Best Practices for Cybersecurity
Creating a Culture of Cybersecurity
One of the best practices is creating a culture of cybersecurity in your organization. Strategically speaking, a culture of cybersecurity means that elected officials and top managers fully embrace and support cybersecurity and play important roles in it, including, but not limited to, practicing it appropriately, insisting that others in government do so as well, and holding all accountable when they do not.
What does that look like in action? This could be done in several ways:
- At a minimum, some type of annual training.
- A quick discussion of a recent phishing example during weekly meetings.
- Proactive phishing exercises with an emphasis on training and learning.
- Sharing articles with managers.
Don’t wait for the perfect training. Just start somewhere.
Lack of Funding
Second, local governments must address their lack of funding, which is ranked as one of the top barriers faced by everyone.
- Begin your efforts with no and low-cost basics such as adopting and implementing cybersecurity policies and end user training.
- Before your local entity can ask for more money for its cybersecurity budget, you must gain an understanding of your organization’s critical missions and what supports them. This is often best achieved by simply starting with a risk assessment. This CANNOT just be completed by the IT department or the third-party IT vendor the city or county uses. It must be a joint project between management and technical staff.
- Remember: the risk is owned by the business, which is ultimately responsible for it.
Cybersecurity Frameworks and Controls
There are several nationally (and internationally) recognized guides for maturing your cybersecurity efforts.
The NIST Cybersecurity Framework is a guide intended for all organizations regardless of sector or size. Organizations will vary in how they customize the practices described in this document. Organizations can determine the activities that are important to critical service delivery and can prioritize investments to maximize impact. It is one of several cybersecurity frameworks available to your organization. These frameworks outline steps that organizations of all sizes and business practices use to implement best practices.
The CIS Critical Security Controls (CIS Controls) are a set of best practices for computer security. They are developed by a global IT community and provide specific and actionable ways to protect organizations and their data from known cyber-attack vectors. There are 18 CIS Controls, which cover various aspects of cybersecurity and help defeat over 85% of common attacks. The CIS Controls are trusted by security leaders in both the private and public sector and support compliance in a multi-framework environment.
- These controls are what the Illinois Cyber Navigator program uses for risk assessments of local units of government.
The "I Don't Know"
It is very important for both IT and management to identify what you “don’t know”. Sweeping it under the rug or not addressing it only creates space for attackers to take advantage of your organization.
- A risk assessment can generally help you learn what you don’t know, as well as clear up misunderstandings about what you think you know about your organization.