Pfeiffer – TECH UPDATES: What Municipal CAOs Need to Know, Part 1: Tech Fitness and Cyber Hygiene

Bloustein Local Government | News

There are two basic elements of technology that every municipality must have. Most places already do this, but it doesn’t hurt to highlight them.

The first is an expert to advise you and your governing body on technology issues. As with other experts you hire—a police chief to advise you on law enforcement concerns or an engineer to advise you on infrastructure issues—you must be able to trust the expert you hire in this case to give you their best advice based on a clear understanding of your municipality and its use of technology.

The second is data and system backups: sound, regularly tested procedures for data and system recovery. It is critical that you establish and execute policies that fit your organization’s level of technological complexity; not doing so is gross mismanagement.

You must routinely test your backup procedures to make sure they are working properly. That will give you confidence they will work when you experience a cybersecurity breach, ransomware, or a disaster incident. Your expert should decide what your backup regimen should be.

By now, every municipality should have those in place. If not, you’re late! Get that done, then come back to the rest of this article.

For the rest of you, now what? The answer: develop tech fitness. A technologically fit agency has sound technology management policies; its employees are regularly trained in cyber hygiene (security awareness) practices; and it competently manages delivery of its technology services, including cybersecurity prevention and incident mitigation.

Over the years various technology organizations have developed frameworks that organize and structure cybersecurity practices. The Center for Internet Security’s Critical Security Controls is the most well-known of these standards. While their details may be challenging for smaller organizations to implement, the concepts of tech fitness track the main points of the CIS and other frameworks very well.

Each municipality needs to decide the best approach for its community based on its technology profile and risks. This link will give you a head start on the other elements if you want to get ahead. The rest of this article focuses on ensuring one critical element: that your staff is trained to avoid creating a cyber incident.

Cyber Hygiene/Security Awareness

Whatever you call it, employees need to be trained and periodically reminded how to act responsibly when opening emails, clicking on attachments and links, constructing passwords, and avoiding fake websites. Your tech expert should help assess your needs and develop the best way to approach training.

The best approach is to enroll employees in an online program that provides video training modules with monthly quizzes and periodic simulated phishing emails to test whether staff recognize and report them. Keep in mind that the best services may also be the most expensive. Municipalities will need to sift through providers and the wide range of services they offer to meet local needs.

Make sure the training includes the use of mobile devices as well as desktop, laptop, and handheld devices. Don’t forget to involve non-office workers as well: public works, police, fire, and inspections personnel all use computers in some way and need to be trained.

There are also low-cost alternatives. These include the following:

• Subscribe to the SANS Institute monthly OUCH newsletter and send it to staff. SANS is an internationally known cybersecurity training and education organization. OUCH is free; sign up for it here.

• Take advantage of resources from your cyber insurance carrier. Today, every organization needs cybersecurity insurance protection. Most insurers, especially those that provide cybersecurity coverage, provide training and educational materials for employees.

• Use online training videos (e.g., search YouTube). Many organizations (including local governments) have posted training programs online. Do a web search for “cyber security awareness employee training videos” to find videos that might meet your needs.

• Use employee-led in-service training at staff meetings. Ask staff members to take turns developing short presentations each month or quarter. Reinforce the content of the latest OUCH newsletters. Discuss cybersecurity in the news and how it could affect your organization.

• Stopthinkconnect.org is a U.S. government cybersecurity resource offering a wide range of awareness materials (printed, website, video).

• Partner with your local board of education, county colleges, and other area agencies. Everyone needs training. Leverage staff, volume, and consistency.

• A cybersecurity vendor, Total Defense, maintains a Security Tips of the Day website. Not every entry may be relevant for your organization, but it can serve as a useful source of information to disseminate to your staff.

Establish formal cybersecurity training policies, put someone in charge of them, and include them in routine risk management training. Keep training records; you may need to provide documentation of employee training when filing an insurance claim in response to a successful cyber attack. Many local government self/joint insurance funds and insurance companies provide portals or online systems to track employee training. Take advantage of them.

Don’t forget new employees; they should take some form of cyber hygiene training as part of their onboarding.

Ongoing training doesn’t have to be just organization related; you can include guidance for parents of K-12 students, how security affects families and nonprofit groups, etc. Since most employees and their families encounter online technology outside of work, developing their understanding of the risks and responsibilities of using their devices has value. It will help protect the entire community and may lead to increased awareness in related areas as well. It may also provide some good use case discussions for your organization. The stopthinkconnect.org site has resources for specialized groups.

Finally, take advantage of your local library. Most libraries are involved in technology training in some way. They may be a resource you can leverage. And if yours doesn’t do tech training, encourage them to. Most state (and national) library associations can provide guidance on how to approach this.

This series continues next month with a discussion of tech management fitness.

MARC PFEIFFER, an ICMA Life Member, is a marginally retired New Jersey town administrator and state agency manager. He is currently a senior policy fellow and assistant director at Bloustein Local, a unit of the Center for Urban Policy Research at Rutgers University. (marc.pfeiffer@rutgers.edu)

About Tech Fitness

The concept of Tech Fitness evolved from one of the country’s first local government joint insurance funds: the New Jersey Municipal Excess Liability Joint Insurance Fund (MEL). In 2017, the author led a small group of municipal CIOs (part of the NJ chapter of GMIS, a national association of local government technology managers) and developed a cyber risk management plan (CRMP) for the 500+ MEL local government agency members.

In 2020, the CRMP evolved into Tech Fitness, based on the author’s 2020 report that recommended a set of minimum technological proficiency standards for local government technology management practices. That is now the current core of Tech Fitness. The report provides guidance on technology standards, understanding risks, and proficiency standards for small to medium-sized government agencies. While it maintains basic consistency with comprehensive cybersecurity frameworks, it goes beyond security and addresses broader issues of technology management.

The series starts with this introduction and comments on cyber hygiene/security awareness. Future articles will cover the key elements of Tech Fitness and high-level briefings on the cloud, contracting with third-party service providers, procurement of tech goods and services, HR and budgeting, and a bit of artificial intelligence. Send questions for the author to marc.pfeiffer@rutgers.edu.

ICMA, October 1, 2023