Public Entities and Cyber Security

Posted by Mark Greisiger

A Q&A with David Lineman, Information Shield

Public entities are equally at risk for data loss incidents as organizations in the private sector, yet PEs are often far less prepared to handle these events. I spoke to David Lineman, president of Information Shield, about how PEs can strengthen their cyber security posture.

What are some unique challenges facing PEs with regard to cyber security?
One challenge for public entities, especially city and county governments, is that in order to provide basic government services, the entity must by definition collect personally identifiable information (PII) from “customers.” In many cases, these customers cannot opt out of giving their information. For instance, a person cannot renew a driver’s license or insurance without providing personal information. They also hold vast amounts of employee data. City and other government employees must interact with IT systems in order get basic services such as benefits and payroll.

A second challenge is a lack of IT and security resources. If you ask most local governments, they would say that they are understaffed with regard to their needs for IT support in general and cyber security in particular. Unlike large private companies, most local governments don’t have a dedicated staff of security people on the payroll, so whatever solutions they employ must be very cost-effective.

A final challenge—which is common to many businesses— is a lack of clarity on what it means to be in a “secure state” with regard to cyber security. For example, the federal government encourages any business that’s part of the critical infrastructure to abide by the NIST Cyber Security Framework. The NIST CSF is the closest thing to a federal standard that would apply to small- and medium-sized organizations. While the CSF does provide some specific guidance in key areas (like access control), it has many vague requirements that require a security professional to decipher.

Do PEs face any unique cyber risks?
When it comes to what might go wrong, PEs share a common set of problems with any business. It’s natural for any business to think that they have unique challenges relating to cyber security. But in fact, almost all businesses face a similar set of challenges when it comes to defending against cyber attacks, the vast majority of which are the result of basic problems like improperly trained users and failure to apply security patches to systems.

All organizations need to address two primary goals: First and foremost, to ensure that they have the security protocols in place to defend against the most common threats such as ransomware and accidental loss of sensitive information. Second, the organization must create a “defensible” information security program that would stand up to regulatory or legal scrutiny.

This is where things get challenging, because there’s no standard definition of a defensible program. However, we can define such a program by requiring certain elements. That’s why we have adopted the Common Compliance Library (CCL) at Information Shield. It contains a specific set of program elements that can be understood, adopted and measured. We have taken requirements from various regulations and leading practices and put them into a simple package.

What’s involved in creating a risk management and compliance program?
First, the organization needs to define the essential elements of their cyber security program. This is the list of specific management and technical controls that must be in place to address the risks to the organization. This list of controls falls into a set of 10 or 12 key domains of cyber security and they must map back to regulatory and legal requirements.

With regard to cyber security, it’s important to recognize the controls are both preventative and responsive. In other words, while certain technology such as access control and firewalls are designed to prevent an attack or incident, other controls such as information backup and incident response plans are required to respond to an attack. A sound program has a balanced set of both types of controls. Security awareness and training is one of the classic preventative controls.

Most security breaches can be traced back to a failure of people or process—not technology. So while it is tempting to focus on fancy technology such as firewalls, intrusion detection and malware defenses, you cannot ignore the basic elements or administrative controls managing the cyber security program. For example, since PEs collect many different types of sensitive data, a data asset inventory is a critical first step. It sounds basic, but to protect information you need to understand what you have and where it is stored.

How does a PE decide on the key elements?
This is a very big challenge. As I mentioned earlier, there is no defined standard for what exactly should be in your security program. This is one of the reasons we have a built-in Control Library within our ComplianceShield solution. We have created templates that automatically address the key cyber risk and regulatory requirements. These templates are based on proven best practices that work across hundreds of organizations.

A second key element is a set of written information security policies and procedures. Security policies perform at least two critical functions for the organization: First, they are formal documentation of the security program elements, a primary piece of evidence that the organization has considered cyber security and adopted the proper controls. Second, written policies act as a kind of contract between the organization and its various constituents.

For example, the Acceptable Use of Assets Policy is a definition of how the organization expects employees to interact with systems and protect data. The Data Privacy Policy is a form of contract with customers (citizens) on how their personal data will be gathered, stored and processed. The Network Security Policy provides details to the IT group on how networks are managed and configured. Thankfully, organizations do not have to start with a blank slate. For example, the internet has many examples of information security policies covering specific topics. Also, specialized firms like Information Shield provide a complete list of templates that can be easily customized. In most cases, purchasing a set of templates is a great value, as they save many hours of development time and review. However, it is important to get them from a reliable organization with many years of experience.

What about employee training?
Another key element is employee education and awareness. This is required by every major data protection law and framework, for good reason. Data breach studies consistently show that the primary risk to most organizations is the people who work there. For example, most ransomware attacks start by a user clicking a link from a phishing email and giving out credentials or allowing the perpetrator to install malicious software. Common breaches in the healthcare industry include lost laptops.

In fact, from a pure risk perspective, having employee security awareness training is probably the number one priority. Unfortunately, while essential, training alone will not suffice to build a defensible program. Of course, organizations should have basic technical controls such as a firewall protecting their network and malware scanners protecting their endpoints (individual systems). But time and again we have seen that the most sophisticated technology can be overcome by a well-meaning employee making a mistake.

What else should organizations do?
A final element to creating a “defensible” security program is to keep evidence that your program is running effectively. This essentially means that the organization needs to regularly monitor and test its own program. This can be done, in some cases, by automated tools such as vulnerability scanners or malware detection systems. The key step is to try to get your internal team to think like an auditor. In other words, what might an external auditor look for as evidence that your security program is operating according to your security policies? While this is a shift in perspective, it provides a valuable way to review your program. Of course, the best solution is to hire actual qualified security auditors, but not every organization has the budget to do so.

While this might seem challenging, the idea of keeping compliance evidence is starting to become a standard best practice. For example, the recent New York State Financial Services Regulation requires organizations to maintain a history of compliance evidence for five years. Similarly, the HIPAA regulation requires healthcare organizations and their vendors to maintain a history of policies for a period of seven years. So in our mind, organizations should begin to consider how they will keep track of their overall program and performance over time.

Key Elements of an Effective Cyber Security Program

  • An inventory of sensitive information
  • Documentation: written security policies
  • Well-trained staff
  • Monitoring and updates
  • Response capability (incident response, backup, and disaster recovery)

In summary…

We want to thank Mr. Lineman for his thoughts and insights into the cyber risk facing PEs. He rightfully points out the challenges facing many PEs, such as the fact that they are often the custodians of vast private data that requires prudent safeguarding. Meanwhile, they might not have the same resources as a for-profit company to devote to essential security and privacy controls to mitigate the ever-changing landscape of cyber threats.