It’s a truism but it’s true: In local government, all of the cybersecurity technology in the world won’t matter if an employee clicks on the wrong link in an email and exposes the network to ransomware.
Government employees need proper cybersecurity training, said Laurel Caldwell, IT director for Latah County, Idaho, because the “threat vectors are coming in through email, which is at every single desktop or on a cellphone with the employee.”
Speaking alongside other officials at the National Association of Counties 84th Annual Conference and Exposition in Las Vegas, Caldwell noted that “all it takes is one bad click and your network is going to be down in some capacity.”
Jockel Carter, senior cybersecurity advisor at Tyler Technologies, said at the same meeting that county governments need to transition from a “bolt on” mentality around cybersecurity that sees it as a “necessary evil” to live with into a “baked in” approach that integrates cybersecurity into the organization’s mission.
Officials at the NACo conference stressed that cultural change, including behavioral change, on the part of managers and employees is critical to enhancing county government cybersecurity.
Training, Culture and Behavior Change Keep Counties Secure
County leaders, elected officials and managers need to be “committed to cyber culture being a part of regular business practices” for employees to buy into the importance of cybersecurity, Carter said. “It’s got to start at the top.”
County governments should also make employees deeply familiar with the organization’s cybersecurity culture and best practices when employees first start their tenure, he said.
Additionally, county governments need to build learning, accountability and improvement into all of their processes, Carter added. That includes everything from user and equipment provisioning to cyber risk management, account and activity reviews, threat intelligence programs, and systems lifecycle management.
Caldwell noted that training has concrete impacts. Latah County has been conducting cybersecurity training for the past five years, and although the county did have a breach in that period, it was “very minor” because the county implemented network segmentation technology.
Every month or so, Caldwell gets reports on how many employees have clicked on test phishing emails. “The percentage of people who clicked on the fake email has decreased significantly,” she said. “They are more aware of it.”
Over the past several years, Tarrant County, Texas, has undertaken an extensive “door to door” approach, in which its IT department has gone to nearly every county employee at their offices to give them cybersecurity training. Since September 2016, the county has conducted about 70 presentations to more than 4,000 people, according to Tarrant County CISO Darren May.
“The more people hear about security, the more security-minded they become,” May said. “Culture is behavior. We go door to door and change the behavior of the county.”
May said the presentations focus on the importance of protecting data and try to bring the message home by showing employees how cybersecurity can protect their personal data. May said that he also stresses that employees should not conduct personal business on the county’s Wi-Fi networks. They also go over how to recognize suspicious emails.
“We let everyone know,” May said, “we measure the distance between here and Russia not in miles but in mouse clicks and keyboard strokes.”
Follow StateTech magazine's coverage of the NACo 2019 conference at our conference landing page.