Cyber Security and Municipalities: Balancing Risk and Budget


Weak or nonexistent cybersecurity programs represent a massive organizational risk for municipal government agencies across North America, including Canada. Municipal leaders are often unaware of these risks because they assume that security is already addressed, or they believe that the threat is minimized because they are a public sector organization.

In 2018, reports surfaced from three Ontario municipalities, one in BC and one in Quebec. All involved ransomware, and all adversely impacted the municipalities' operations, the privacy of their records and their constituents. Each also had a financial impact, as each municipality had to work to eradicate the malware, recover data or pay ransoms.

While ransomware attacks are often indiscriminate and are about disruption, other attacks that also hinge on weak security measures and experience are imminent. Data held by the public sector is valuable, and its theft should not be overlooked. Land deeds, mortgage information, birth and death records, SIN numbers and more all constitute Personally Identifiable Information (PII), and all can be worth valuable dollars to those who can use them for further criminal activity.

Municipalities need to look at various areas to shore up cyber security for their offices and staff and help reduce the risk associated with these threats. Actions can include, but are not limited to:

  • Developing a cyber security strategy to combat threats and understand security posture

  • Implementing technology and security tools to handle threats as they emerge

  • Awareness training for staff to help them recognize when threats like phishing emails are present

  • Developing an information security policy for all staff to follow

Cyber threats are a multi-billion dollar industry for cyber criminals. Municipalities are not immune to the threats that are present every day. Each municipal leadership team should look at its own areas and determine what steps need to be taken. In the end, it is not IF a cyber attack will affect them but rather WHEN, and HOW impactful it will be.

