Opinion: Jasper County Allocates funds for Cyber Assessment — Proceed with Caution
County invests in Cybersecurity (Jasper Sun Times):
According to a recent article in the Jasper Sun Times, Jasper County has recently allocated funds in the amount of $40,000 to hire a company to perform a network threat and vulnerability assessment. On the one hand, it is good to see that a local government is paying attention to issues of cybersecurity and is taking steps to gain situational awareness. However, starting out by throwing money at the problem is not the most prudent nor efficient course of action. While I won’t downplay the effectiveness of network threat assessment and vulnerability efforts; those are but one piece in a much larger and more comprehensive approach to cybersecurity. The full text of the article is here.
This is the problem when the media picks up on buzzwords like threats, assessments, hackathons, vulnerabilities and now on an almost daily basis — cybersecurity. This is once again an opportunity for the government to both develop and lend some expertise. If you look at the impacts on individuals affected by a cybersecurity breach and specifically the exfiltration or exploitation of personally identifiable data (“PII”) then it isn’t much of a stretch to see that this goes directly to the state police power (public health safety, welfare, and morals). Consequently, and minimally, States need to be doing their part to ensure minimum levels of cybersecurity hygiene across entities operating within their states and so too, the Federal government should be tackling this issue and providing education and guidance to the public as well as private sectors.
Neither municipalities nor small businesses should be saddled with the burden of having to understand and tackle complex cybersecurity issues. Certainly, applying time and resources to single-point aspects of the problem are not going to provide a good return on investment and one could almost analogize the hiring of a network assessment company to hiring a security guard to surveil a warehouse while failing to require access control for employees/contractors or even implementing background checks. This seems to be part of an ingrained mentality amongst many that “doing something” is somehow better than “doing nothing.” This simply isn’t always the case. The $40,000 that this county is going to spend on having a network threat assessment performed could be used to actually review the IT systems, controls, processes, and procedures and to understand exactly what PII is stored and where and what access controls are in place. The point being that one has to develop a baseline understanding of what assets they need to protect before they can begin to develop the requisite situational awareness necessary to do so.
I hope that other municipalities or small businesses facing similar issues will begin by understanding the cybersecurity issues they may face and then determining which areas require further investigation and exploration. As someone preparing to enter the cybersecurity law and policy field I certainly don’t wish to preclude any future contracts. However, I would like people to spend their money wisely and ensure that they are applying resources to the entire cybersecurity issue and not merely one small facet.