Georgia Data Breach Provides Lessons for Cities

If your city hasn’t yet experienced a major data breach, it may just be a matter of time. In fact, it's already happened to a city in Georgia. Your city can implement some best practices that will lessen the risk of exposing your citizens’ personal information to hackers or unauthorized individuals.
 

Practice Proper Cyber Hygiene

You shower and brush your teeth every day. You change the oil in your car every few months. You clean your house regularly. Similarly, information technology systems require “cyber hygiene”—a series of ongoing tasks and processes that mitigate the risk of a data breach. Three major cyber hygiene tasks include:
 

• Antivirus: Enterprise-class antivirus overseen and managed by IT professionals is necessary to block dangerous viruses that employees may download by accident when browsing the internet or checking their email.
• Software patching and updates: Even massive ransomware attacks like WannaCry mostly hurt organizations that did not apply basic, regular software patches. If organizations had simply patched their software, they would not have been vulnerable to WannaCry or many other threats. Applying software patches and updates is one of the most important cyber hygiene tasks that help prevent data breaches.
• Data backup and disaster recovery: Unfortunately, even your best defenses may get breached. For example, a user may open an attachment or click on a link that unleashes a virus—mistakenly letting a hacker right in the door. In addition to stolen and exposed data, your data may also get deleted, corrupted, or held for ransom by an attacker. To alleviate the risk of permanently lost data, you need a data backup and disaster recovery plan that ensures you can recover your data in a worst-case scenario.

Implement Strict Policies to Help You Comply with the Law

How is your city specifically protecting citizens’ personal information? Policies around vendor contracts and management, network security, wireless security, physical access security, logical access security, disaster recovery, and application controls (such as data input, processing, and output) are needed to prevent unauthorized users from accessing sensitive information

It’s not uncommon to encounter cities that don’t have clear policies about authorized access. The result? Situations where too many people have administrative access, passwords are weak, and information is not properly encrypted and secured.
 

Increasing Your Ability to Identify a Breach

The longer it takes to discover a breach, the more scrutiny you will receive when it’s revealed to the public. A data breach can go undetected when an organization does not have a proactive IT mindset that includes:
 

• Ongoing monitoring and alerting of systems: A blend of automated software and the oversight of your systems by IT engineers is needed to detect issues such as suspicious activity.
• Proactive management of applications and systems, vendor access, network access, wireless access, physical access, and user access to ensure that only authorized users are accessing your systems.

Transparently Notifying Your Citizens after a Data Breach

Many state data breach notification laws require that you contact anyone affected. Laws vary by state but usually you will need to let victims know what happened, what information was breached, and what you are doing to remedy the situation. The Georgia city from our introduction sent out a letter to citizens that described the incident, tips on how to protect themselves, and free credit monitoring.

---

Especially after the Equifax data breach, people are more wary and distrustful of organizations that seem slack in protecting their sensitive data. Cities are stewards of sensitive citizen information. Many data breaches can be prevented by basic cyber hygiene that follow the steps above along with providing regular ongoing training for your staff. And remember, it’s also essential to have a data backup and disaster recovery plan in case hackers delete or destroy data as part of a breach.