactics to prey on the naiveté of the typical employee.
But too many local governments are relying on trainings held a year or two ago to keep their networks protected. That’s not good enough. Training needs to be more regular than that. It needs to be done using simple language. Questions need to be encouraged and employees need to be tested regularly.
3). Use Your Limited Budgets Wisely
Local governments have a problem with speed. They want to be able to buy a security device, plug it in and instantly have a secure network. Unfortunately, security doesn’t work like that. It takes time. It takes consideration. It takes knowledge of your network and what data you need to protect and then buying the right device to do the job.
Every network is different. That’s why, no matter the device, modifications are going to be required. Development is going to have to be done. The new device will have to be tuned to the network if it’s going to achieve maximum effectiveness. All of that takes time.
But not only do these governments need to focus on buying the right device, it’s critical that the equipment purchased be high quality. No going down the street to Joe’s Firewall. Governments need to install a real piece of equipment that does real work.
Sometimes, though, the best use of your budget may be to not buy any equipment at all, but to hire someone to handle things for you. Whether it’s moving parts of your network to the cloud or using remotely managed devices, you can save money and time and get top-level protection by looking to outside vendors to help you manage your security.
About the Author: David Lissberger is chief executive officer at Sentinel IPS, a managed service that relieves the burden of network security for businesses with its threat management system based on active threat intelligence.