The cybersecurity risk to local government
Weak or nonexistent cybersecurity programs represent a massive organizational risk for county and municipal government agencies in the United States. County and municipal executives are often unaware of these risks because they assume that their IT director, their CIO or an external vendor is managing security and addressing the risks. It is rare that such an assumption is correct.
While the Ponemon Institute[i] found that “federal organizations have a stronger cybersecurity posture than state and local organizations,” the Brookings Institution[ii] concluded that “the vast majority of public agencies lack a clear cybersecurity plan.” Much of the available research is based on small samples, and I believe that these studies may understate the scope of the problem. Based on my 23 years of working with public-sector organizations, I can state with confidence that most lack any cybersecurity plan at all.
Your job as a municipal executive is to provide leadership and management in order to get the big picture right throughout your organization. What follows is advice on how to ensure that an appropriate cybersecurity program is established and functional in your organization. I recommend that you, the municipal executive, assume high-level responsibility for cybersecurity oversight. You don’t need to know the technical details, but you must know whether or not the infrastructure, policies and procedures are in place and working correctly.
Definitions
The need for information security is as old as civilization and possibly as old as life on earth. Information security (infosec) was invented to protect the first secret — whenever and whatever that was. Infosec is not solely a human artifact — my Great Dane always felt the need to maintain security concerning the location of his favorite bones and dead woodchucks. Techniques, methods and models for protecting information haven’t changed all that much, and the methods of cybersecurity are largely based on models for protecting physical information.
Information security refers to the discipline of and processes for protecting the confidentiality, integrity and availability of all your information, regardless of form. Cybersecurity is a subset of information security and applies to digital data. In this article, I may use those terms interchangeably even though they are not technically interchangeable, but counties and municipalities need an infosec plan that includes cybersecurity.
Municipal data — a pot of gold
County and municipal networks are treasure chests overflowing with priceless gems. Mortgage documents, deeds, birth and death records, ugly divorces, medical records, Social Security numbers and military discharge documents are among the many types of publicly accessible documents that may contain PII (personally identifiable information), PHI (protected health information) or other sensitive data. Constituents turn over all this information naively assuming that you are doing everything in your power to protect it from theft and misuse. Are you a worthy steward of this treasure?
Root causes and obstacles
Let’s discuss eight of the many root causes of failure to establish appropriate information security programs in local government organizations. In the next installment, we’ll move on to a methodical, practical approach you can initiate immediately to improve your cybersecurity posture.
Personnel
“A lack of skilled personnel is a challenge at both federal and state and local organizations.”[iii] One problem is that many public-sector IT directors and CIOs don’t have the knowledge, training and background to plan and deliver acceptable, standards-based, comprehensive information security programs. They are often unaware of widely accepted standards, guidelines and frameworks that are readily available, so cybersecurity planning is often amateur and homebrewed. Moreover, HR and hiring managers often don’t understand the required skills[iv] and look for the wrong people.
The largest municipal agencies may employ a CISO (chief information security officer), but the vast majority of public-sector organizations do not have a dedicated information security executive and staff, nor should they necessarily require one.
IT staff members are rarely trained in or even familiar with relevant statutory compliance requirements. I have come to expect a deer-in-the-headlights look from public-sector CIOs and IT staffers when inquiring about security policies, privacy policies and other matters of security and compliance. Questions about compliance with the HIPAA Security Rule, for instance, are almost always met with, “What’s that?”
A jumble of regulations
Municipal organizations may have dozens of departments, divisions or lines of business that must comply with varying regulatory requirements from numerous federal and state agencies. Municipal governments do a lot. They may be involved in building bridges, managing traffic signals, providing water, waste, electric and sewer services, supervising elections and recording deeds, all while providing physical and mental health services and dental care.
A typical county government may have to comply with regulations like HIPAA[v] (the Health Insurance Portability and Accountability Act) and 42 CFR Part 2[vi] (confidentiality of substance use disorder patient records) while also complying with the FBI CJIS[vii] (Criminal Justice Information Services) Security Policy, in addition to following state regulations from organizations such as an office of mental health or a department of health. Additional requirements for records management from state archives agencies add to those complexities and often contradict other regulatory requirements.
