On May 7, 2019, the City of Baltimore fell victim to an aggressive ransomware attack, the fallout from which will last for years to come. The attack on Baltimore’s systems came less than a month after the city of Greenville, NC was hit with the same ransomware variant.

Cybersecurity in the public sector couldn’t be more relevant than it is today, but for most, it’s prohibitively complex.

What is my level of risk? Where do I start? How will this affect my bottom line?

The June event in Mindgrub’s Outdoor Speaker Series brought together four cybersecurity experts to tackle those important questions and more. 

Read on for their biggest tips.

---

Panelists:

Brian Dykstra, CEO, Atlantic Data Forensics

Peter Jungck, Vice President & General Manager of Intelligence Solutions, BAE Systems Inc. (Moderator)

Larry Letow, President & COO, LG-TEK

Beth Perlman, IT Consultant

 

On what’s changed in cybersecurity:

“The prevailing mindset among small to mid-size business owners used to be, ‘Nobody cares about my business – no one wants our data – they’ll go after the government, or a large company, but not mine.’ Nowadays, if you have a bank account, you’re a target. There’s going to be ransomware headed your direction.” – BD

“People are finally realizing that cyber attacks are also coming from the inside. These attacks are mostly coming from people, and all the technology in the world isn’t going to protect you from man power.” – BP

“Cybersecurity threats are changing everything that we do in business. For example, we used to attach important files to an email, but now we only share the file location. It’s changed people’s everyday lives in ways that we don’t always realize.” – LL

 

On how to prevent or prepare for a cyber attack:

“Preparation really comes down to following the best practices you already know about. Patch your systems and upgrade them in a timely manner. Make sure your data is backed up (not on a USB drive hanging off of a server somewhere), and have a secondary cloud set of back-ups. Keep log files to make sure you know who’s logging in and when or why they’re doing it. All of these simple, ‘mundane’ things really make a difference. It’s important to understand that you need to prepare for something that you absolutely know is coming. If you knew your house was going to flood a year from now, you’d move away before it happened. Take those same precautions that you take in the physical world in the digital one.” – BD

“A lot of people talk about disaster recovery – I say it’s about business continuity. What are the critical systems that you need to run your business? How would you keep your business running if you lost all of those systems? That’s how you should start your preparation for cyber attacks.” – BP

 

On defining the challenge of cybersecurity for the public sector:

“In the government agency where I worked, security was a ‘hobby.’ It wasn’t anyone’s job. That leaves municipalities like Baltimore at great risk. You can make a conscious choice to accept the risk, but you have to understand exactly what those risks are in order to make the right decisions.” – BP

“If they had the money to make the updates on their systems, they’d do it. So how do you carve out a part of your budget and make sure that the work actually gets done when the threat isn’t already upon you?” – BP

“Security is not a product; it’s an ongoing commitment. You can’t buy your way out of it. It’s challenging to make the case for incorporating security into your operations, though, when it doesn’t contribute to the bottom line.” – LL 

 

On creating a culture of security in your organization:

“When educating your company, you must stress that they have a vested interest in protecting your data and your systems. Some of what’s at risk is their data, too.” – BP

“Two thirds of incidents come from inside your organization. It’s just as important, if not more so, to create processes that protect against internal theft as it is to protect your systems from external theft.” – LL

“People don’t just wake up one morning and decide to steal from their company for no reason. There’s usually a behavioral change or a bad review or something else in an employee’s life that leads up to someone making that choice. Not knowing what’s going on with your employees puts your business at risk, too.” – LL

“We recommend annual background checks on your privileged employees. If you were hired 15+ years ago, it’s safe to assume that your life has changed a lot since you were first screened by your employer. It’s unwise for that business to continue to trust people with access based on that first check.” – BD

 

For organizations that are slow to change, where do you start? What’s step one?

“Patching and upgrading your systems. Live by the rule, ‘If you touch a system, you’re responsible for bringing it up to date.’” – BP

“Education for your employees.” – LL

“Take a look at your organization. Take the state of Maryland, for example: Instead of having one CIO who manages a centralized network of sub-CIOs, etc., they have a highly distributed network of people who are responsible for handling state data. That makes it challenging to find out where attacks may come from and to make a plan to prepare effectively.” – BD

 

On finding top cybersecurity talent:

“We can’t get people who are cleared brought on board fast enough. You want the best people, but when you’re working with the government, sometimes ‘innovation’ also means ‘at the lowest price,’ so it’s challenging to strike that balance.” – LL

“You’re going to have a labor shortage in this industry for awhile, so we need to find a solution that’s not driven by the hour. How can we leverage tools like AI and machine learning to scale?” – PJ

 

What were your biggest takeaways from the June Outdoor Speaker Series event? What burning questions do you still have about cybersecurity in the private sector? Leave them in the comments below!