Session Prepares State Leaders for Next Cybersecurity Breach

State leaders must evaluate risks and invest in protecting state government against cyberattacks. That’s according to experts who discussed cybersecurity at the 2015 CSG National Conference in Nashville, Tenn., in an attempt to prepare state leaders for the inevitable.

During the Cybersecurity and Cyber Breach Notification session on Dec. 12, sponsored by the CSG Intergovernmental Affairs Committee, Doug Robinson, executive director of the National Association of State Chief Information Officers, or NASCIO, talked about the current landscape of cybersecurity.

“This is certainly a compelling issue of the day,” he said.

Vinay Dattu, director of Legislative Information Systems for the Tennessee Legislature, posed a few questions to session attendees: What is the most important piece of data during or after a cyberattack? Why is that data important?

He also asked, “If you don’t have that data, how would that impact you? Say you lost it all.” Dattu said the third question is one that isn’t asked often enough in state government.

State governments are attractive targets for hackers because they have a lot of data—Robinson called data the “lifeblood of state government”—including tax information and health records. Robinson said the threat exists 24 hours a day, seven days a week and states need to step up their game to guard information.

However, the issue has become more complex for a number of reasons, including the increasing amount of state government work done remotely and the amount of data on mobile devices. State governments also lack the talent to deal with cybersecurity; Robinson discussed high salaries, internships and other tools that can make state government more attractive to the professionals who can help.

“This is a business risk to the states as opposed to something that should only be talked about within the confines of technology,” he said.

A 2014 NASCIO report showed that 44 percent of data breaches were the result of malicious or criminal attacks, 25 percent were due to system glitches and 31 percent were due to human error.

There are steps state governments can take to prevent these breaches. Security, even password management, shouldn’t be left to individual agencies, Robinson said. Information systems should be tested for vulnerability, he said. Also, security is the job of everyone, not just the chief information officer.

“This is one of those things that takes a village,” Robinson said.

Dattu said state leaders should ask themselves whether they are willing to be embarrassed or lose the trust of the public, and they should protect the data that would cause the most harm.

“You can’t treat everything the same,” he said.

Robinson told attendees to focus on high-value targets. “You should know your risks and those risks should be graded,” he said.