Canadian municipalities and school boards facing financial constraints can still do much, in addition to repairing their infrastructure, to boost their cyber security, the techno west panel on cyber security in the public sector was told this month.
“As the first line of defense it is really important that our employees are aware of cyber security risks,” said Brad Labrange, Chief Security Officer (CSO) of the City of Calgary. “The more awareness we can raise going forward, the better we can respond to threats.”
The training is worth it, he said, noting that click rates on phishing tests drop when the municipality runs its annual cyber security awareness program.
Darin Young, Chief Information Officer (CIO) of Delta City, BC, said that the municipality adopts a balanced approach, educating employees about the cyber landscape and the risks that come with it. Not only does the city have an annual mandatory training program, it also runs phishing tests throughout the year. Those who “fail” an exam are required to take remedial training courses. “The click-through rate has come down significantly over the years,” he said.
Another relatively inexpensive security booster was described by Trevor Butler, general manager of information services and digital transformation in downtown Lethbridge, Alta.: having a disaster recovery plan.
Cyber security awareness is also key to getting municipal councils or school boards to increase security funding, the panelists agreed.
“We make sure our councils and business units understand their own risks,” Labrange said. “And what is there to mitigate it. Ultimately it allows business unit owners to make risk decisions on their own. Having them as a collaborative partner is important.
“It’s a collaborative relationship with your business partners,” he said. “As they make decisions on how and where to spend their allocated budget, they obviously have a role to play in understanding their risks. If we are good partners, we can go a long way in helping them understand that. It would be good to explain what the risk is, and allow them to decide. I don’t think we present risk as all-or-nothing. We often present them with different levels of risk and different levels of mitigation, and then allow business owners to decide based on their budget.”
“When you have limited resources, the first thing you want to do is figure out where the greatest risks are and apply those resources where it makes sense,” Young said.
Asked by panel moderator Richard Freeman, a Portfolio Manager at Enterprise Workflow Solutions rico canada, how to empower employees to make smart security decisions, Butler cautioned against taking a punitive attitude toward those who make mistakes. “That’s not world empowerment,” he said.
“Naming and shaming” is not part of education, Labenz agreed. Calgary has been hit twice by major cyber incidents – one was ransomware – and both times the employees who made the mistake reported their errors to the IT service desk. They would not have done so if they thought they would be “ostracized” for starting the incident, he said.
Peter Holowka, Director of Education Technology at West Point Gray Academy, a Vancouver private school, noted that cyber security awareness of staff at the institution has increased since the pandemic. “You can expect a level of sophistication [now],” Holowka said.
Finally, when asked about cyber insurance, several panelists said that their municipality had it. But with premiums and deductibles rising and coverage decreasing, many people are looking to “self-insure” — meaning taking the money being spent on insurance and funneling it into IT.