In a chat with Georgia’s Cities, Joe Howland, Chief Information Security Officer at VC3, offers these tips for cities looking to increase cybersecurity.
GC: What are the top cybersecurity risks for local governments?
JH: Any kind of social engineering attack. It’s not just a link in an email. It could be a phone call with someone telling you your machine is infected and asking to connect. Or, it could be an email from a seemingly trusted vendor asking for a change to ACH payments. In August 2019, Naples, Fla., got taken for almost $700,000 simply by someone spoofing a construction company the city had a multimillion-dollar contract with.
A second item would be around zero-day vulnerabilities (vulnerabilities that no one has ever seen before). Many cities lack information around what systems are vulnerable, and they lack the ability to rapidly address cyberthreats when vulnerabilities are identified.
GC: How can small cities address these risks without an IT staff and a lot of money?
JH: Partner with a trusted vendor (GMA offers IT in a Box). Even a small IT staff may lack the expertise and knowledge to manage security and stay up to date about the rapidly changing cybersecurity landscape.
GC: How can cities increase the security of teleworking?
JH: An area of security (called Advanced Endpoint Protection/Endpoint Detection & Response) offers better protection at the endpoint—such as an employee’s computer at home. AER/EDR protects devices that are even located outside the carefully constructed security boundaries organizations put in place on their networks.
Make sure employees are using city-managed devices that are regularly patched and monitored.
Provide multifactor authentication (MFA) at all access points—email, VPN, cloud services, etc. MFA requires another step (such as inputting a code sent to your phone) that makes it difficult for a hacker to enter your systems.
Training, training, training! Awareness, awareness, awareness! You can never train your employees enough and create enough awareness about cybersecurity.
This story originally appeared in the March/April 2021 edition of Georgia’s Cities magazine.