Canadian municipalities and school boards facing financial constraints can still do a lot, short of overhauling their infrastructure, to boost their cybersecurity, a Technicity West panel on cybersecurity in the public sector was told this month.
“It’s really important as a first line of defence that our staff are aware” of cybersecurity risks, said Brad Labrenz, chief security officer (CSO) of the city of Calgary. “The more awareness we can put forward, the better off we can respond to threats.”
Training is worth it, he said, noting that when the municipality runs its annual cybersecurity awareness program, the click rate on phishing tests drops.
Darin Young, chief information officer (CIO) of the city of Delta, B.C., said the municipality takes what he called a balanced approach, educating staff about the cyber landscape and the risks that go with it. Not only does the city have an annual compulsory training program, it runs phishing tests all year. Those who are “unsuccessful” on a test have to take a remedial training course. That got the click rate down “significantly over the past couple of years,” he added.
Another relatively inexpensive security booster was pointed out by Trevor Butler, general manager of information services and digital transformation for the city of Lethbridge, Alta.: having a disaster recovery plan.
Cybersecurity awareness is also key to getting municipal councils or school boards to increase security funding, panelists agreed.
“We make sure our council and business units understand their own risks,” said Labrenz. “And what’s there to mitigate it. Ultimately that allows business unit owners to make risk decisions on their own. That is key to having them as a collaborative partner.”
“It’s a collaborative relationship with your business partners,” he added. “As they make decisions on how and where to spend their allocated budget, they obviously have a role to play in understanding their risks. If we’re good partners, we’re going to be very good at helping them understand what that risk is, and allowing them to make decisions. I don’t think we present risk as all-or-nothing. We often present them with different levels of risk and different levels of mitigation, and then allow the business owners to make decisions based on their budget.”
“When you have limited resources, the first thing you want to do is find out where the greatest risk is and apply those resources where it makes sense,” added Young.
Asked by panel moderator Richard Freeman, a portfolio manager of enterprise workflow solutions at Ricoh Canada, how staff can be empowered to make smart security decisions, Butler cautioned against having a punitive attitude toward those who make mistakes. “That’s not the world empowerment lives in,” he said.
“Naming and shaming” isn’t part of education, agreed Labrenz. Calgary has been hit twice by major cyber events — one was ransomware — and both times the staff that made mistakes reported their errors to the IT service desk. They wouldn’t have done that if they believed they would be “ostracized” for starting the incident, he said.
Peter Holowka, director of education technology at West Point Grey Academy, a Vancouver private school, noted the cybersecurity awareness of staff at the institution has gone up since the pandemic. “You can expect a level of sophistication [now],” he said.
Finally, asked about cyber insurance, several panelists said their municipality has it. But with premiums and deductibles going up and coverage going down, many are thinking of “self-insurance” — meaning taking the money being spent on insurance and putting it into improving IT.