Improving “Cyber Hygiene”: The SDPAA announces Members’ Cyber Credit Program
By Dave Pfeifle, SDPAA Executive Director
Local governments in South Dakota and across the country have the dubious distinction of being one of the most ”successful” targets for cyberattacks. Ransomware has become an acute problem where attackers penetrate your cyber network, encrypt the data, then demand money or a “ransom” to decrypt it so you can access it again. This acute problem is gaining more attention as cyberattacks have become part of the nature of warfare. Recently South Dakota Public Assurance Alliance (SDPAA) Members have experienced on average two cyberattacks per year, with each attack costing thousands or hundreds of thousands of dollars to repair and remediate. It is becoming increasingly difficult to obtain cyber liability coverage for public entities. This coverage may become unavailable in the near future. Now is the time for local governments to improve their “cyber hygiene” by taking immediate steps to reduce their cyber risks.
The SDPAA Board of Directors is pleased to launch the SDPAA’s Cyber Credit program. The SDPAA’s 2022 Budget allocated $500,000 towards cybersecurity efforts and the establishment of a Cyber Credit program to provide Members the incentives towards improving their cyber hygiene. The program will provide three tiers of eligibility for SDPAA Members to receive credits to be used towards their future annual contributions to the SDPAA. To qualify for most of these credits, SDPAA Members will simply need to avail themselves of the free resources readily available for public entities. The three tiers of the program are as follows:
Tier 1: The first step in minimizing or eliminating risks is to know your risks. This first tier will require the SDPAA Member to enroll in the Dakota State University Project Boundary Fence program, which provides penetration testing of the SDPAA Member’s cyber infrastructure free of charge. This testing identifies the ways a cyber attacker could possibly penetrate your system. Please contact Dakota State University at projectboundaryfence@dsu.edu regarding these services and please visit https://dsu.edu/boundary-fence/ for more information. Their testing schedule is currently about ten months out from the time of enrollment to the time of conducting the testing due to its popularity with local governments in SD (thank you DSU!). The U.S. Cybersecurity & Infrastructure Security Agency (CISA), an operational component of the U.S. Department of Homeland Security, has offered to assist DSU in conducting this testing so every SDPAA Member should be able to have this testing completed within six months from the time of enrollment.
Please note the eligibility for this first tier’s credit is based on the SDPAA Member’s mere enrollment in the program, not on the completion of the testing. Many SDPAA Members have already enrolled in Project Boundary Fence so they would be automatically eligible for this first tier of the Cyber Credit program. This is one instance where being “on the fence” is a good thing in the public sector!
Tier 2: The next step in minimizing or eliminating risks is to prepare and plan for any anticipated risks. This second tier will require each SDPAA Member to designate a “cyber representative” for their entity. Many SDPAA Members do not have an internal IT person and are many miles from the nearest IT vendor. The cyber rep does not need to be an IT expert, but can be anyone within your organization who is willing to invest a few hours in becoming a point of contact for your public entity. The cyber rep can be your local IT vendor if you are fortunate to have one available. The cyber rep will complete a free training on “phishing emails” provided jointly by CISA and the State of South Dakota at one of several upcoming workshops this year. This phishing emails training will also have a virtual delivery format if your cyber rep cannot personally attend one of those workshops. Links to additional free training and other resources for the cyber rep and everyone else in your organization will be posted on the SDPAA website at sdpaaonline.org. The cyber rep will need to acquire a basic level of cyber vocabulary to be able to assist the experts when a possible breach of your cyber infrastructure is suspected to have occurred. This basic level of understanding can be achieved by participating in-person or virtually in a few short hours of free trainings.
The cyber rep will also receive regular alerts on possible security risks and upcoming free trainings for their entire organization. The cyber rep is expected to encourage your entire team to take some of the free trainings available to create a “human firewall” to better protect your organization.
The cyber rep will also need to spearhead the formation and adoption of your entity’s Cyber Incident Response Plan (Plan). This Plan will be similar to other incident response plans your entity has developed for natural disasters, but it will be geared towards cyber infrastructure risks. CISA will provide suggested templates for developing your Plan, along with free training resources. CISA will also be available to individually assist your cyber rep in drafting your Plan. To be eligible for this tier, SDPAA Members will need to adopt the Plan and demonstrate they will conduct “table top exercises” at regular intervals, like you do with other incident response plans. CISA will assist in developing these cyber incident table top exercises.
Tier 3: The final step is implementing the necessary measures to manage that risk. This third tier will provide future credit in recognition of your purchases of cyber hardware/software and other related measures to enhance your cyber security as recommended by the individualized penetration testing from Tier 1. These security measures could include, but are not limited to, installing or improving data back-up systems, purchasing new or updated software and installing any patches, and implementing measures for multi-factor authentication for all your systems. These three security measures will greatly enhance your organization’s ability to protect itself.
The SDPAA hopes this new program will lead to greater risk management and a reduction of cyber risks for SDPAA Members. If you have any questions or would like your public entity to explore becoming a Member of the SDPAA, please contact the SDPAA at 800-658-3633 option 2 or by email at sdpaa@sdmunicipalleague.org.