County Officials: 3 Cybersecurity Questions You Should Ask IT

After attending the NACo Annual Conference this year and having the pleasure of speaking with hundreds of county elected officials and their IT teams, it was clear that the topic of cybersecurity was top of mind for everyone. The recent headlines about cyberattacks, especially ransomware on major organizations including Tyler Technologies, Solarwinds, the Colonial Pipeline, JBS, and Kaseya heightened awareness around the possibility of an attack happening to anyone, including counties.  

However when discussing cybersecurity, and topics such as multi-factor authentication, with elected officials, it was clear that there is a gap between the concern of becoming a victim of one of these attacks, and how to prevent them. When asked, many county commissioners, supervisors, and other elected officials confirmed that they used everyday passwords to access their devices, systems, and data. 

While the county IT team is responsible for putting preventative measures in place, elected officials play a vital role in recognizing and elevating their concerns and observations about the cybersecurity practices across their counties.  

So, if you are a county commissioner or any county elected official – this blog article is meant for you. Below we’ve included three key questions you should be asking your IT teams, as you work together to make sure your county is protected. Remember, cybersecurity requires cooperation and support from all county departments to be successful, with success often starting from the top down.   

Cybersecurity Questions to Ask Your IT Team 

• QUESTION #1: Why are we still using passwords? 
  

  Consider your day-to-day work with the county – do you use passwords to login to your email? How about county records and data? Court systems? VPN? Passwords have been proven to be the weakest link in security time and time again. Take for example the fact that the Colonial Pipeline ransomware attack started with an old, previously compromised VPN password or that the ransomware gang that attacked Delaware County, PA started the attack by communicating to users that they should change all of their passwords.  
   
  With passwords as a known vulnerability, it is time to ask your IT team why you are still using passwords and how you can avoid relying on them as the only way to login, especially to critical systems and data.  
   

• QUESTION #2: What is our ransomware response plan? 
  

  As mentioned above, ransomware has become one of the most common attacks that have been targeting counties on a regular basis. In one of our recent blogs, a simple search for “county ransomware” generated reports of attacks not only on Delaware County but also Baltimore County, MD, Jackson County, OR, and Hall County, GA. Counties continue to be targeted, and when discussing ransomware, it is not a matter of if, but when. 
   
  It is important that everyone knows the “fire drill” that will be necessary when an attack occurs. Being able to detect and respond quickly to an attack is essential so that the damage can be controlled and systems can get up and running again as soon as possible. Just as you have a disaster recovery plan for natural disasters, it is critical that your IT team has a ransomware response plan that is communicated to all employees.  
   

• QUESTION #3: Are we at risk of losing our cyber insurance? 
  

  Over the past 18-24 months the rate of ransomware attacks and the amount of ransom they demand has skyrocketed. With cyber insurers taking on the majority of the cost of these attacks, they are enforcing stricter requirements and evidence of proper cybersecurity controls. They often look for ransomware protections, IT risk management, and require multi-factor authentication (MFA) as a baseline for any cyber strategy. Without these controls, you could be at risk of being penalized with a higher premium or losing your insurance altogether.  
   
  Make sure to work with your IT team to understand what cyber insurance you have (a key part of any ransomware response plan) and what requirements are required to maintain your insurance and/or a lower premium.  

A First Step: Multi-Factor Authentication (MFA) on ALL Accounts 

These conversations and questions are ones that you should be having on a continuous basis with your IT team. While each of the answers to these questions may be complex, one cyber defense is able to address all of them. That’s multi-factor authentication (MFA).  

As recently reported by NACo MFA is a top cybersecurity priority for counties, and during the IT Steering Committee the Cybersecurity & Infrastructure Security Agency (CISA) made it very clear that you should, “have MFA on every, single account”. MFA can quickly add a layer of security to any password-based login, prevent ransomware and the spread of it, and meet the baseline requirements for cyber insurers. While it is often perceived as cost-prohibitive there are very affordable solutions, such as BIO-key PortalGuard’s MFA that eliminates that concern.  

Everyone is Responsible for the Cybersecurity of the County 

With cyberattacks skyrocketing and counties continuing to be a target for cybercriminals, all county departments need to start thinking of cybersecurity as their responsibility. As elected officials it is important that you are helping bridge the gap between you and the IT team by asking key questions, having tough conversations, and taking action to keep your county safe. MFA is a great start to begin to secure your county so you stay out of the headlines as the next victim of the next attack.  

Learn more about how to use multi-factor authentication to go beyond passwords in our State of MFA eBook, and make sure to share it with your IT team the next time you sit down to talk cyber.