Cybersecurity—Make Sure Your Town is Prepared

NJMMA Spring 2019 Conference -- Cybersecurity

Cybersecurity was not always a part of the job description for information technology (IT) professionals, but now it is one of the most vital part of their operation. With the rise of cyber-attacks around the globe, a recent session at the spring conference spoke to the importance of having a cybersecurity plan for each municipality’s technology. Speakers for the session were Jean-guy R. Lauture, the Information Technology Manager for the Township of Bloomfield, NJ and Steve Newsome, the Director of Information Technology in Egg Harbor Township, NJ.

Recently, the Township of Bloomfield was the target of a cybersecurity attack and the town’s contingency plan was put to the test. Lauture and Newsome stressed the importance of being prepared for a cybersecurity attack. Each municipality should have a plan of action for addressing an attempted or successful attack. For Bloomfield, regular tests are performed on their security systems.

“If you are prepared for the attack,” said Lauture, “then your systems will not be down long despite any attempted at infiltration.”

So how do you start to make your own plan? “There are many templates online, including one from the FBI itself, for creating a cybersecurity plan for your organization,” said Newsome. “While these checklists are not intended to be a blanket cybersecurity plan, they can be a good starting point for you to begin with and go through with your team.”

A large part of a cybersecurity plan is creating obstacles to an attack, and making the systems harder to target. Ninety percent of attacks come from emails, and common sense, and a simple task that can limit your infrastructure’s exposure, is blocking emails from foreign countries. As municipalities, there shouldn’t be any need for employees to be interacting with those emails.

“Ultimately though, the greatest asset to your organization is training your end user to recognize problem points, as it is impossible to protect against everything,” continued Newsome. “If your employees are trained well enough to stop fraudulent or problematic emails or websites, then the majority of attacks can be thwarted before they become a problem.” 

Lauture provided an important reminder not to reprimand those who may initiate breaches. Rather, managers and the administration should educate them about the issue, so they will not shy away from reporting future issues. “You do not want an end user to be too embarrassed or ashamed to report a future problem or security breach to your system,” he said.

What do you do if you’ve been infiltrated? First and foremost, isolate the issue and take down the devices or drives that have been compromised until you know what is going on. If your organization is properly prepared, then each person involved should know exactly what to do when a breach has been identified. Trust between the leadership and the administration and the IT team is important for the operation to work properly. There cannot be room for hesitation or argument while in the middle of a crisis scenario, and everyone must be on the same page.

“If you have an IT department, use them. If you have an IT professional, keep them,” Newsome said. “If you just need to appoint someone to this effort, allow them space for training and mentorship.”