How to Begin Addressing Cybersecurity Risk

IAFC members, fire chiefs and EMS directors aim to save lives every day. Your jobs are fraught with physical danger, and cybersecurity is probably not at the top of your to-do list. However, it’s important to understand why cybersecurity is essential and how you can take steps to protect the information on your connected machines.

The National Association of State Chief Information Officers (NASCIO) represents CIOs whose primary role is to provide IT services to the executive branch of state government. Because state CIOs provide network or broadband services, cybersecurity is a top priority for NASCIO members and has been for the past four years (see the NASCIO Top Ten Priorities). 

According to the 2016 Deloitte-NASCIO Cybersecurity Study (PDF), state officials, including emergency managers and chiefs of police, are more confident in their states’ ability to address cybersecurity (66%) than are state chief information security officers (27%). This confidence gap signals a need for increased communication about cybersecurity risk and about methods to prevent and mitigate potential harm.

While knowing the number of attacks your organization faces every day may be interesting, it isn’t particularly helpful. You can assume that malicious attempts are being made against government and other types of networks constantly. So let’s focus on the resources available to you to learn more about and begin addressing cybersecurity risk within your organization.

A good place to begin is the National Institute of Science and Technology’s Cybersecurity Framework (PDF), which provides an organized way to think about and categorize the many activities necessary to properly address cybersecurity risk. State CIOs report (PDF) that 94% of state governments have adopted the framework; it’s a great resource that many use to organize their security architecture.

For those of you who’d like a simpler list, the Center for Internet Security (CIS) maintains and publishes the 20 Critical Controls, a list of 20 practices that organizations can implement to defend against cyberattacks. CIS’s 20 Critical Controls have been recommended by the National Governors Association, and CIS reports that organizations that implement 5 of the 20 controls can reduce their risk of a cyberattack by 84%; those that employ all 20 can reduce the risk by 94%.

Many IAFC members probably practice emergency-response plans in preparation to respond to potential natural and manufactured disasters. Cyber threats, while not as tangible as a natural disaster, are still a risk that could have severe physical consequences. As such, NASCIO recommends and provides guidance on how state governments and other organizations can develop cyber-disruption response plans that anticipate a large-scale impact from a cyber threat.

Everything mentioned so far speaks to resources for organizations. Information, advice and tips for individuals and families on staying safe online can be found at StaySafeOnline.org, which is hosted by the National Cyber Security Alliance. Some of the same lessons to protect yourself and your family can and should be applied in the workspace.

In closing, remember that cybersecurity is not just a job for IT personnel. It’s a team sport and everyone plays a role in securing information and systems. NASCIO has a wealth of information on cybersecurity, including webinars and publications that are all available online without cost. Please take a look at our resources and let us know if we can help.
