During a recent meeting of the Woodstock City Council, the council members heard from representatives of the Logicalis company, which had been hired by the city to conduct a cybersecurity study.
Drew Frazier with Logicalis said the security risk evaluation Woodstock had the company complete is the first step in the city being able to build a strong security program moving forward.
The council then heard from Bill Lisse and Paul Donfried, who went into greater detail about what the recently completed study and evaluation had found. Lisse said that, in the past, the city had experienced two minor cybersecurity incidents, but both of these were contained and managed well by the city’s IT department. While there have been significant improvements in the city’s cybersecurity through the implementation of various mitigation actions, Lisse said Woodstock is in need of city-wide security governance processes. During the evaluation, he said there were 16 different risk scenarios that were studied to understand the likelihood of each one happening, the impacts they would have and the status of controls put into place to prevent an incident or, should one occur, lessen its impact.
“The No. 1 risk that any organization, whether it’s government or commercial or not-for-profit, is that people are human and they make mistakes. So, in many cases, in fact, some of the statistics are 90 percent or better of breaches where private data is exposed occur because of errors that people make or accidentally expose sensitive data,” Lisse said. “On the opposite side, the malicious threats really come from, as I talked about, cybercriminals attempting to steal money, so ransomware, perpetuating a fraud, stealing credit card information and then using it. That is probably the most sophisticated of groups.”
When looking at Woodstock’s staffing and budget for cybersecurity, the company found that, compared with averages both for other cities and across the board, including companies and other entities, Woodstock is spending less than others, both as a percent of total IT spending and per employee. At the same time, it was argued that one key reason for this was that Woodstock is a high-growth city, incorporating a lot of new technology in a number of city departments.
“It’s not uncommon that we see that gap,” Donfried said.
The company created a prioritized list Woodstock could follow to move toward an optimal cybersecurity setting. The items on this list, Lisse said, could be broken down into four categories: quick hits, focused improvements, involved efforts and strategic initiatives. He also said one of the next steps the city should take involved key initial investments, such as creating a cybersecurity governance committee to coordinate policies throughout city departments; developing a cybersecurity incident response plan to be better prepared for events and reduce their impacts; and investing in reasonable cybersecurity controls based on the risks identified through the study.
“Overall, we found that everybody in the city of Woodstock was very engaging, recognized where there were opportunities, participated fully and shared information with the purpose of looking to get better. I really enjoyed the opportunity to support the city and hope that you can use this information to better prepare the city and the staff and the citizens for dealing with some of the challenges ahead,” Lisse said.