In spring 2022, the National Association of Counties (NACo) partnered with SecurityScorecard, a cybersecurity ratings company, to help county governments monitor and improve cybersecurity risk. Such assessments were not really necessary as recently as 15 years ago, said Rita Reynolds, NACo’s CIO, but the landscape is totally different today. From the types of attacks that take place, constantly increasing vulnerabilities, and growing automation and digitization, it’s crucial that governments monitor their security.
Challenge
Assessments may be necessary, but they’re not easy. For one, they can be pricey. A midsize organization can expect to pay $15,000 to $40,000, but the level of expertise makes it worthwhile, Reynolds said. They know to look for things that are common across the board, which gives them a starting place, and they dig down from there.
“You of course can do an internal assessment, but it’s always better to have an external assessment done to ask all those questions to check your systems,” Reynolds said. “We have got myriad different systems with different configurations. [You want to know:] Is everything set, right? Do you have permission set correctly? Are you exposed because there’s known vulnerabilities in the software that you’re using and you haven’t applied a patch? All of that comes out from an assessment of your internal system.”
Another downside of county agencies handling assessments themselves is that they can be another drag on what’s already faltering staff resources in many places.
Reynolds didn’t have a percentage of how many of the country’s 3,000-plus counties conduct cybersecurity assessments, but she said many do, at least at some point. “It’s not every year. Some counties can’t budget for the $30,000 or $40,000 or $50,000 for the assessment or the penetration test, so they might do it every other year,” she said.
But many cyber insurance companies now require these assessments before they’ll provide coverage, which government organizations increasingly need. Premiums have doubled and even quadrupled for some counties, and requirement questionnaires demand details on what cybersecurity agencies have in place. Assessments can answer those questions.
Solution
The pilot that NACo organized with SecurityScorecard came about largely because of today’s cyber insurance market. It assesses only agencies’ external, or public-facing, domain, so it looks to answer questions such as:
- Is your website secure?
- Where and how do you provide data?
- Does your platform have vulnerabilities in need of patches?
To use it, users create an account, log in, enter their county’s URL and receive letter grades of A through F based on continuous monitoring of 10 groups of risk factors, including DNS health, patching cadence, and application and endpoint security. Through a dashboard, counties can drill down to see why they earned the grade they did — and begin work to bring it up.
“It could be a type of patch that needs to be applied, and I just didn’t know it, but as soon as I do that, then the finding goes away,” Reynolds said. “I can set an alert that says, ‘Every time my score goes down, send me an email,’ because I want to know if my score drops.”
The two-month spring pilot was open to the 900 county IT leaders who are part of NACo’s County Tech Xchange, an online portal that provides technology infrastructure resources. Thirty-eight counties actively participated in the test, many of which have continued to use the scorecard, although some counties use the platform but were not part of the pilot, she said.
Outcome
“We saw an improvement in the overall scores,” Reynolds said. “We actually had a number of counties that were in the D range and the C range [and] that number went down. And those in the B range, the score went up. The score of A actually went down a little bit, but that’s going to happen; you’re going to go back and forth between A and B.
“That’s the other thing that the pilot showed, it’s not a once and done process,” she continued. “This is a continual, evaluative process.”
What do the improvements translate to? Eight pilot participants who increased from D to C reduced their risk of cyber breach by 140%, she said.
This article appears in our guide “Bright Ideas for Making Cyber Stick.” To see more about how agencies are implementing cybersecurity, download the guide.
Leave a Reply
You must be logged in to post a comment.