Most municipalities are different from organizations in the private sector. However, they have one thing in common: the need to prioritize their data to meet privacy and security obligations.
During an online cybersecurity panel at this month’s Technicity GTA conference, speakers from the municipal sector made it clear that doing so is no different from the way profit-making firms do it.
“It’s critical that the information security team spend time with business leaders to understand questions such as how long would it take to retrace all of our engineering drawings, how much lost productivity would we have if the ERP system was unavailable for a week?” said Brent Capp, IT security and risk officer for the town of Newmarket, Ont.
“Using this information we can start to tell a story of how critical an asset is, what it’s worth from a service delivery perspective.”
It starts with collaborating with the city clerk’s office, with business owners and data custodians who can help identify data based on its classification, agreed Maneesh Agnihotri, interim CISO of the city of Toronto. Then, he said, based on the data classification, infosec leaders can look at the security infrastructure and everything around it that supports the safekeeping of that data.
“So the first step is to have that discussion, to identify what is the key data in the organization, where is it housed, and how do we secure that?”
That led moderator Richard Freeman, Ricoh of Canada’s portfolio manager for enterprise workflow solutions, to ask how municipalities can balance the security needs of users — internal and taxpayers — with the need to protect data.
Kush Sharma, director of municipal modernization and partnerships for the Municipal Information Security Association of Ontario, reported that 92 per cent of respondents to a recent poll of members said municipalities should first focus on critical infrastructure — such as the water system, public transit, solid waste and the voting system — before what they called traditional IT.
“What you don’t want is the water system to be breached. If Microsoft Office 365 and your documents go down, or maybe you can’t process some financial statements, that can be fixed. But if your water system goes down there are life-safety issues. If we can try to balance the resources we have as municipalities and focus on the critical infrastructure components …. that would be a good start.”
Finding information is vital, panelists said. Capp noted that IT business system analysts and the records management team will help with the lesser-known areas where personally identifiable information (PII) is stored. They are experts at collaborating with different business units and know where some data is “unofficially” stored.
“Sometimes you’ll find people are storing PII somewhere because it’s convenient and helps them get from point A to point B faster. The more we understand the use cases for these temporary or alternate use cases, the easier it is to work with the business units and improve the security posture,” he said.
The panel also touched on cyber insurance. Roland Chan, CISO at Toronto Metropolitan University, said that because rates depend on what organizations are doing to protect themselves, his institution makes departments aware of the importance of good cybersecurity practices.
Many municipalities won’t be able to qualify for insurance based on the heightened cyber controls insurers are asking for, warned Sharma. Even if they do, insurers may declare a cyber incident is excluded from coverage because it is part of an ‘act of war’.
Any municipalities smaller than a city may have to look at self-insurance, he advised, or group with other municipalities to self-fund themselves.
“Organizations have to understand insurance isn’t a cyber control,” said Agnihotri. “It’s part of your remediation, it’s part of your recovery. So what is driving this now is how fast can we improve and mature our security posture.”
Finally, asked for tips on improving employees’ cybersecurity awareness, Sharma urged infosec leaders to stop thinking of themselves as technical experts. “We need to translate and communicate better to the leadership that we are a critical business function within the organization,” he said.