States Face a Wide Range of Cybersecurity Challenges
According to the survey, these are the top security measures established or reinforced by CISOs during the pandemic:
- Safeguard teleconferencing and videoconferencing
- Establish secure work connections with MFA
- Provide guidance on phishing and disinformation campaigns
- Update continuity of operations plans
- Provide continuous guidance on COVID-19 scams
At a Wednesday panel about the survey during the NASCIO annual conference, speakers agreed that COVID-19 has challenged continuity and amplified gaps in cybersecurity.
Discouraging the use of shadow IT has been a challenge, said North Carolina State Chief Risk Officer Maria Thompson, whose state follows a decentralized cybersecurity governance model.
“We found ourselves being more educators, not just on cyber awareness principles but also on approved solutions and the policies around them,” Thompson said. Workers may not see the perils of innocently using a personal application to support an official conference, for example.
Colorado CISO Debbi Blyth said the pandemic has required more technical support from her agency, which has centralized cybersecurity governance across state agencies.
“In Colorado, we had to spin up our VPN from 10,000 concurrent sessions to 30,000 concurrent sessions. We did that over a weekend,” Blyth said.
Employees working from home also prompted Colorado to devise a new way to patch its systems. Previously, the state IT agency pushed patches out over the VPN, which worked because the state assumed users would receive the updates while connected in their offices. But now, employees who aren't connected to the VPN all of the time may miss vital patches. This spurred the state to develop a new approach to patch management, Blyth said.
Moreover, states may hire new employees during the pandemic who have never used state IT networks, said Deloitte Principal Srini Subramanian, a co-author of the 2020 cybersecurity survey.
“There are workers, like contact tracers, who have never been state workers before and have never set foot in a state facility, yet they require access to state systems,” Subramanian said. These workers require immediate IT orientation and training.