This article first ran in Municipal World Magazine’s June 2024 issue.
The dependence on technology by individuals and organizations has reached unprecedented levels – and with it comes the increasing significance of cyber risk.
For a myriad of reasons, municipalities are at particularly high risk from the ever-looming threat of cyber incidents. It is critical for municipal decision-makers to recognize that cyber risk is not just a technical concern, but also a pivotal business risk that demands attention and action.
Municipalities often struggle to meet the basic cybersecurity requirements due to:
- limited budgets
- lack of access to the right level of expertise
- complex infrastructure that includes legacy systems and software
- minimal training
Municipalities have become prime targets for cyberattacks. Several have faced this firsthand and fully understand the consequences of being unprepared. The consequences include the significant cost, resources, and time required to respond and clean up from an attack, and the lingering effects such as the loss of public trust and the inevitable decline in services until all the technological issues have been resolved.
Municipal decision-makers – whether elected officials or those in senior administrative or management roles – should understand three key aspects of cybersecurity and risk so they can effectively manage such risks and guide cybersecurity investments where they will have the greatest impact:
- treating cyber risk as business risk
- appreciating that cyber threats involve more than deliberate cyberattacks
- knowing that privacy compliance does not equate to cybersecurity
Cyber risk is business risk
It is common for the term “cyber” to be associated with the technical authority within a municipality, like the chief information officer (CIO) or IT manager. This is problematic for two reasons. First, it assumes that cyber risk is limited only to specific technologies, yet all systems, devices, and data connected to the Internet are at risk. This means business processes, associated software, and operational technologies that support municipal services are at risk.
Second, although technical controls can help mitigate cyber risks, there are also non-technical controls that are not within the purview of the CIO or technical manager, such as administrative actions, employee selection and training, policy enforcement, organizational planning, procurement of non-technical support and services, insurance acquisition, and others.
Cyber risk transcends the scope of technical authorities and should be considered as an overarching organizational risk that translates directly to operational, financial, legal, reputational, environmental, and other risks.
Rather than separately managing them as “cyber” risks and relegating them to the technical domain, municipal leaders should ensure that they are integrated into organizational risk management and are appropriately identified and effectively managed in conjunction with other risks.
Cyber threats include more than cyberattacks
The predominant discussion on cyber threats revolves around deliberate threat actors (such as hackers and cybercriminals) who intentionally target organizations. Whatever their motivations, these actors are a major concern for municipalities. However, they are not the only threats to cyber resources within a municipality.
The National Institute of Standards and Technology (NIST) defines a threat as an “event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss.” Also included in the term “event or condition” are human errors or unintentional actions such as accidents, as well as natural disasters such as earthquakes, fires and floods that may have an impact on the digital infrastructure.
The risks and the consequent impacts of such events on municipal offices, operations, and constituents must be treated in the same way as those of an intentional cyberattack. Municipal decision-makers must ensure that accidental and natural events are integrated into their threat and risk assessments and the subsequent cybersecurity strategy. They must also verify that such events are considered in contingency plans, including incident response, business continuity, and emergency management plans.
Privacy compliance does not equate to cybersecurity
It makes sense that municipalities are concerned with the privacy of the data they hold, particularly that of constituents and local businesses. An appropriate emphasis is therefore placed on complying with privacy requirements. That said, complying with privacy requirements does not replace the need for cybersecurity.
Compliance with privacy requirements only ensures that personally identifiable information (PII) is protected. If there is a privacy breach, actions should be taken, as defined by your local privacy commission. However, PII is certainly not the only data that needs to be protected.
In most municipal offices, there is a wealth of other data, such as municipal plans, financial statements, procurement documents, election details, and legal confidences, that should be protected. Its loss, manipulation, or disclosure to unauthorized parties may cause equal or more grievous impacts, so it may require similar or greater protection than PII.
Suffice it to say that protections applied to privacy data will often do nothing to protect these critical systems and software. Municipal decision-makers must comply with local privacy legislation and protect PII. Still, they must also have a prioritized asset inventory at their disposal that (at minimum) identifies all critical systems, software, and data – including PII – so they understand what they are responsible for protecting and where additional cybersecurity investments may be required.
Integrating cybersecurity into municipal risk management
Cybersecurity is a whole-of-organization activity aimed at protecting municipal digital infrastructure from threats – in whatever form they occur. Therefore, cybersecurity must be elevated from the technical to an organizational function. It is not sufficient to solely rely on technical controls to mitigate cyber risk.
Non-technical controls such as administrative actions, employee training, policy enforcement, and procurement of non-technical services are equally indispensable elements in the effective management of cyber risk. While we must be compliant with regulatory requirements such as privacy, this does not necessarily address all of the cyber risks within the organization.
Decision-makers need to understand cyberthreats and their far-reaching and potentially damaging effects not only on technology, but also on operational, financial, legal, reputational, and environmental municipal interests.
Randy Purse CD, PhD, CSTD, is Senior Advisor, Cybersecurity Training and Education at Rogers Cybersecure Catalyst, Toronto Metropolitan University.
Dan Mathieson is Special Advisor, Cybersecurity and Municipal Engagement in the Office of the President at Toronto Metropolitan University, and the former mayor of Stratford, Ont.