Building a national approach to public sector cybersecurity
Ransomware attacks are on the rise, with larger incidents hitting state and federal departments across the country every week, often halting everyday services that constituents need.
While many state and federal information technology leaders believe ransomware has become a formidable threat, less than half have an incident response plan in place. This gap is costing taxpayers a significant amount of money while, at the same time, threatening vital services.
The ongoing risk of organisations adhering to ransomware payouts is that you often signal yourself to more bad actors as an easier target because of your organisation’s lack of proper cyber hygiene best practices and willingness to comply with demands. What’s more troublesome is that when you pay a ransom, the originating criminals will often leave behind a back door to return later and hold your network hostage again.
State and Federal governments around the world often turn to cyber insurance to counter these nation-state-level cyberattacks, which are beginning to come with higher premiums.
Who creates whole-of-state cybersecurity policies?
Whole-of-state cybersecurity programs are ultimately collaborations among various government entities, each of which is responsible for its own cybersecurity policies.
Often these entities haven’t worked closely together on cybersecurity initiatives before, so the first step is bringing representatives from these groups together, making introductions, and beginning to build trust among stakeholders. Setting up this team can take time.
It’s important that this cross-organisational team be an independent organisation focused on governance and not simply a tiger team of IT engineers who have been traditionally responsible for implementing cybersecurity controls themselves. In addition, policymakers should be distinct from those who implement the policies made. This helps ensures that policies are rigorous, based on industry best practices and the latest threat intelligence, and that compliance, however well intended, isn’t simply a matter of rubber-stamped reporting.
This separation of duties represents a dramatic shift. IT teams might have been responsible for drafting policies, implementing them, and self-attesting that they comply with those policies. By separating these duties we are striving to make policies more comprehensive and rigorous and to hold IT teams responsible for implementing them in a way that can be measured objectively.
Governance and policymaking for a whole-of-state strategy
IT leaders don’t have to start from scratch when it comes to drafting effective cybersecurity policies. Instead, they can draw on established policy frameworks. Using these frameworks, policy teams can establish standards for good cyber hygiene, determine acceptable thresholds for risks, and define policies that can be enforced over time to realise those standards and address high-priority risks. An alternative approach is to define a high-priority list of best practices for everyone to follow.
Proactive cyber hygiene for real-time visibility
An organisation’s absolute first line of defence is the proactive cyber hygiene measures taken to prevent access in the first place. You cannot protect what you cannot see. It’s important to have maximum visibility — a common security measure — into your endpoints.
But there’s no one size fits all solution, so taking that action starts with integrating and automating standardised tools across the security and IT operations environment with a central platform that both teams can work from. With this approach, both the IT and security organisations can gain real-time visibility into what is connected to their network, where sensitive data may exist, allowing them to remediate any issues found in the process.
Preparedness for data recovery
IT security professionals — no matter the agency level, type, or size — should assume that a ransomware act will inevitably occur at some point. That makes data recovery best practices your last line of defence.
It’s become critically important to not just back up your data storage systems but also to backup your network and firewall configurations as well. Applying “air gap” technology best practices will allow you to separate a copy of your backup data from your affected environments. If the day comes when you are hit by ransomware, your organisation will be able to rebuild your devices and save your data with limited disruption.
How often an organisation should back up its data depends on the organisation’s mission. Archival data, for instance, that isn’t critical to mission operations will fall under less frequent needs. But backups for systems that are critical to citizen services — such as public safety, healthcare, payroll, financial assistance, and corrections — should be maintained as frequently as possible. If those systems are unavailable, the impact on society at large can be very dire.
Strategic alliances across state and national organisations
Organisations across your nation are grappling with how to reduce their IT risk. But many struggle with a fragmented governance structure, lack of streamlined policies and procedures, and have little certainty of how to truly validate the level of cyber hygiene at scale — not to mention operating under tight budgets for talent and tools to keep up with modern cyber threats.
Additionally, many local institutions have some connectivity back to the state level and interface with state or federal systems. In any security situation, you’re only as strong as your weakest link. So, if any single entity connected to your network does not have robust cyber hygiene programs in place, then you’re at risk.
A whole-of-state or whole of country approach to cybersecurity allows a state or country to provide support for cybersecurity management for smaller local government entities — whether by offering pre-approved tools, key threat intelligence and secure reporting, training, or generalised funding in the form of grants — to help bolster cyber defences across all levels of government.
This approach encourages information sharing across the whole-of-state or whole-of-country enterprise and provides a higher level of visibility into cybersecurity practices across the state to achieve a more secure government, easing budgetary restraints on smaller, less-funded entities.
But the whole-of-state or whole-of-country vision is no easy feat. To get it right, states or countries must apply that same model of uniformity at the state-wide agency level first before they expand on the local and tribal levels. A solid example in motion is the State of California’s Cal-Secure plan, the state’s first long-term roadmap to direct and decide cybersecurity strategies across state agencies. This multi-year plan establishes state-wide cybersecurity standards, defence protocols, and a consolidated patchwork of cybersecurity technologies in prioritised implementation phases to safeguard the state’s critical infrastructure.
If states can get it right on both commitment levels, that two-tiered approach will be the most successful path to warding off ransomware attacks. The ultimate outcome for a successful defence against ransomware will be the same — a common security posture.