This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
We secure our cars, but we don’t drive Batmobiles. We like to unlock our car doors with one click but it’s still possible for a criminal to smash the window and grab something inside. It’s a trade-off.
We secure our homes, but we don’t live in a fortress with a moat surrounding it. We can unlock our doors with a key and perhaps a security system with an easy-to-remember code. Yet, if someone really wants to enter your home, it’s still possible. It’s a trade-off.
Similarly, your information technology needs to allow your city staff to easily perform work while keeping them secure. Sure, you could remove all access to the internet—but then you would get very little done. Sure, you could whitelist every single website that employees visit—but that takes excessive oversight and IT support.
What’s the right balance? If you are too lax with your information security, then you make yourself an easy target for bad actors (such as hackers). If you are too strict, then employees become unproductive, frustrated, and trapped.
Here are a few best practices that can help you balance both user productivity and security.
1. Monitoring and alerting for suspicious activity
Monitoring and alerting technology, coupled with proactive IT, provides early identification of suspicious activity and anomalous incidents before they become serious. For example:
- An employee’s email account is being accessed remotely from Kazakhstan.
- A large download or upload of data starts occurring in the middle of the night.
By proactively noting suspicious activity, you may be able to stop a data breach or data loss before it happens.
2. Enterprise-grade antivirus
Enterprise-grade antivirus is quite good at shielding and blocking obvious risks when employees accidentally do something wrong. This software will flag and stop many viruses before they are activated, and it will also help prevent employees from entering suspicious websites or clicking on malicious email attachments. It’s not perfect, but antivirus software stops a lot of obvious breaches that result from employee error.
3. Patch management, software upgrades, and browser security
In addition to antivirus software, patching and upgrading your other software helps prevent employees from exposing your city to a virus or data breach. Patches often contain fixes to security vulnerabilities, and up-to-date software is built more securely than older software. Your accounting, office productivity, operating system, web browser, and other software all need regular patching and updating.
For example, keeping modern browsers up-to-date (such as Chrome, Firefox, or Edge) ensures that each browser’s built-in virus and malware protection helps prevent users from entering risky websites. When a user clicks on a bad website, a clear warning will often appear. It is important to keep your browsers updated to the latest version and with the latest patches.
4. Access and authorization
At a policy level, you need to restrict access to your software applications and data. Each person should be assigned the least security privileges required for them to do their job. For the sake of ease, many cities grant administrative access (or full access) to many employees, even if those employees should not have access to sensitive information. By restricting access, you mitigate the risk of stolen, deleted, or corrupted data.
5. Wireless network security
It’s not uncommon to encounter an easily compromised wireless access point at a city. Warning signs include:
- No password needed to connect.
- An unencrypted or weakly encrypted connection.
- A default admin password identified in the original wireless access point packaging.
It’s essential that you require employees (and everyone) to log into a secure wireless network that you host. Also, make sure that wireless access points are set up by authorized IT staff or an IT vendor.
6. Physical access
Not just any employee should be able to wander into a server room or have physical access to a computer. Protecting equipment through locks, encryption, and passwords is a sensible security precaution.
7. Application controls
Software that deals with important data needs controls over data input, processing, and output. Otherwise, employees could accidentally (or intentionally) delete, alter without logging, corrupt, or even steal data. You also don’t want users seeing data they should not be able to see.
8. Content filtering
Content filtering can help block bad websites—and unfortunately many good websites. Whitelisting websites is very secure but it’s a pain for employees as they must submit many legitimate websites to someone within the city for approval. However, certain temp employees or employees focused on simple tasks may not need full internet browsing to do their jobs. Content filtering may work well to keep them focused.
9. Creative training
Employee error is the root cause of a high percentage of data breaches, viruses, and permanently lost data. All it takes is one employee to click on a malicious email attachment or website and you’ve got a potential data breach on your hands.
Consider training that is:
- Ongoing: This helps reinforce cybersecurity lessons for existing employees while training new employees.
- Test-oriented: For example, IT can periodically test city employees with mock phishing attacks to see if employees will click on malicious emails. If a user gets fooled, especially multiple times, they may need extra training.
- Leader-oriented: City leaders such as the city manager, city clerk, and department heads need to buy into the importance of cybersecurity training. Otherwise, no one will take it seriously.
These best practices will help you balance employee productivity with security in a way that won’t overwhelm or slow employees down.