Cybersecurity Review
by Damien Boley, Mayor, Smithville, and MML Board Member
Peace Of Mind
Cybersecurity should keep you up at night. It is a big unknown to most of us and can cripple an organization. Big plans for a city park? What happens if someone clicks the wrong link, and those funds are now in the hands of a cybercriminal?
When I first took office, we had a Linksys router in the attic that our police chief had to reboot occasionally and cabling that looked like it was completed using what could be found at the local hardware store by someone who knew a little bit about networking. Our servers lived in a closet or under desks, and most of our staff had older computers. These are all IT assets that fall under a traditional IT manager and insurance scope of work, but cybersecurity is a different story. A flooded IT closet is no big deal when you have backups, as you can usually recover the data. However, when a cyber-attack locks you out, recovery is not so easy and insurance may not cover the situation.
Does your city have a rainy-day fund? Reserve policy? What about a crypto wallet? If you are a victim of ransomware, the time it takes to set up a wallet is hours lost. The time to set up a wallet is now.
Businesses are seeing an average cost of a data breach of more than $4,000,000. On average, small- to medium-size businesses lost $25,000 to cyber-attacks. Most of these attacks are not complex hacking attacks, but instead are social engineering. Test it out: email your staff, ask for something you would consider sensitive data and see how they reply. If they give it to you, what stops them from providing it to someone with a spoofed email address? It is like the “I know the mayor” comments, except that in a cyber-attack the criminal is impersonating the mayor, and most staff are hesitant to tell the mayor no.
I have told our staff I will rarely email them directly. If you see an email from me, do not trust it, but instead question it and look at the email address. If I really need something I will go to city hall and ask, pick up the phone or I will make the request in a public meeting. Based on current statistics, approximately 14% of small and medium businesses consider themselves prepared for a cyber-attack. A staggering 95% of cybersecurity breaches are attributed to human error. People have become apathetic and trust messenger requests, emails, chats and text messages.
So, what can you do? First, invest in training, including simulated incidents. Treat cyber like you would treat fire and tornado drills and emergency response exercises. Review your insurance and ask about cyber coverage and policy; many policies do not cover cybercrime and will tell you to pay the ransom. If you cannot afford a full-time IT professional at a salary in line with private business (often $150,000 - $200,000), find a managed service that can help. Train staff, require use of city email addresses and do not allow bring-your-own-device unless you have a tool to manage those devices (including the ability to wipe them remotely). Work with your bank to ensure you have notifications, alerts and least-access policies in place.
We are all in the business of municipal government and our job is to be good stewards of taxpayer money. This requires public meetings, fulfilling open records requests and following laws. This combination can provide a blueprint of how a criminal can take advantage of your municipality. Think of it like bank robbers obtaining the blueprints to the bank, only