Developing Cybersecurity Standards for Local Government

Lena Eisenstein
To say the least, the most recent cybersecurity attack that the media reports seems to be more alarming than the one that preceded it. Nearly every organization relies on computers and computer networks to run their businesses. That means that no organization is immune from attack. In recent months and years, more reports are coming forth about cybercrime that have affected vulnerable organizations like nonprofit organizations, schools, healthcare organizations, and local governments.

Cybercriminals continue to work hard to escape detection from the latest cyber protection strategies and programs. It takes a lot of resources to protect local governments from cybercrime. So much so, that local governments can't expect to do it on their own. One of the most difficult things about cybersecurity is that it's not 'one and done' activity. As cybercrime continues to grow in number and sophistication, local governments will continue to be challenged with how to stay a step ahead of the criminals and keep their information protected.

At present, there are no single easy answers for how local governments can best set cybersecurity standards. Nevertheless, there are plenty of things that local governments can do, which can collectively make a positive difference.

Challenges in Bolstering Cybersecurity Programs

Before developing a program for cybersecurity standards, city managers and council members need to educate themselves about the many challenges they will face.

First, it's important to consider the rapid pace at which cybercriminals are working. The staff at local governments has many different tasks that they need to manage every day. Because of their many duties, municipal government staff simply can't dedicate the same degree of time and resources to protecting computer systems and programs as criminals dedicate to breaking into them.

Second, most local governments are already stretching limited financial and other resources. The technology they invested in not so long ago may already be aging and outdated. It's also not so easy to update systems because older technologies don't always integrate or play nicely with newer systems and technologies.

Cybersecurity is a relatively new issue for local governments. It's one that is larger in scale and size than what most local governments can successfully tackle on their own, given the rapid pace of evolving changes in the world of cybercrime.

While many city managers are beginning to understand the scope and severity of the issue of cybersecurity, in many jurisdictions, there is a lack of knowledge, funding, and support at the decision-making leg of the body.

Where there is a lack of knowledge and understanding at higher levels of authority, there is the same deficit at lower levels of authority. Where there is little focus on cybersecurity internally, there is decreased awareness of it and with that comes an increased risk of a cyberattack.

Developing a Basic Cybersecurity Plan for Local Government

To date, no one has established national standards for cybersecurity for local governments. While that's something that we may see down the line, local governments can and should begin developing their own cybersecurity standards. There are a few tangible ways that local governments can go about it.

It's important to recognize that tens of thousands of other local governments are facing the same issue. There is power in numbers. One of the easiest and best things that local governments can do is to compare notes and strategies with other local governments. The information that one municipality learns can be used by other municipalities to help protect their data and their community.

While local governments may not have begun developing cybersecurity standards, it's important to start somewhere. Cyberattacks don't and won't always occur during normal business hours. It's important to consider that when establishing cybersecurity standards and ensure that local governments establish standards that cover their efforts around the clock.

Additional Considerations for Developing Base Standards for Cybersecurity

There are several other issues that local governments can consider when developing base standards for cybersecurity. In addition to local governments sharing information, there are other opportunities for information sharing at the federal and state levels. This type of information is especially helpful around issues concerning the infrastructure of cybersecurity and threat monitoring and detection.

In most cases, local governments won't have the capacity to tackle the full scope of cybersecurity in house. Considering this, each local government has to define the capacity for how much they can do in-house and how much they'll need to delegate to an outside IT resource. This decision should incorporate the necessary coverage for off-hours periods.

This is an important consideration because the city manager will need to make some recommendations for how best to allocate sufficient financial resources. One of the easier and lesser expensive things that local governments can do is to work towards building a robust cybersecurity culture internally by developing cybersecurity training plans in-house.

Planning for cybersecurity should be considered a work in progress that city managers review on a regular basis to account for the evolution of knowledge in this area.

Community by Diligent

Community by Diligent takes much of the concern about cybersecurity away from city managers and council members. Community by Diligent is a secure board portal system that was designed with the specific needs of accountability, transparency, and security built right into the platform.

The software makes it possible for citizens, staff, and council members to access documents and other information that's approved for their viewing without sacrificing security. The program is continually monitored and tested by Diligent to detect malicious behavior at the earliest opportunity and safeguard the community's private data. There's no need to invest extra finances or resources in cybersecurity expertise and it frees up internal IT teams to address other priorities. It's a far less expensive approach than hiring internal or external IT professionals.

Cultivate Organization-Wide Cybersecurity Culture

While a board portal system by Community by Diligent does some of the work for local governments, it's still proper to provide education for staff that works with computer systems and processes data. It's important to involve every department in this training and it should be an ongoing effort.
Related Insights
Lena Eisenstein
Lena Eisenstein is a former Manager at Diligent. Her expertise in mission-driven organizations, including nonprofits, school boards and local governments, centers on how technology and modern governance best practices empower leaders at these organizations to serve their communities with efficiency and purpose.