Cyber attacks are a serious and increasing threat to local governments, according to a briefing given this week to the Metropolitan Washington Council of Governments Board.
“There are attempted attacks daily. Thousands of times a day on one entity alone,” chair of COG’s Chief Information Security Officers Committee Michael Dent said at Wednesday’s meeting.
Dent said the top threats to cyber security are phishing, ransomware and humans.
“Four out of 100 people continue to open a malicious attachment, or navigate to that malicious website and give up personal information or even a password,” Dent said, citing data from a recent study. “An email was used in more than 90 percent of the incidents to deliver malware.”
Organizations need to decide how much risk they’re willing to accept given available resources to counter potential threats, Dent said.
Protections can come in the form of updated and secure firewalls, great passwords and installing every software and antivirus update available, or, for example, tightening control over who gets in and out of systems connected through the internet of things, such as Smart911 or traffic light control systems.
And, there’s the human factor. To help educate people, Arlington County’s Richard Archambault strongly recommends regular security training.
“There are great platforms today that allow you to do this on a regular cadence that include things like simulated phishing attacks where you can send emails to your entire organization and find out who those four in 100 people are,” Archambault said. “And in that moment provide a training intervention — ‘Hey, you clicked on this. It wasn’t the right thing. Here’s why.’”
Fairfax County Supervisor Penny Gross asked what such protections typically cost as a percentage of budget.
“For IT in general, some of the national benchmarks are somewhere up towards seven percent of your total general fund should be applied toward technology,” COG’s Chief Information Officers Committee Chair Wanda Gibson responded.
Gibson added that a recommended security cost hasn’t been isolated in that broader benchmark recommendation. But Fairfax County, for example, is looking for additional security research on the topic. However, Gibson believes security costs should be built in.
“Because if it comes out as a separate cost and price, that kind of makes it almost like it’s discretionary, in a sense. But it should be built in … it’s the cost of doing business, it should be done.”
Editor’s note: A previous version of this story misspelled Richard Archambault’s name. It has been updated to correct that.