As a Manager, Mayor, or Councilor of a city or town, you do your best. You manage employees and support their growth. You improve your services to better serve your residents. Maybe in the back of your head, you think occasionally about information security. Between tax records, police records, and employee records, your local government presides over a lot of information. By your state government’s standards, even your small town or city is considered a “data collector”.
As a data collector, what are your responsibilities and how do you manage them? Maybe you have a small IT department, or you have a relationship with a local IT service provider. Your immediate technology needs are being met, but are you protected from cybercrime? Information security is inherently tied into technology, but your staff or service providers are likely not experts in keeping your residents’, employees’, and users’ information secure.
Not too long ago, smaller cities and towns could fly under the radar. There weren’t enough “bad guys” to merit extensive measures. Now, everyone and anyone can be a hacker. The systems you need to operate day-to-day all pose threats in their own way. Websites provide valuable information, but can crash or become comprised through denial of service attacks. Cloud storage allow employees flexibility, but can open channels to confidential documents. WiFi keeps everyone connected, but can also connect insecure devices to your secure network.
Many Local Government Targets
In the Northeast, we have so many cities, towns, and villages. Some recently publicized events show that information security victims come in all shapes and sizes. Your local government, unfortunately, is not immune:
At the Police Department of the City of Middleton, New York, hackers gained access to the Middleton Police Department’s database and were able to export personal information including names, social security numbers, driver’s license numbers, dates of birth, fingerprints, and addresses of individuals who had contact with the Middleton Police Department.
The Township of Springfield, New Jersey also recently reported similar activity in their Police Department’s database.
The City of Stillwater, Oklahoma reported that “an unathorized party accessed a computer” for 22 days which contained the information of 3,000 people who were issued citations for ordinance violations.
The website for Harrison, New Jersey was hacked eight times in one month last year. While no privileged information was compromised in this instance, many city websites allow for online database access. If these systems are not configured properly within your website, they can allow unauthorized users to access your data.
The Police Department of Essex, Vermont, located right down the street from our headquarters, fell prey to a tax fraud scheme via email in 2016. This illustrates the most common cause of data breach: internal threats. In this case, an unknown person sent emails pretending to be an Essex Town Official and requested payroll records. Town staff provided the information and did not verify the sender’s identity. Internal errors like this are much less technical, but just as damaging as a hack.
Finally, in Israel, cybersecurity researcher illustrated a takeover of Tel Aviv’s public WiFi. Do you offer WiFi in your city buildings? Public WiFi should be firewalled off from your internal password-protected WiFi.
Impact of Data Breach
Not only is a data breach a huge setback for local governments, the costs are greater. The relative significance of data breaches is larger for small entities. Recovery is also more public. Your neighbors, coworkers, and taxpayers trust you to keep to their information safe. Laws vary state to state, but in Vermont, you are required to report a breach within 14 days of discovery and notify affected individuals of a data breach within 45 days from discovery of the breach. Experts can help ensure information security so data breaches don’t occur. Often, fixes are not expensive or extensive. Take the initiative now to assess where your vulnerabilities lie.
Need Information Security?
Information Security is the practice of securing all information across your business. This includes the review of Information Security as it relates to Legal, Human Resources, Finance, IT and any place within your government that uses information in digital or paper form. At NuHarbor, we leverage common security frameworks to give you a road map to best practices so information is protected any place where it is processed, transmitted, or stored. Want to know more? Click here to read about Security Program Reviews.
