6 Simple Ways County Supervisors Can Execute Cyber-Risk Oversight

Cyber-attacks are no longer limited to large corporations; they are occurring at local governments in our own backyard. This past year, multiple rural municipalities in California experienced cyber-attacks that compromised computer servers and delayed the provision of some public services. The impacts of such attacks can be significant, including payroll delays, loss of residents’ personal private information, fraudulent monetary wire transfers, an inability to provide civic services for days to weeks, and potential financial costs up into the millions of dollars. The growing frequency and sophistication of cyber-attacks makes an occurrence inevitable for most counties and therefore necessitates County Board of Supervisors oversight to ensure proper cyber-risk management.

By performing the following six steps, Board Supervisors can easily perform adequate and diligent oversight of their county’s cybersecurity posture.

1. Ensure a framework for cybersecurity success is in place and functioning. Cyber-risk is a business issue and should be managed with organizational infrastructure, just as counties do with all other risks. This would primarily take the form of a Board-adopted County Information Security Program. The program should name the lead person responsible for managing cyber-risk, lay out goals and strategies, describe roles and responsibilities, detail specific key cybersecurity policies, and direct the entire County organization to adopt and comply with the program. It should be adopted by Board resolution to provide a top-down mandate and support.

2. Require that a cybersecurity report be presented to the Board annually. An annual non-technical cybersecurity report will keep the Board informed on the Information Security Program’s progress and maturity over time, ensuring forward movement and progress. Your County’s National Cyber Security Review (NCSR) results should be included in the annual Board cybersecurity report. Every county is now required to perform the NCSR, which is a federally sponsored self-assessment and benchmarking program to measure an organization’s cybersecurity posture. The Department of Homeland Security (DHS) now requires counties to take the NCSR to receive DHS grants, and it is expected that this requirement will appear in other Federal, and likely State, grant programs in the future. The NCSR is a solid way to benchmark your county and track progress. What matters is less how well you score now, especially if you’re just getting started, and more the forward movement and maturity year to year.

3. Ask to see your county’s cybersecurity incident plan. A cybersecurity incident plan guides your county on how it will respond to a cyberattack. Having a robust and exercised information security incident plan in place is critical to minimizing organizational disruption and recovering normal operations in a timely manner. The plan should have escalation decision points for when the County Executive, County Counsel, the Board, the cyber insurance provider, law enforcement, and the media are engaged and informed of the information security incident. During an event, the Board may need to make important decisions, such as whether or not to pay a ransom. If your County does not have a security incident plan in place, direct that one be developed.

4. Ask if your county has an active cybersecurity awareness training program. County employees are the number one attack point for cyber-criminals, accounting for 80% of all cyberattack incidents. How employees use their computers, laptops, phones, etc. presents the single greatest risk of networks and systems being compromised by bad actors. Employees need to be trained and, more importantly, they need to take this very seriously. One mistake by an employee, such as clicking on the wrong link in an email or sharing their username and password, can compromise the entire county technical environment and all the data in it. Counties should have an active cybersecurity awareness training program that is required for all employees, including elected officials, with regular phishing testing. HR and Risk Management can partner with the IT Department on this training to help ensure success.

5. Ask all your County’s department heads how they are addressing cyber-risk in their departments. Too many county officials (elected and appointed) view cyber-risk as the IT Department’s problem, yet the business risk is to the county’s systems, customers, data, operations, and employees. The IT Department is responsible for technology systems disaster recovery plans, that is, bringing the technology back online after a cyberattack. County departments are responsible for continuity of operations planning, ensuring that they can still provide critical services to residents if their technology is not available for anywhere from a single day up to four weeks. These are called business continuity plans or continuity of operations plans and should include elements to minimize cyberattack impacts such as data loss and service gaps from ongoing technology unavailability. Ask your county’s department heads if they have business continuity plans in place and if they have practiced them.

6. Ensure your IT Department has an adequate technical maturity level. IT Department operational maturity, also called technical proficiency, is a primary factor in reducing a County’s overall cyber-risk exposure. It indicates how well your IT Department manages all the technology and information systems that your county utilizes. The IT industry measures this on a scale from 1 to 5, with 1 being “Initial” and 5 being “Optimized”. IT Departments that live at the low end of the scale, around level 1, are called “firefighters”, running to put out one problem or fire after another and unable to work on more strategic, value-add items like cybersecurity. As the IT Department matures as an organization, implements more processes, controls, policies, and procedures, and trains up its staff, it moves up the scale and overall cyber-risk across the county is greatly reduced. Boards and County Executives can help support and promote IT Department maturity by making sure the IT Department has the proper staffing level and funding in place in relation to the county’s size and budget. On average, a local government’s total IT spend across the whole organization, both inside and outside the IT Department budget, should be between two and four percent of the government’s total budget. Underfunding IT results in technology atrophy, lack of innovation, “firefighting”, and higher cyber-risk. Be sure your County is not set up for failure by underfunding technology across the organization.

The threat from cyberattacks will never go away; therefore, counties need to work actively and continuously to manage and reduce cyber-risk. By performing the six simple steps outlined here, Boards of Supervisors can execute their cybersecurity oversight responsibilities, minimizing the impact of inevitable cybersecurity attacks on their counties.

This article also ran in the Rural County Representatives of California - Barbed Wire Newsletter on 12/10/2021.

©2026. All rights reserved. Published by LGOV LLC
