A cybersecurity panel discussion was presented that featured MCP’s Matt Yates, our director of cybersecurity operations, and Richard Osborne, our director of commercial cybersecurity services. The discussion was wide-ranging, covering how cyberattackers and their tactics are evolving, what organizations should do if they have limited internal cybersecurity resources, and today’s scariest trends. (Click here to view all sessions on demand, including this session entitled, “This Year’s Cyber Landscape: What We’ve Learned.”)
In this blog, I want to focus on the biggest mistakes that public-sector organizations make concerning cybersecurity. If I were writing this blog a year ago, maybe as recently as six months ago, I would be exploring the fact that public-safety and justice entities aren’t taking the threat seriously enough.
For a very long time, they seemed to believe that cyberattackers would only target the private sector for their ransomware attacks — the most prevalent attack vector by far, though that is beginning to change — because that’s where the deep pockets exist capable of paying hefty ransoms to decrypt their files. However, it has become clear that public-sector organizations also are in the crosshairs, so they finally are starting to proactively guard against cyberattacks — better late than never, I suppose.
While this is a big step in the right direction, it also is quite clear that public-sector organizations need direction in terms of effectively doing so. The following are a few of the most egregious mistakes they make:
Failing to implement the recommendations of CISA and NIST — The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) offer tremendous information that can be used in the fight against cyberattackers, but it’s falling by the wayside in many cases.
Generally, this is occurring in public-sector organizations that exist in smaller municipalities and counties, primarily because they lack the internal resources necessary to fully understand the recommendations, much less implement them. This is not a criticism — the CISA and NIST recommendations are quite complex. If your organization is struggling in this way, please reach out to me — MCP has a team of seasoned cybersecurity subject-matter experts who can help you navigate the complexities.
Acting reactively, rather than proactively — Even though more public-sector organizations are waking up to the cybersecurity threat, they often fail to heed advisories or apply patches and updates designed to strengthen their defenses as soon as they’re available. (MCP regularly issues threat advisories as well as a monthly cybersecurity newsletter — click here to join the distribution list(s).)
This failure is understandable to a certain degree, especially in the public-safety sector, where saving lives is the mission. Consequently, anything that diverts focus and resources away from that vital mission usually is met with resistance. However, it is critical that the law-enforcement, fire/rescue, emergency medical, and 911 communities begin to grasp the reality that a cyberattack could impede their ability to fulfill their mission. As the adage goes, an ounce of prevention is worth a pound of cure. That said, organizations also need to plan for when a cyberattack occurs by developing and regularly updating an incident-response plan.
Viewing cybersecurity as a “check-the-box” endeavor — Public-sector organizations often look at cybersecurity with a compliance perspective, i.e., as something they need to do to meet a state or federal requirement, one that often is tied to funding. Then they lose sight of the ball, which is very dangerous.
We see this a lot in terms of network and system monitoring. They implement it and then think, “that box is checked — time to move on to something else.” The problem is that, while effective, monitoring will alert only when a breach has occurred — which is far too late. Instead, organizations need to approach cybersecurity comprehensively and combine monitoring with a slew of other preventive strategies and tactics, such as access controls, penetration tests, and vulnerability scans.
Said another way, the cybersecurity box never can be checked off.
On the other hand, it is important that public-sector organizations understand that no matter what they do, they’ll never get ahead of the cyberattackers. But they shouldn’t let this fact discourage them. Some organizations think that a cyberattack, for this reason, is a fait accompli, i.e., an inevitable event. This type of thinking might be the biggest mistake of all. The goal of any comprehensive cybersecurity strategic plan is to do enough to cause the cyberattacker to bypass your organization and move on to another.
MCP’s cybersecurity team can help you do this — please reach out.
Jason Franks is an MCP cybersecurity analyst. Email him at JasonFranks@MissionCriticalPartners.com.