A 2017 article from LGR: Local Government Review (powered by TownCloud) discussed barriers that might hinder local governments from achieving high levels of cybersecurity. Of 13 possible barriers with regard to support, training, staffing, cybersecurity awareness, end-user accountability, and the federated structure of local government, one of the biggest barriers is the lack of adequately trained cybersecurity personnel.
In this Q&A, ICMA sat down with Battle Creek's (BC) City Manager Rebecca Fleury and IT Director Charles Norton to discuss cybersecurity awareness training strategies effectively placed within their organization, as well as best practices that other local government leaders can apply to create and to maintain a culture of cybersecurity.
ICMA: How would you summarize today’s cyber environment in local government? What do you find to be the greatest risks?
BC: Without a doubt, user education and security awareness are the greatest risks to technology and cybersecurity. Threats and attack methods evolve daily, and keeping the general employee base current on how to avoid those threats is a serious challenge. Local governments across the state are struggling to shift the conversation from the idea that security is an “IT problem” to the idea that security needs to be addressed at every corner of the organization.
ICMA: Local governments face many cyber threats as of late. How challenging is it for information technology teams to identify and respond to actual or potential threats?
BC: The job of IT to evaluate, identify, and respond to threats is an extremely difficult one. Ransomware, malware, intrusion detection, and intrusion prevention are constant concerns. Identifying which threats are real and which are just noise is a daunting task that requires constant vigilance.
ICMA: Properly trained employees are the first line of defense in a cyber attack. Tell us the steps you have taken to change Battle Creek’s risk culture so that employees understand the role they play in keeping systems safe.
BC: Working with the vocal support of executive city management and human resources, we began recurring cybersecurity awareness training in 2015. While there are many off-the-shelf training packages available, we chose to build our own in-house training materials around a free learning management system commonly used in higher education. This also allowed us to custom tailor the content to our staff and environment, using examples drawn directly from our own experiences. This freeware application has been effective to date, but it does lack many of the reporting and compliance tools some of the commercial platforms offer.
We have instituted a desktop “virus counter” that displays the number of days since the last security incident on the desktop of all city computers. It began as a conversation piece that was meant to keep people talking about security, but it has evolved into more than that. It has been surprisingly well received, and many staff members have expressed that they do not want to be the one who “resets the counter.”
We also performed our own in-house phishing attack shortly after our first round of awareness training. The goal was to determine how effective our training had been, and we experienced an approximate success rate of 92 percent. While encouraging, and significantly higher than most organizations on average, the results still showed that 8 percent of the organization was extremely susceptible to phishing and other spam emails.
ICMA: What are some important guidelines local governments should follow when implementing a cybersecurity training program for employees?
BC: Vocal, consistent, and outspoken support must come from the top of the organizational hierarchy for any training to be successful. The content delivery should strive for a balance between meaningful, impactful training and oversaturation. Then, test that training by setting up real-world scenarios for employees. As the most common attack vectors are spam, phishing, and social engineering, those avenues need to be tested to ensure that the awareness training was truly effective. Identify those staff members who might need extra training and help them get on board with security awareness.
ICMA: How did you convince the board that investing in and budgeting for cybersecurity training awareness programs are necessary for countering threats?
BC: We are using a freeware application, so our costs have been minimal so far. For the next cycle of training, I would like to look toward a commercial offering that combines training, testing, reporting, and compliance functions into one application. As most of those offerings are extremely cost-effective for an organization our size, I do not anticipate much pushback; however, my discussion points will center around the effectiveness of our overall security awareness training so far, in addition to the benefits of moving to a commercial platform. Citing real-world examples of data loss (e.g., Equifax, Target, and so forth) provides a clear illustration of both the financial and the branding risks to any organization.
ICMA: Organizations struggle to understand how to measure the return on investment on cybersecurity. How have you measured its effectiveness?
BC: Much like justifying the ROI of a life insurance policy, measuring the ROI on cybersecurity will always be a challenge. For hard numbers, metrics like phishing campaign results, threat detections, and spam instances can all be tracked. Any investments in new security technology or programs should be clearly justified by measurable metrics beforehand. Those programs also need to be carefully evaluated throughout their lifecycle to ensure that those metrics trend in the desired direction and to the required level.
We have measured metrics like those outlined above and have seen a significant improvement in them since beginning our security awareness program in 2015.
ICMA: Do you have any leadership tips for local government managers?
BC: As with any initiative, support for cybersecurity must come from the top down. Most staff members just want to focus on doing their jobs the best they can every day. To those people, cybersecurity can be an uncomfortable, inconvenient, and bothersome topic. Leadership must work to instill a sense of pride and ownership in the sanctity of the organization’s information. Only by doing so does cybersecurity shift from being a pain point to an intrinsic value that is grown and fostered organically throughout the organization.