Improving city resilience with cyber checkups

Five things cities can do now.

By Debbie Pennick, Assistant Director of the Washington State Auditor’s Office Center for Government Innovation

Cities of all sizes are one click away from a cyberattack on their systems. These days it’s not a question of if, but when. The more you prepare for one, the easier it will be to recover from it.

Since 2016, state agencies and local governments in Washington have reported more than 100 cyber incidents totaling more than $25 million in related losses—with 60 local governments reporting they were targeted by a cyberattack in just the past two years.

Making sure your city’s systems are protected can seem daunting. It’s hard to know where to start.

Making sure your city’s systems are protected can seem daunting. It’s hard to know where to start. To that end, the Center for Government Innovation’s #BeCyberSmart program provides free cyber checkups to local governments in Washington as a service of the Office of the Washington State Auditor. These checkups are a great way to start building your city’s cyber resiliency. They’re fast (usually five hours or less spread over three to four weeks), free to local governments (can’t argue with that), and incredibly beneficial. A cyber checkup will help your city:

• Understand cybersecurity safeguards and why they’re important.
• Identify cybersecurity gaps and prioritize improvements.
• Begin building a cybersecurity program if you don't have one—or build upon your current program.
• Connect to free and low-cost resources to improve your city’s cyber health.

The program is also confidential, meaning the results will only be shared between Center personnel and your team. After the checkup, the Center’s cybersecurity specialist remains available to field questions and assist with implementing any recommendations.

Five things cities can do now

As of October 2023, the Center had completed 28 cyber checkups, with another three in progress. Daniel Mann, the cybersecurity specialist who conducts them, suggests five common strategies that all cities can focus on right away:

1. Train people as the first line of defense: Whether you have two employees or 2,000, a robust cybersecurity program starts with them—more specifically, with a thorough training program that teaches your staff how to identify, report, and protect themselves from cyber threats.
   • Training should be updated and conducted regularly, as new schemes and methods continually evolve.
   • Training and communications with staff should also include constant reminders about cybersecurity best practices, such as using strong and complex passwords.

      

2. Use multifactor authentication: This is a second form of authenticating your identity when accessing an account. It may be inconvenient, but it can help deter bad actors by making sure only credentialed employees have access to computer systems.

    

3. Back up your key datasets and systems: Having good, regular, reliable backups makes a ransomware attack easier to recover from.

    

4. Keep software current to reduce cybersecurity risk: Software makers are constantly updating their products to block or neutralize the latest threats, so you’ll want to check for available updates regularly to evaluate and prioritize when you should implement them across your government.

    

5. Write it all down: Be sure to document your IT policies and procedures. It helps everyone know what to do in daily work processes—and how to respond if a cybersecurity incident occurs.

One city’s story

The City of Port Townsend was among the first governments to receive a cyber checkup from the   Center. In a recent article published in Government Technology, David Olsen, a City of Port Townsend network administrator, recounted how the checkup’s final report provided a guide with potential next steps.

“You end up with an attractive package of recommendations,” Olsen said. “A lot of it is boilerplate, but it’s useful boilerplate, and there is room for specifics to the particular organization.”

Another advantage of the Center’s cyber checkup program, in Olsen’s view, was getting an independent, unbiased appraisal of his city’s cybersecurity posture that he could present to executive leadership.

“In some ways, the key benefit for me was creating visibility higher up the management chain,” Olsen told the magazine. “It fairly, economically, and quickly [helped me develop] some talking points I could use with management to say, ‘Here we’re doing OK. Here we could be doing better.’”

Bottom line? In today’s world, where cybercriminals are targeting local governments more because of the amount of sensitive data they maintain, signing up for a free cyber checkup program seems like a pretty easy decision.

If you or someone in your IT department (perhaps you’re both) would like to request a free cyber checkup or get more details, email center@sao.wa.gov or call 564-999-0818.