October is National Cybersecurity Awareness Month. We local governments have the dubious distinction of being one of the most successful targets for hackers. For years, SDPAA Members have enjoyed the benefits of the cyber liability coverage that is included with participation in the SDPAA’s liability program. Unfortunately, cyber liability coverage is becoming harder for everyone to obtain because of much higher pricing and decreasing availability. The SDPAA recently distributed a cyber survey to ascertain each Member entity’s level of technology to help obtain quotes for cyber coverage. The SDPAA’s 437 Members will leverage their collective buying power to hopefully continue this coverage, but as of this writing we cannot predict whether we can secure it.
As you know, the SDPAA has teamed with Dakota State University (DSU), which is using funding provided by the SD Attorney General’s Office of Consumer Protection to provide cybersecurity assessments for local governments in South Dakota. Please sign up for this free service if you have not done so already. DSU can be contacted at projectboundaryfence@dsu.edu regarding these services, and you can visit https://dsu.edu/boundary-fence for more information. These assessments will identify the remediation efforts your entity needs to implement to protect itself from cyber threats.
Cybersecurity remediation efforts can be a considerable investment but cannot be delayed or ignored. Federal funding for cybersecurity for state and local governments has been increased under the auspices of the U.S. Department of Homeland Security (DHS). More funding may soon become available in the form of federal grants, which have historically required applicants to complete the Nationwide Cybersecurity Review (NCSR) survey in order to be eligible. The cybersecurity assessments conducted by DSU will help prepare your entity for completing that survey.
While waiting for your cybersecurity assessment, please take these immediate steps to instill the proper “cyber hygiene” protocols within your organization:
- Update your policies – Update (or implement) policies for teleworking practices, system inventories, and acceptable use agreements. Ensure your team understands which systems to use for their job functions and how to report any suspected incidents.
- Conduct regular cybersecurity trainings – The SDPAA will team with DSU and other cyber experts to provide you the materials and training you need to educate your team on properly accessing systems from remote environments, protecting passwords, recognizing phishing emails, using Multifactor Authentication (MFA), and other topics. The SDPAA’s online training library, provided through its vendor Safety Benefits, Inc., contains training on these issues, with more to come. On a quarterly basis, hold a safety meeting with your team to view one of those training sessions and discuss it afterwards to improve everyone’s cyber awareness. Remember, your chain of cybersecurity is only as strong as its weakest link. Most successful attacks occur because one person in the organization unknowingly clicked on a suspicious email link or attachment. Heightened cyber awareness for each member of your team significantly decreases the likelihood of that bad outcome. A best practice already imposed by the State Government and some SDPAA Members requires team members to successfully complete regular trainings to maintain access to their entity’s email system.
The U.S. Department of Homeland Security (DHS), whose operational component is the Cybersecurity and Infrastructure Security Agency (CISA), has an extensive collection of materials and resources, which can be accessed at www.cisa.gov. Other free training and education resources are available through a partnership with S.D. Public Broadcasting, the S.D. Department of Public Safety, and the State’s Bureau of Information Technology (BIT):
South Dakota Cybersecurity – Training & Education (sd.gov) (https://cybersecurity.sd.gov/trainingandeducation.aspx).
The above link contains four videos of approximately 15 minutes each on the fundamentals of cybersecurity in these four areas: 1) election security, 2) cyber hygiene, 3) incident response, and 4) phishing basics.
- Implement MFA – Systems housed in cloud or hosted environments can be accessed directly from team member devices outside of the office. Usernames and passwords could become compromised, which would allow hackers access to the system. MFA is an additional verification step that must be completed to gain access to cloud-based systems. Examples of MFA include unique codes delivered through cellphone apps, texts, or phone calls. When implemented, MFA is a great tool to protect your organization.
- Protect individual team member files – Consider implementing cloud or hosted environments such as OneDrive by Office 365 and educate your team to store their working files there. As an added safeguard, implement systems to back up these cloud systems.
- Ensure system updates are occurring and systems are patched accordingly – Many software developers provide ongoing updates to hardware and software in an attempt to outpace the vulnerabilities that hackers are exploiting. Update systems for remote team members on a regular basis as well.
- Free materials and resources for national cybersecurity awareness month can be found at: www.knowbe4.com/national-cyber-security-awareness-month-resources.
The SDPAA will continue working diligently to provide additional cyber resources to its Members in the coming months. If your public entity is not a Member of the SDPAA, please contact the SDPAA at 800-658-3633 option 2 or by email at sdpaa@sdmunicipalleague.org to inquire about all the services available to SDPAA Members on cybersecurity and so much more.
David Pfeifle
SDPAA Executive Director