However, the work does not end there. It’s now necessary to work systematically with security to ensure that personal data is protected properly. This applies in particular to municipalities and other public sector parties, where NIS opens up opportunities to utilize the new law and build something positive that increases the citizens' confidence in the authorities through smarter services and more transparency. But this requires that there is a clear plan to make cyber security a guiding principle for the entire organization. Here are some tips on this.
For a long time, cyber security was something that municipalities invested in when there was money left in the budget. Today, however, it’s something that has to encompass all operations. One thing to keep in mind is that the human factor is as important as the technical side in terms of cyber threats.
Research shows that in almost half of all cases where data from municipalities have experienced a data breach, it has been the result of an activity caused by an employee, not a sophisticated attack by a hacker. For example, an email sent to the wrong address, or a document stored on a computer where others can access it.
Therefore, it’s important that all organizations have a clear policy on how data is handled by employees, and which employees should have access to data in different systems. You have to educate people on common mistakes and regularly update them which procedures should be used when it comes to printing materials, making backups of important information and installing security applications on one's mobile phone for example.
Another important step is to introduce role-based rights to systems and databases. Only those employees who really need access to certain information should have the opportunity to do so. In many municipalities, there may be employees who have worked in the organization for 15-20 years in a variety of roles, and over time gained access to a variety of systems they no longer need. The more users who can log in to a database, the greater the risk that someone's username and password is stolen.
The biggest challenge is weak passwords. Even today, many use the same password at work as they do in private accounts in eg. Facebook or private email. Millions of such combinations are targets of attack. The problem of multiple passwords is a familiar one; there are many different passwords to keep track of. Luckily, the solution is simple: a password manager.
Data security also involves having a secure network and good infrastructure. But even if you spend millions on IT security, no system is ever completely protected against hackers and phishing attacks.
The easiest way to get into a system is to find vulnerabilities, and sometimes these may lurk in unexpected places. It is important to constantly keep all software up to date, even when it comes to software seen as unimportant. For example, many municipalities have Wordpress blogs on their websites, but there are countless weaknesses in older versions that a hacker can attack. Updating is the key here; always keep your applications updated.
With more technical solutions, one of the most important things is to provide controls that quickly detect suspicious activity. One way is to use SIEM (Security Incident and Event Management), services that constantly monitor the activities of a system and can alert if it detects suspicious logins, or if it appears that data has been compromised. Such solutions are able to see if eg. a username that usually only logs in to a database once a month suddenly starts downloading personal data for thousands of people at once.
Organizations must analyze which is the most sensitive data they handle; with municipalities, it is usually personal data. Sensitive data needs to be encrypted every time it is sent by email or stored on a USB stick. This way, it is not that dangerous if someone unauthorized gets access.
New security related legislation, such as GDPR, are primarily seen as problems and hindrances. The key to working effectively with them is to see what opportunities they provide for creating better services. For municipalities, they provide a chance to build greater trust among citizens through more transparency. Tieto recently conducted a survey together with Sifo, which showed that many Swedes find it impossible to find out what information the authorities have about them. This is especially important; due to the Transportstyrelsen problem, citizens have less trust that authorities can protect sensitive information.
The key thing is that citizens trust authorities; in the cyberage, this is especially important. This requires that there is a plan in place, with dedicated resources - and that everyone is onboard. It's only when every employee is involved in the process of security that one can really succeed.