Let Us Sniff Out Your Security


Cyber Risk Assessment Program Update

In July 2016, the CSD Pool awarded six districts a free cyber risk assessment through our partner NetDiligence. These assessments can cost up to $6,000 and are used by institutions and corporations large and small throughout the United States to assess their vulnerability to data intrusions and security failures. NetDiligence’s team is world-renowned for their thoroughness, expertise, and professionalism, and we were very excited to bring this skill to bear for our members.

The purpose of these audits was two-fold: to help the participating districts identify any inherent security risks within their systems, and to underscore the importance of cyber security to other CSD Pool members. To this end, we selected districts that vary in size and operation to further emphasize the danger of cyber threats to all special districts. They varied in mission, in scale, and in location. More importantly, some of them outsourced their IT security and operations and some did not, which provided an excellent cross section.

Below follows our interview with the Executive Directors of two participating districts:

District 1 consists of a small staff and the nature of their operations does not include any online sale transactions with their clients.

District 2 is a larger organization and engages in online business with their clients. We hope you find their respective experiences informative, and consider signing up for the same risk assessment. The CSD Pool will be offering the same opportunity for districts in 2017.

CSD Pool: How was the cyber risk assessment process?

District 1: The audit was a major revelation for us in many ways, and the district as a whole has become much more literate in the area of cyber risk and security. Dave Chatfield, our point of contact with NetDiligence, was instrumental in detailing what was needed, what we should be looking out for, and what to do. He was affable, articulate, and helpful, and immediately set us at ease despite our apprehensions going into the audit. I think when people hear the word audit it makes them feel leery. I think it’s important to mention that the process wasn’t punitive at all; it was more like a visit to the doctor’s than an audit.

District 2: The assessment provided a “road map” for our district to follow. Coming into the audit, we knew there were certain areas that required additional cyber security, and NetDiligence not only clarified those key areas, but helped identify others we hadn’t been aware of.

CSD Pool: How confident do you feel about navigating a data breach or cyber security incident?

District 1: One of the most important things we learned from the risk assessment is how to be proactive in our engagement with cyber security. Something as simple as switching the organization’s email server to a more secure platform should be done in advance, not when an occasion calls for it. The audit really helped galvanize our district into making further improvements to our security measures, and it’s an ongoing process. Recently, our Board of Directors approved more funds to be allocated towards our district hiring on a full-time IT staff member to handle internal troubleshooting.

District 2: We already had certain safety protocols in place, and the assessment helped reinforce some of those measures as well as lend us additional considerations moving forward. We’re actually considering signing up for a cyber risk assessment every couple of years to help us stay on track with our “road map” towards improved security.

CSD Pool: Has your district had the chance to visit the eRisk Hub website since your audit? If so, were there any resources that have proven particularly useful?

District 1: I’ve personally reviewed and downloaded the Business Continuity and Disaster Recovery Plan from there. It’s a great resource!

District 2: We’ve used a considerable number of the templates available through the website.

CSD Pool: Would you recommend other districts to participate in a cyber risk assessment?

District 1: Absolutely. Any district could end up a target and no one is 100% safe from cyber threats. Despite this, the audit personally gave us peace of mind and I think it has a lot to do with staying informed. I can’t stress how helpful and affable Dave was throughout the process. He helped de-mystify a number of things for us, and knowing that there are things our district can do and what our available options are has been invaluable.

District 2: Yes. It’s certainly opened our eyes in a number of ways, one of which includes mandatory processes like the self-assessment questionnaire. We definitely agree that cyber risk is a threat to any organization, and even if your district has had the good fortune of never being targeted by hackers before, it’s imperative that you have a formulated plan and process in dealing with a cyber incident.


We will be bringing you broader information regarding these assessments in the future, but the best way to determine what risks apply to your district is to participate in a cyber assessment yourself.

Whether your district consists of four full-time employees and a shared email address for client inquiries, or your district is composed of several departments and actively engages with clients online, an assessment can tell you volumes about where your greatest opportunities for improvement lie. Even if you outsource your information technology department, this is a good way of assessing how that vendor is doing. Most of us would not have any reasonable way to measure the performance of such a vendor unless something had already occurred.

For more information about the cyber risk assessment program for 2017, please email us. No district is too large or small to participate!

Simple IT Security Tips

Here are a few tips to help shore up your district’s information technology. These aren’t nearly as technical or in depth as what you will learn from a cyber assessment, but it’s a good place to start:

  • If your district has a website or social media accounts, we highly recommend having legal counsel periodically review your online content. It’s also important to make sure your district is constantly exercising oversight, whether through a contractor or a dedicated staff member acting as moderator.
  • Make sure that the passwords for your district’s common accounts (such as social media, banks, etc.) are shared among multiple people, not uniform across multiple services, and are stored in a place that senior management can access them when and if necessary.
  • While we are on the subject of passwords, it is common for people to rotate a select number of memorized passwords across their respective terminals, email accounts, and the like. But how strong are those passwords? Password security is easily overlooked, and you’d be surprised how simple a weak password is to crack. You can learn more about how to improve your password security on our website, or in the article we published in our previous issue.
  • Be sure to regularly run and update your antivirus or malware prevention software! If it’s something you tend to forget or ignore, there’s a good chance you can configure your settings to automatically update and run scans off-hours.
  • Never leave laptops or any physical media (diskettes, CDs, SD cards, Zip disks, or thumb drives) containing district information in your car. Data breaches due to theft from vehicles are very common, and very avoidable.
  • Avoid using thumb drives as much as possible. Many corporations have banned their use because they are a perpetual security threat.
  • Keep a listing of your IT contacts handy in case of a sudden outage of a website, internal system, or cloud storage service. This could include the contact information for your in-house IT staff, outside IT vendors, the contact people at your web host, cloud storage customer service, or others integral to your district’s online presence.