If there is any benefit from the massive workplace disruptions caused by the coronavirus outbreak, it may be that there is a wider understanding of the massive cybersecurity risks within state and local governments.
Everyone now understands that security isn’t just an IT issue, says Maria Thompson, chief risk officer for the state of North Carolina. “One of the pros of COVID-19, if I can say that, is some of the agencies that have been more resistant to a unified approach to cybersecurity have come to the realization that they have to work together, because we're all dealing with the same levels of the deficiencies that we may have,” she says.
Network endpoints have shifted rapidly in recent years, and the pandemic intensified that shift.
“Within the cybersecurity team, we’ve known for some time that the boundary has shifted, that it's no longer contained and it's at the individual endpoints,” Thompson says. In the coronavirus era, “everyone is getting a better appreciation of that shifting landscape.”
Thompson’s comments came during a recent webinar discussion of how states have been forced to rethink their cybersecurity approach as a result of the pandemic. The webinar, Cybersecurity at the Edge, was part of a new series of conversations for the Crisis Response Initiative, a joint program between Governing and Government Technology to help equip state and local leaders with tactics and resources to respond to crises.
The new work-from-home normal has vastly expanded the threat landscape for state and local agencies, as well as the potential for fraud and abuse within programs such as unemployment benefit applications. Thompson says the entire North Carolina IT team has been working hard to manage those risks, address vulnerabilities, detect fraud, push out security awareness training to remote employees, and work with vendors to implement new solutions. The process has been a reminder, she says, that good solutions can come from anywhere.
“A personal lesson learned for me was the understanding that, as a cyber professional, we don’t have to have the answers for everything. We need to work together with all the operations team, because sometimes they have solutions that can answer our cyber needs. But we tend to sometimes be in our own corner. We look at the tools and capabilities we have, not understanding there are other solutions out there that can be leveraged to meet those needs.”
The crisis has shown how vital it is for states and localities to have strategic plans in place ahead of time, says Mark Weatherford, a former first deputy undersecretary for cybersecurity in the federal Department of Homeland Security.
“It became very clear that having documented and tested business continuity plans is critical,” says Weatherford. “The worst time to figure out you need to execute a business continuity strategy is during a disaster. A lot of threats that were formerly directed at government and business organizations are now being redirected at those same employees who are working from the kitchen table or the sofa. It doesn't take a big leap of imagination to see how conducting business and accessing systems and critical data from your home computer creates huge gaps in the overall security of an organization.”
The webinar conversation, which also included former Michigan Chief Security Officer Dan Lohrmann, focused as well on solutions that are helping governments meet the demands of the new security environment. Those include things like virtual desktops, enhanced endpoint security measures and stepped-up cybersecurity training programs for employees.
You can learn more about how governments are meeting the challenges of the pandemic at governing.com/crisisresponse.
This content is made possible by our sponsors; it is not written by and does not necessarily reflect the views of e.Republic’s editorial staff.