Cybersecurity is a significant issue in local governments because so many external systems need to connect with the public. For example, Impact Makers’ Vice President Joe Pugh remembers from his ten years serving at Chesterfield County that they had forty-seven lines of business. All forty-seven entities interacted directly with the public, requiring the IT department to coordinate with external vendors with hosted systems. Because they were constantly launching new applications and payment services, making sure all of those external connections were secure was a challenge.
Managing IT risks is a matter of preserving credibility and image. Even if a security vulnerability isn’t a local government’s fault, assessing that risk and alerting the business sponsors when the application doesn’t pass a security test is still their responsibility. The citizen doesn’t know — or even care — whether it’s the local government’s or an external vendor’s fault that their payment information was exposed. The negative experience will taint their perception and diminish their trust in their local government agencies, regardless.
Running Cipher Checks to Assess IT Risk in Local Government
Local government IT departments commonly run cipher checks on hosted sites to verify they’re on a specific code set, ensuring that the connection is secure and that there isn’t a risk to the citizen or the constituent. IT department staff use online tools to check the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) configuration for vulnerabilities and weak ciphers. They scrutinize SSL certificate details and measure the security of SSL/TLS implementations.
Certain data classifications, such as PCI (Payment Card Industry), require stricter adherence to the latest implementations of TLS. Some vendors are slower to adopt new versions of TLS, but the onus is still on the municipal authority’s IT department to remain compliant.
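The kind of cipher check described above can be scripted for recurring runs. The following is an added example, not code from the article or from Impact Makers: `probe()` records what a hosted site negotiates, and `evaluate()` compares it with a per-classification policy. The policy thresholds, tier names and sample hosts are assumptions made for illustration.

```python
import socket
import ssl

TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = ("RC4", "DES", "NULL", "EXP", "MD5")  # substrings of OpenSSL suite names
AEAD = ("GCM", "CHACHA20", "CCM")
# Assumed policy for illustration; substitute the agency's own standard.
POLICY = {
    "standard": {"min_tls": "TLSv1.2", "aead_only": False, "min_cert_days": 14},
    "pci": {"min_tls": "TLSv1.2", "aead_only": True, "min_cert_days": 30},
}

def probe(host, port=443, timeout=5.0):
    """Handshake with a hosted site and record what was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            expires = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            return {"tls": tls.version(), "cipher": tls.cipher()[0],
                    "cert_expires": expires}

def evaluate(obs, tier, now):
    """Return a list of findings; an empty list means the check passed."""
    rule, findings = POLICY[tier], []
    known = obs["tls"] in TLS_ORDER
    if not known or TLS_ORDER.index(obs["tls"]) < TLS_ORDER.index(rule["min_tls"]):
        findings.append(f"protocol {obs['tls']} is below {rule['min_tls']}")
    name = obs["cipher"].upper()
    if any(m in name for m in WEAK):
        findings.append(f"weak cipher {obs['cipher']}")
    elif rule["aead_only"] and not any(m in name for m in AEAD):
        findings.append(f"non-AEAD cipher {obs['cipher']} on {tier} system")
    days_left = (obs["cert_expires"] - now) // 86400
    if days_left < rule["min_cert_days"]:
        findings.append(f"certificate expires in {days_left} days")
    return findings

# Constructed observations in the shape probe() returns (no network needed).
NOW = 1_700_000_000
DAY = 86400
SAMPLES = [
    ("payments-vendor", "pci", {"tls": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES128-SHA", "cert_expires": NOW + 90 * DAY}),
    ("parks-booking", "standard", {"tls": "TLSv1.3",
     "cipher": "TLS_AES_256_GCM_SHA384", "cert_expires": NOW + 90 * DAY}),
    ("legacy-permits", "standard", {"tls": "TLSv1",
     "cipher": "DES-CBC3-SHA", "cert_expires": NOW + 10 * DAY}),
]

if __name__ == "__main__":
    for name, tier, obs in SAMPLES:
        print(name, tier, evaluate(obs, tier, NOW) or "PASS")
```

A single handshake shows only the parameters negotiated with this client, not every protocol version and suite the server would accept; the online scanners the article mentions enumerate those.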
A municipality’s IT staff must assess the security tests as new systems and applications are brought into their portfolio and attempt to schedule the tests regularly, at least annually. While the test may have checked out initially, scheduling recurring annual tests is essential because the technology behind each solution changes over time, and the risks change with it.
IT departments in local governments must categorize which systems and applications are the most high-risk. They assess the data and classify the systems and applications through the lens of, “If this was to be breached or exposed, what is the impact?” A risk analysis determines its liability and how much of the system is susceptible. Then a security test is scheduled at least annually for the ones that are high-risk and slightly less frequently for those deemed less high-risk.
Gauging a Local Government Agency’s IT Maturity
Are you doing cybersecurity penetration tests regularly? Do you have staff that is dedicated to doing that type of work? Are you bringing on professional services to assist in areas that might be outside of the expertise of your staff? Answering these questions can help a local government determine its IT maturity. Furthermore, local governments vary in size, which plays a significant role in what they can accomplish internally. Some local governments have a CISO (Chief Information Security Officer). Others have to rely more on outside help.
Regardless of their ability to execute a robust IT security program internally, local government IT departments understand that cybersecurity and managing risk and vulnerabilities are critical.
Roadblocks to Achieving IT Maturity in Local Government
Security awareness can become a roadblock to IT maturity, so it becomes a priority to educate people on the risk associated with these types of vulnerabilities. Staffing can also be a roadblock to IT maturity because there isn’t always enough staff to properly assess risk all the time. Fortunately, managing IT risk is often a priority in the budget requests for local governments, so finding the financial resources to progress an entity’s IT maturity is rarely an issue.
How Impact Makers Helps Local Governments Mitigate IT Risk & Accelerate IT Maturity
Impact Makers helps municipalities mitigate IT risk by providing a diverse pool of knowledge and expertise. Many of our team members previously worked in local government and intimately understand the challenges and frustrations faced by their IT departments. We often serve as fractional CISOs for small municipalities, in addition to supplementing the expertise of larger ones. Impact Makers also helps municipal authorities budget for the appropriate strategies to minimize risk.
Because we have a deep and comprehensive understanding of the challenges often faced by local governments and the services they offer, we’ve developed repeatable analyses. We provide IT departments with a repeatable process and offer them valuable insights based on our personal experience in the public sector and our work with other public sector clients. Local governments don’t always have the exposure to other government entities to learn from their mistakes and triumphs, so we help bridge that information gap.
In addition to risk mitigation, Impact Makers also helps local governments accelerate their IT maturity by offering experienced resources and dedicated services. We provide process improvements and best practices, allowing administrations to stay on the cutting edge of technology to best serve their citizens.
If you work in local government and believe your agency could benefit from external resources for IT risk mitigation and IT maturity acceleration, Impact Makers would like to offer you a no-obligation consultation. Get in touch today to start uncovering gaps in your IT security strategy and identifying opportunities for technology advancements.