TAGITM Monthly
 

Navigating Cyber Threats with Limited Resources and Untrained Staff


By Stephen Williamson
Assistant Director of Technology for the City of Forney

In the current digital landscape, governments often grapple with establishing “good cybersecurity,” particularly those constrained by financial resources and an inexperienced workforce. As reliance on technology increases, safeguarding sensitive information becomes more critical. Securing infrastructure when no one, including senior IT management, is formally trained or well-versed in the ever-changing security tools and the latest attack methods can be overwhelming. While having a dedicated security team monitoring, controlling, and reporting every IT vulnerability is ideal, it is often unrealistic.

Finding qualified individuals to fill security roles is challenging for organizations and agencies of all sizes, but cybersecurity threats will come whether or not there is someone available to address them. This article explains how to implement simple but often underestimated strategies—such as employee training, MFA, and basic infrastructure practices—to reduce cyber liability within smaller government agencies without needing to create fancy security titles or new positions.

If we take a step back and put things into perspective, the first step to securing our environments begins with a simple question. What is the most essential resource to any mission? The answer: PEOPLE! Let’s put that further into perspective and see how people play a role in our security. Imagine that an impoverished population suffering from easily treated communicable diseases has recently been provided with a hospital housing state-of-the-art medical technology as well as highly trained doctors. When sick people come to the hospital, they are quickly cured with medicine but are not told how to prevent a recurrence. The outcome is obvious: the same people keep returning to the hospital reinfected. Worse than that, every person who comes back brings five newly infected people! Finally, the doctors realize they don’t need the fancy equipment or the most highly trained staff. They only require simple preventative equipment and public education about hand washing as part of general hygiene.

In the same regard that people require general hygiene, they also need “cyber hygiene.” In this case, cyber hygiene can be explained as employees consistently practicing security measures such as using strong and unique passwords, being vigilant against phishing attempts, regularly updating software, and responsibly handling sensitive data to protect the organization's digital assets. But how would the general population know this if someone doesn’t teach them?

In the world of technology and cybersecurity, we hold the same level of expected care as doctors in the medical field. This expectation means that we cannot assume that our staff, executive board members, or even citizens will self-educate on providing cyber hygiene. We must do everything in our power to ensure the message is continual and consistent. The best way to do this is to continue using a state-sanctioned training program, such as those covered under H.B. 3834. Remember, annual training under H.B. 3834 is a minimum requirement, and it would be even more beneficial to expand the program year-round, including perpetual monthly phishing tests.

Now, you may be thinking that no matter how much training you provide, some people still don’t understand it or comply. This sentiment brings us to the next major innovation in “automated protection,” and that is multi-factor authentication (MFA). MFA is pivotal in bolstering digital security because it provides two services. First, MFA offers real-time protection from weak or exposed passwords. With little to no training, this tool can stop an attempted account hijacking or even prompt a casual user to alert IT to one. Second, it provides a user with safe real-world training if their cyber hygiene isn’t what it should be.

No employee or public servant wants to be the reason that an entire city is brought to its knees, so enforcing MFA for public-facing services, especially email, provides an automated and essential reminder when an employee's poor cyber hygiene leads to a compromised password. Of course, the real value of MFA for governments might be that it is already included in the cost of our existing Microsoft licensing; even if only for email, it matters. For example, my current agency has reduced overall phishing and breaches in the past year since implementing MFA for o365 across the board. The roll-out was painless, we have seen no increase in support issues, and we have saved staff hours by reducing the time spent responding to legitimate phishing campaigns via hijacked email accounts.

Unfortunately, even the best-laid plans sometimes go off the rails. Being connected to the World Wide Web comes with great benefits, but it also comes with extreme dangers. Those dangers are most significant for those hosting information on web servers, public databases, and communication tools (such as email or collaboration systems). It doesn’t matter if those servers are on-premises or in the cloud; they are all vulnerable to coordinated attacks, such as zero-day attacks, where the vulnerability is exploited months or years in advance and lies dormant until a global attack is launched. However, not all hope is lost, and even these attacks can be mitigated with small teams if the proper controls are in place. The three things to keep in mind are as follows:

  1. Good Backups, and plenty of them! The best practice is to have server backups (preferably VM-level snapshots) stored in an offline or fully locked state for several months or even a year so that nothing can corrupt them.
  2. Change management and repetitive validation processes for firewalls and other protection systems are necessary to ensure that added vulnerabilities don’t exist due to carelessness.
  3. Routine updates are one of the most overlooked protections of all time, but not for lack of knowledge. We all get busy or want to avoid downtime and thankless weekends working, but that’s the fastest way to land on national news, and not in a good way.

In conclusion, straightforward controls often provide the most robust cyber presence and protection. Whether it’s related to personnel training or prevention or the protection of overall infrastructure, all of this falls onto IT’s responsibility. While that notion can be intimidating, most agencies understand that you can only provide services to the level you are staffed and trained. However, failure to cover even these most basic components will inevitably be seen as pure negligence by all involved, and nobody wants that headline in the papers. I hope this article inspires at least one person to step back and consider how they might implement one or more of these protections for the first time. For most of us, this article likely reminds us that we can constantly improve existing systems.

I’ll close with this thought… The most significant achievement in your career could be one that no one, even yourself, knows about through the thoughtful and diligent protection of your cyber hygiene.

 
