Three tips for improving cybersecurity posture

New year, same story: the emergence of new cybercriminals and attack vectors means that any networked products and services are at the potential risk of attack. Whether this is unauthorized access, exploitation of vulnerabilities or tampered software, any number of threats could pose a significant risk to municipalities and their communities.

However, reducing the risk of a cyber incident in municipalities isn’t simple, and requires advanced technologies and tools, as well as an understanding of best practices. With cybercriminals increasingly leveraging advanced technologies and the damaging impact of cyberattacks on cities, there has never been a more critical time to invest in strengthening your cybersecurity posture.

Tip 1: Standardize, standardize, standardize
To begin, it’s important to understand that municipalities function much differently than private corporations. Municipalities often deal with older infrastructure and legacy systems, and don’t have the resources to switch over to the latest and greatest technology as soon as it comes out. Because municipalities also cover a range of industries, you’ll deal with different ages and stages of tech—just because the traffic cameras are the latest, for instance, doesn’t mean the libraries also have new cameras. Beyond discrepancies in performance ability, you also must consider that tech procured in the early 2000’s has a completely different lifecycle and may have separate or confusing warranties.

Because of all these competing factors, the ability to go back through and update all technology is difficult. Though the task may seem daunting, it’s not something that can be put off or ignored. In Oakland, Calif., for instance, the city fell prey to a cyberattack due to outdated systems and practices and is now facing multiple costly lawsuits. Municipalities simply cannot afford to wait until after the fact to go through their legacy systems and update their technology. By presenting a unified front, cyberattackers will have fewer vulnerabilities to exploit, and there will be consistent policies in place so no matter what they face, all members of the municipality will be on the same page.

Tip 2: Wash your cyber hands
Though there are think pieces, real-world examples, and countless stories about how threats are changing, and cyberattackers are evolving, cyber hygiene remains the same. On its face, it seems straightforward enough: update your technology, patch before it’s too late, and change passwords regularly, but multiple vendors and many lifecycles across a large municipality make cyber hygiene difficult with multiple steps involved. For instance, if you have a vendor that doesn’t exist anymore and can no longer provide support for a device, that device needs to be eliminated. If the municipality can’t afford to replace all those devices, then at the very least, additional security segmentation and gateways need to be in place surrounding them.

Another obstacle standing in the way of clean cyber hands is how siloed municipalities can be. Because they’re so reliant on separate budgets that aren’t quick to be updated, the divide between departments can seem insurmountable. Video systems, for example, have always been their own department, because putting them on the IT network (and budget) would hamper what the IT department is trying to accomplish—but because those video systems aren’t on the network, they don’t get maintained. Like most issues a municipality faces, it comes down to manpower, budgets, and bandwidth. Municipalities need to spend a little extra time and money getting their defenses shored up and their cyber hygiene in tip-top shape, because it will cost more money in the long run if a cyberattacker exploits these siloes.

Tip 3: A good cloud strategy
Prior to the existence of cloud storage, everything was stored on-prem, which was straightforward and explicitly under the control of the municipality. Now, with the rise of the cloud and all of the benefits it provides, more and more data is being stored there—but by putting things in the cloud, municipalities are expanding their attack surface. The cloud can help with computing, visibility, and overall management, but it’s not a silver bullet, and if municipalities don’t already have a cloud strategy, now is the time to develop one. While some of this strategy does fall under the standardization tip, like making sure configuration settings are the same and IT security controls are uniform, this strategy goes beyond that.

In addition to standardization, municipalities should perform a cost-benefit analysis about what they’re keeping in the cloud and why. This is especially important as most have their data scattered across multiple clouds instead of one—say the smart camera vendor uses one cloud system for all their data, but all of the other data generated by a municipality is on another. This splintering issue is becoming more and more prominent with the rise of artificial intelligence (AI), as different cloud platforms compete to be the best for analytics. It’s up to those in charge of the municipality to read carefully, understand the capabilities of each cloud system, recognize the needs of their technology, and make their marching orders accordingly. By understanding the “why” behind each system, you’ll be better prepared to protect it.

As always, it’s a wild world out there for municipalities everywhere confronting this new wave of cyber threats. The risk is real, from outdated systems to departmental silos and the cloud adding its own twist to the plot. The key takeaways? Standardize like your cybersecurity depends on it—because it does. Keep those cyber hands squeaky clean, even if it means tackling budget battles and slogging through systems. And when it comes to the cloud, a well-thought-out strategy is your best bet in this digital era. The bottom line? Municipalities can’t afford to play catch-up with cyber attackers. It’s time to invest in tech, get everyone on the same page, and make sure they’re prepared to protect the communities they serve.

A 25+ year industry veteran, Wayne Dorris, CISSP, is the cybersecurity business development manager for Axis Communications covering North America. In this capacity, Dorris generates awareness and assists with cyberstrategy and demand in Axis products. He also influences IP solutions for all segments of Axis’ business relative to cybersolutions. Dorris is currently an active member of ASIS.