NACo - Current Cyber Issues for County Executives
Honored to be a panelist on a special Cybersecurity and cyber insurance webinar hosted by the National Association of Counties (NACo) - (Naco.org) the only national organization that represents America's 3,069 county governments in the United States.
My fellow panelists Tom Finan and Michelle Lawson of Willis Towers Watson and I discussed with executive leaders of counties across the US the growing threats to US counties from various threat actors around the world, especially in light of COVID-19. We also had interactive polls on the call and Q&A around how the importance of cyber-security insurance has grown in recent years, what to look for when acquiring cyber insurance, and what IT best practices should be in place in order to avoid common pitfalls and also benefit the most from cyber insurance.
Some great insights shared by Tom and the panel included:
- Over 2/3 of ransomware attacks were directed at local governments and public sector organizations and that is expected to continue and increase.
- Organizations are paying the first encryption ransom and the adversary provides the keys to decrypt the files, but then the adversary uses the data they EXFILTRATED during that same attack and later comes back for a SECOND extortion ransom to not publish that data.
I specifically covered the things county executives can do today:
- BACKUP, BACKUP, BACKUP - and have a copy of the backup FAR AWAY from online access, assuming that the adversary will compromise the very system administrator account your team uses to back things up and will delete the backups FIRST if the bad guys get in.
- Train staff on common phishing attacks and defenses, and tell them that in times of crisis the adversaries rely on our fear and distractions to strike MORE OFTEN.
- Improve email filtering and endpoints to not allow malicious code to get a foothold when users accidentally DO click on a bad link or file (because they will once in a while, no matter how smart or well trained; we are all human).
- Have a response plan for incidents and especially Ransomware - AND PRINT OUT the ransomware playbook so it is available when all of your systems are encrypted.
- Have a zero-dollar incident response contract in place with my team at Aon Cyber Solutions / Stroz Friedberg or other reputable, insurance-company-authorized providers who are on the appropriate insurance panels to help your county or organization quickly in an emergency.
Thank you to the leadership of NACo, those government executives on the call that are serving and protecting our families every day, and to the CyberSecurity Collaborative for this opportunity.
Please reach out to me if you have other questions from the webinar or if my team can help.
Bryan Hurd
Aon Cyber Solutions / Stroz Friedberg
Senior Vice President | Threat Intelligence | Information Sharing & Terrorism Risk Assessment | Former DHS Senior Strategist | Former U.S. H.R. Subcommittee Director | Former FBI Assistant General Counsel
Bryan, Really great conversation, and your point about how counties should prioritize several key -- and free -- cyber hygiene steps really resonated. Doing backups "the right way" now (i.e., traditional AND air gap backups) won't cost them anything. Failing to do so, however, could cost them everything. I also completely concur with your and Michelle's points about the human element. Fully 63% of cyber incidents are caused directly by employees. Training on how to avoid phishing scams and exercising cyber incident response plans are critical for "bending the curve" toward greater cyber resilience.