After all, insurance comes into play after the disaster strikes, and it cannot fully undo the damage, much like auto insurance doesn’t stop the car crash, said panelist Alan Shark, executive director of CompTIA’s Public Technology Institute (PTI), a membership group offering research, professional development and consulting for local government.
And when a government agency or critical infrastructure entity is the one hit, the “car crash” is widely felt.
“Do your best to not be the one that shuts down the city or the energy sector,” said Kevin Walsh, director of the Government Accountability Office (GAO)’s Information Technology and Cybersecurity team. “Insurance is the backup for when things go wrong… Cyber insurance is plan D or E or Z — that’s for if everything else has failed.”
Agencies may get more bang for their buck by focusing first on cyber defense strategies and tools that could make successful attacks scarcer and their impacts milder.
“The cyber defense is by far the most important thing one can do,” Shark said, although he noted insurance is still helpful.
This idea has been getting more focus, and GovTech recently reported on a risk modeling tool intended to help local government make these kinds of spending decisions. That tool helps estimate chances of financial loss to cyber incidents and how far different investments in defense and insurance could go toward reducing such damages.
So where should governments be spending their cyber money and time?
Panelists’ discussions highlighted several key priorities: cyber posture assessments, incident planning, awareness training and layered defenses.
STARTING WITH A PLAN
Governments need a firm understanding of what they’re trying to protect, and that starts by taking an inventory of their data, assets, systems and current strategies, Shark said. They need to know things like how many endpoints they have and who can access them, what backup practices are in place, what kind of continuing education and certifications staff have been getting and whether any tools are in place to monitor for intrusions.
Walsh also said agencies should inventory their data, including identifying what needs the most protection because it would be particularly disruptive, embarrassing or harmful if made inaccessible or leaked.
Detailing out this kind of information can help agencies recognize gaps to address. In that vein, cyber insurers’ increasingly lengthy questionnaires — which ask about agencies’ cyber postures — can reveal useful insights, even if applicants get rejected, Shark said. He recommended hiring a third party to provide cyber risk assessments.
Governments first need to ensure they have up-to-date incident response plans that address cyber events, said Orange County, Fla., CISO Peter Miller.
Shark recommended testing such plans through tabletop exercises so participants can discover details they may have overlooked. For example, exercises may prompt participants to consider how they’d reach out for help if malware took down their voice over Internet protocol (VoIP) access and how they’d communicate with the public if websites were down.
Incident response plans must include backup strategies, too, Miller said.
“Everyone says, ‘Oh, yeah, we have everything backed up, it’s fine,’” Miller said. “Well, do you have enough backup people? Do you know how long it’s going to take you to restore not one system, not two — but if you’re hit with ransomware and you lose 10 major systems and have to bring them all up at the same time, what’s that going to entail?”
UPDATED TRAINING
The right training approaches can also make significant impact on cybersecurity, panelists said.
Governments are increasingly using cloud technologies, which introduce a new set of cybersecurity concerns. That’s a problem if staff were only taught to protect more traditional setups, so organizations need to make sure they get updated training, Miller said.
“A lot of staff are getting thrown into new areas like cloud technology and dealing with endpoints without the specific training or they just have traditional networking training,” Miller said.
And training doesn’t just stop at IT. Hackers continue to use phishing or other social engineering to get purchase on a network, and so agencies need to ensure their whole workforce is being educated about how to spot such ploys. Shark recommended continually sending users reminders and informational updates, not just offering annual trainings.
LIMITS AND LAYERS
Governments can also reduce users’ chances to make mistakes. Miller recommended blocking users on their networks from accessing websites that may be risky, such as those from Russia or China, for example.
Using layered defenses — rather than just relying on one or two measures — also gives an organization more opportunities to stop or limit an attack because hackers who manage to thwart one defense may still be defeated by another, Miller said.
He also recommended adopting zero-trust security approaches. These see agencies requiring even familiar users to authenticate themselves before getting access to enterprise resources and limiting users’ access to only those data and systems they absolutely need — rather than to everything on the network. The goal is to constrain the amount of damage hackers could do, even if they managed to penetrate the network.
