Prioritizing Your Cybersecurity Efforts During Election Season

The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.

As we head into the primary season, culminating with the presidential election in 2020, we are starting to hear more and more chatter on election security. State and local governments are faced with the challenge of assuring voters that elections are secure and free from tampering. However, with nearly daily reports of ransomware attacks on government agencies and phishing attacks becoming more and more sophisticated, the election systems aren’t the only area that needs focus. Voter registration data must be protected and even websites used to post official results can be vulnerable to attack. How can local governments protect their citizens? Whether you are protecting voter registration data or protecting a municipal management system, security best practices remain the same.

The Basics of Prevention

Cybersecurity is complex and can be confusing. For many organizations, security consulting is often a new investment and governments are on fixed budgets. As a result, we have seen many government organizations struggling to identify a workable solution for securing county and municipal systems. How can you prioritize investment in security and come up with a cybersecurity plan that meets your organization’s needs? Let’s see if we can begin to answer that question. We’ll start with the cybersecurity basics. At a minimum, it’s a good idea to do the following:

  • Run a reputable anti-virus package on all systems;
  • Practice good user controls and avoid giving all users full administrative access to their workstations;
  • Apply security patches regularly;
  • Run firewalls at all locations with an Internet connection; and
  • Leverage some form of anti-spam technology.

Does this sound familiar? I hope so. If not, then this is a great place to start. I’d recommend making it a priority to talk to your IT department or IT provider. These are
foundational items to your security practice.

Employee Awareness Training

Beyond implementing basic infrastructure prevention, executing a strong cybersecurity plan requires more than your IT department or IT provider. Most successful attacks in the past year started with an email to an employee. These emails often trick employees into sharing their credentials, initiating fraudulent wire transfers, and unwittingly launching ransomware attacks. You cannot merely protect your hardware and systems, you must also protect your employees.

In order to protect employees, it’s critical to regularly train them. They need to become capable of spotting fraudulent email messages. And the good news is there are two good, low-cost ways to support and train your employees.

First, email banners that identify a message as coming from outside your organization are a simple way to raise awareness. A note from a coworker asking for sensitive information with a banner across the top identifying as coming from an external source should immediately raise a red flag. Almost every email system can support this feature at no additional cost.

Second, phishing simulation platforms are prevalent and inexpensive. These tools allow you to identify employees that click on suspicious links and provide targeted training to those individuals. When used repetitively, these training platforms shift the culture of the organization to caution. Employees stop clicking on every link and replying to every message. They start questioning the request in the email, asking themselves, “does this message make sense? Is the action I am being asked to take reasonable? Did John really just email me out of the blue and ask me to redirect his paycheck to a new account?”

Response and Recovery

After putting some of the basic prevention measures mentioned above in place, it’s then time for an organization to start thinking about how to respond to and recover from a security incident. The reality is that investing in security can dramatically lower the likelihood of an event, but there is no guaranteed way to avoid
one. Have you given thought as to how your organization would respond to a security event? There are two items that everyone should consider when it comes to formulating your response - cyber liability insurance and data backups.

Backups are Your Best Friend

The importance of data backups to an organization’s ability to recover from a disaster is not new. I have spent most of my career in IT helping organizations see the value of a solid, tested, backup solution. The value of backups was recently put to the test in the wake of Hurricane Dorian traveling up the east coast. The organizations with properly configured backups are reaping the benefits of faster, easier restoration to normal operations. While a cyber attack is very different from a hurricane, the same principles of disaster recovery apply. The impact of a ransomware attack crippling an organization is no different than losing infrastructure to a hurricane. In either case, backups are critical to recovery.

There are a few problems we regularly see with the configuration of data backups. First, it’s common to discover that only a portion of your data is being backed up. This means that you won’t undergo a full recovery. Second, it’s typical to discover the backup data isn’t replicated to a remote location and does not have enough separation from your production network. There have been several instances this year of organizations whose production data and backup data was encrypted in the same ransomware attack. Ask your IT department or IT provider when the last test restore was performed of your data. Testing your restore capability is the only way to know for certain that your backups are functioning properly. Speaking of restores, organizations typically underestimate the amount of time it will take to restore their data. With the right backup solution in place combined with a strong recovery plan, you could be back up in several hours or days. Without proper backups and a tested plan, cities can spend months on recovery efforts. The only way to know for sure how long it takes to restore your environment is to perform
a full system restoration test. It is also important to note that not all data is of equal value. You may have some systems that you want to the ability to rapidly restore while others can be down for weeks or months with little impact.

Importance of Cyber Liability Insurance

The costs of cyberattacks are increasing. Florida cities have been in the news many times recently regarding fraudulent wire transfers of hundreds of thousands of dollars and ransomware payouts totaling over a million dollars. Cyber liability insurance can protect an organization against these types of attacks. It can protect you from the costs of a ransomware attack, covering the ransom itself or the costs of a recovery effort. An added benefit that is frequently overlooked with cyber liability insurance is the expertise that your carrier can bring to the table in the event of an incident. They can help provide the forensic expertise to untangle how a breach occurred and even expertise in dealing with a ransomware attacker. They know which attackers are likely to provide the decryption key when paid and which attackers you should not pay.

But Wait, There’s More

We’ve covered many of the basics and those are a great place to start. However, there are other technologies and processes to consider for your long-term
cybersecurity plan. This includes multi-factor authentication, incident response plan, regular security scans, and more that you and your IT professionals
should evaluate. As I mentioned at the beginning of the article, cybersecurity is complex and can be confusing. The landscape is constantly changing. New solutions and products are frequently introduced and new types of attacks surface just as often. Cybersecurity is a specialized component of IT and is often outside the skill set of a typical IT department. As a result, it can be unreasonable to ask your IT staff to keep up with their day to day duties and remain current on cybersecurity trends. Even cities that feel they have a robust plan in place should seek outside expertise. The company I work for leverages outside organizations to monitor and test our security. We have the experts on staff but, just like a financial audit, an outside review may find something that we have missed. I would much rather
get the opportunity to resolve an issue uncovered during an audit than find out about the issue when I am successfully attacked.

What’s the Takeaway?

Ask for help. Request a security gap analysis or security assessment from a reputable organization to determine your vulnerabilities. It will be to the benefit of your residents, the businesses in your community, and your employees. When you select that outside organization, keep in mind you are looking for a long-term relationship. Cybersecurity is not a one-time effort. Cybersecurity plans need to be reviewed, tested, and updated regularly.

About Joe Howland 

Joe Howland is Chief Information Security Officer for VC3.  Joe has has been in the IT industry for over 20 years and has extensive IT management experience that spans multiple industries.  Joe joined VC3 in 2009 and during his time with VC3, Joe has performed in the role of Virtual CIO for some of VC3’s largest government
customers. Joe is currently VC3’s Chief Information Security Officer and is responsible for VC3’s IT security as well as advising on security for VC3’s customers.

Joe can be reached via email at joe.howland@vc3.com or by phone at 803.733.5888.

About VC3

VC3 is a leading managed services provider with a focus on municipal government. Founded in 1994 with offices across the east coast, VC3 forms partnerships with municipalities to achieve their technology goals and harness their data. In addition to providing comprehensive managed IT solutions, VC3 offers cybersecurity, website design, custom application development, and business intelligence services.

Visit www.vc3.com to learn more.