I recently had the privilege of presenting at the California Special Districts Association 2023 Emergency Preparedness Summit. My topic was cyber security, and in my talk, I went through the components that make up a foundational security strategy.
When it comes to special districts and municipalities, the level of cyber security sophistication is all over the place, just as it is for businesses. Some have minimal defenses, and others are quite advanced.
One thing that I noticed, however, is that there are fewer organizations saying that they don’t need cyber security. They know they need it. But often, they don’t know exactly what to do or how to do it.
This is an extraordinary mindset shift because when people understand the why, we can move faster to the how. When we’re talking about the how, business, municipal, and special district leaders quickly realize that they need help.
Cyber Security Tactics Have Evolved
I shared a slide in my presentation (starting at 33:17) that illustrates how the discipline of cyber security has evolved.
If you look at 2005 as a starting point (which was two years before the first smartphone was introduced), you can see that the security layers that you needed were pretty basic. At that time, it was well within the realm of an IT manager or small IT company to implement and manage those tactics.
Jump to 2010, and there were more security layers to handle as cybercriminals evolved their tactics. Then when you compare 2010 to today, security looks a lot different. It’s more complex, and even though it’s extremely easy for anyone to buy the software tools, it takes a great amount of expertise to put them together with the right recipe to get the right outcome.
The Outcome of Security is Not Just Prevention
That brings us to the next mindset shift that needs to happen, which is to change what we think of as the result of security because it’s not just prevention. Preventing cyber attacks is certainly a goal of security, but what’s equally important is detecting intruders and then doing something to stop them after that happens.
As I shared in my talk with special district leaders, it’s detection and response that’s going to mean the difference between a cyber emergency and a cyber catastrophe. Avoiding a catastrophe is all about planning what you’re going to do when you have an intruder event.
Every organization should have a documented incident response plan. Not only should there be a plan, but employees need to be trained on how to follow it, and they need to practice it.
This isn’t so different from how you prepare for other disasters like a fire. You have smoke detectors to alert you when a fire is happening; sprinklers to react immediately when there’s an alert; a plan for what people are supposed to do; and experts to call in to handle what you can’t.
Unfortunately, most organizations are probably more likely to encounter a cyber attack than a wildfire. Best to be ready for it when it happens.
Thank you to the California Special Districts Association for inviting me to be a part of their mission to provide the resources that special districts need to serve their constituents.
You can watch Corey’s presentation on YouTube starting at 31:38.