Shared infrastructure
Departments with vastly different information security and regulatory compliance requirements often coexist on a shared network where the security posture is designed for the lowest common denominator rather than for the highest. On a flat network shared by, say, the sheriff’s office, the health department and the parks department, a compromise of the least-protected department is a compromise of all of them. Often, municipal IT staff members don’t have clearly defined policies and procedures for reviewing information such as security logs and system events. Even if they do record these events, their stance is usually reactive rather than proactive.
Silos and turf wars
Counties and municipalities may have highly distributed management structures that function as silos rather than as a cohesive team. In some states, the silos may be a “feature” of constitutional government, where elected officials manage some departments and may not be accountable to central executives. One result is that a county executive, and consequently the county IT department, may not have global control of IT and information security because other elected officials choose not to cooperate. Some real-world examples I have seen include:

County judges and their staff members refusing to sign and abide by acceptable use policies.
County sheriffs refusing to cooperate with an IT security audit, claiming their security policies and processes are “secret.”
Social services commissioners unilaterally declaring that HIPAA regulations don’t apply to their operations.

Silos in organizations create massive gaps in security management. When multiple parties are responsible for security, no one is responsible.
Most security problems are internal
90% of breaches occur because of an internal mistake[viii], and 60% of breaches are the result of internal attacks[ix]. “Internal” here covers negligence (misconfigurations, lost devices, clicked phishing links) as well as malicious insiders. Unfortunately, county and municipal information security programs often treat outside threats as 100% of the problem rather than focusing on the more probable internal threats.
Budget
Insufficient budget is often used as an excuse for low-quality IT services and lack of security in public-sector organizations. It’s usually a red herring. In my experience, there is no correlation between budget and quality in the public sector. I have seen small, low-budget organizations build excellent security programs. I have also seen large organizations with eight-figure tech budgets fail to establish even the most elementary components of an information security program. A cybersecurity program will cost money, but it doesn’t have to bust your budget.
Political hiring
In local government, critical management positions are often filled based on political considerations rather than the quality of candidates. Expertise in information security should be a major component of your CIO’s tool kit.
Tech versus strategic thinking
If you think in terms of technology, stop it! I am always a little suspicious of industry professionals who fall in love with a particular technology. Technology is rapidly replaced or superseded, so think strategically instead. There is no such thing as a technology problem; there are only business problems. Identify and solve for the business problem and the appropriate technical solution will reveal itself.
Solutions
Check back next week for the second installment, where I will discuss solutions you can use to address your municipal or county cybersecurity problems immediately. Also, feel free to leave a comment.
References, Resources and Further Reading
"The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses." Commissioner Luis A. Aguilar. U.S. Securities and Exchange Commission. Oct. 19, 2015.
"How State Governments Are Addressing Cybersecurity." Gregory Dawson and Kevin C. Desouza. Brookings Institution. March 2015.
"World’s Oldest Hacking Profession Doesn’t Rely on the Internet." CNBC.
"Four Critical Challenges to State and Local Government Cybersecurity Efforts." Government Technology. July 17, 2015.
"Human Error Is to Blame for Most Breaches." Cyber Security Trend.
"Cisco 2017 Annual Cybersecurity Report." Cisco.
[i] "The State of Cybersecurity in Local, State and Federal Government." Ponemon Institute. October 2015.
[ii] "The Vast Majority of the Government Lacks Clear Cybersecurity Plans." Kevin C. Desouza and Kena Fedorschak. Brookings Institution. Feb. 3, 2015.
[iii] "The State of Cybersecurity in Local, State and Federal Government." FCW.
[iv] "Cybersecurity Unemployment Rate at Zero." Doug Olenick. SC Magazine. Sept. 19, 2016.
[v] HIPAA Security Rule, Combined Text.
[vi] 42 CFR Part 2.
[vii] FBI CJIS Security Policy Resource Center.
[viii] "IBM X-Force 2016 Cyber Security Intelligence Index." IBM.
[ix] "The Biggest Cybersecurity Threats Are Inside Your Company." Marc van Zadelhoff. Harvard Business Review. Sept. 19, 2016.