managing cyber and five other technology risks
MANAGING CYBER AND FIVE OTHER TECHNOLOGY RISKS
WHAT MUNICIPAL OFFICIALS AND SENIOR EXECUTIVES NEED TO KNOW
CRITICAL ISSUES FOR THE FISCAL HEALTH OF NEW ENGLAND CITIES AND TOWNS, APRIL 8, 2016
Presented By Marc Pfeiffer, Principal Investigator and Assistant Director, Bloustein Local Government Research Center, Rutgers University
THE TECHNOLOGY MANAGEMENT OPPORTUNITY:
• Integrating new technologies into a government environment that includes:
• Cost/tax/fee pressures
• Citizen expectations
• Political dynamics that work against long-term planning
• “We can defer that purchase for another year, can’t we?”
KEY TECHNOLOGY MANAGEMENT CHALLENGES
• Determining what we need, want, can afford; when and how we get it, how to manage it
• Understanding that “technology” is more than “information technology”: it also includes operational and communications technologies, and they all have risks to manage
• Understanding the risks, and that technology risks go beyond cyber-security to include the other risks that need to be reckoned with
• Knowing that managing technologies and their risks is not a journey with a destination; it is an ongoing and evolving activity
WHAT IS TECHNOLOGICAL RISK?
Categories of Technology Risk
• Cyber-security
• Financial
• Operational
• Legal
• Reputational
• Societal
1. CYBER SECURITY
• Banking incursions – electronic funds transfer
• Data/PII breach/theft
• Network breach/use as a remote host
• Access to networked control systems
• Credit card security
• Cyber extortion – DDOS, Cryptolocker/ransomware
• Website/Social Media Security
TYPES OF THREATS – SO FAR
Targeted Attacks
• Local government agencies are not usually specifically targeted, but you might be targeted by someone disgruntled or if something goes wrong
Mass Attacks
• This stems from successful email phishing and its cousins, and social engineering attacks
Your Humans:
• Clicking on the wrong link/opening the wrong file
Bottom line: bad guys try to manipulate people into divulging personal or business information, or to trick them into schemes to defraud
2. LEGAL RISKS
THE OTHER TECHNOLOGY RISKS
3. Operational: failure of government to operate; services delivery failure from loss of access to IT resources
4. Financial – costs of responses to breaches and operational failure
5. Reputational risks
6. Society driven risks
MANAGING TECHNOLOGY RISKS: THE NEED FOR TECHNOLOGICAL PROFICIENCY
A TECHNOLOGICALLY PROFICIENT ORGANIZATION
…Understands the links between its business processes and its technology
…Understands its technology needs
…Is assured that the technology will work when it needs to, including routine and emergency situations
…Is capable of protecting itself against compromise, including protecting and responding to cyber threats
DEVELOPING TECHNOLOGICAL PROFICIENCY
To the extent one is weaker than the other, they are all weaker.
Proficiency
• Governance
• Planning
• Cyber Hygiene
• Technical Competency
GOVERNANCE
Governing boards cannot ignore technology or delegate key elements
• Reputational and financial risks cannot be delegated
• Governing body and chief executive must be engaged
• Includes technology managers, fiscal staff, public safety, operational representation; can include responsible citizens.
GOVERNANCE
Management needs to set the tone from the top down:
• Understands technology as an enterprise-wide risk management issue
• Create a technology governance process
• Has adequate access to technology expertise
• Develop risk management processes
• Adopts technology policies
• Establish a technology planning process
• Ensure reports to elected officials are meaningful
PLANNING
Determines how you spend technology resources
Key elements of the plan:
• Matches organizational goals to technology goals
• Assessment of technology assets, services, resources (hardware, software, networks, contractors, facilities, people)
• Identify priorities of changes in technology solutions and activities
• Assess and address technology risks
• Define the information security management framework
• Address “make or buy” decisions
• Assign plan execution responsibilities to appropriate staff and tie plan to organization budget
• Use a practical time horizon: No more than 3 years and review annually (or more often)
CYBER HYGIENE
BECAUSE…
The bulk of successful attacks come because an employee clicked on something they shouldn’t have, so…
• Train (and retrain) your humans
• Consider intrusion testing
• Have informed employee policies
TECHNICAL COMPETENCE
Implement the plan with technical competency
• Keep Governance updated on activities
• Apply and enforce policies
• Ensure that all tech employees are trained and contractors are secure
• Keep aware of changing circumstances and technology, and SHARE information with peers
• Be consistent; do not slack off
http://blousteinlocal.rutgers.edu/managing-technology-risk/
TECHNOLOGY PROFICIENCY MATURITY MODEL
• Stage 1: Unaware
• Stage 2: Fragmented
• Stage 3: Top Down/Evolving
• Stage 4: Managed/Pervasive
• Stage 5: Optimized/Networked
MATURITY AND RISK POTENTIAL
[Chart: risk potential (vertical axis) plotted against maturity level (horizontal axis): Unaware, Fragmented, Defined, Managed, Optimized]
TECHNOLOGY PROFILES
BASIC
WHAT SHOULD I DO?
PUT TECHNOLOGY PROFICIENCY ON YOUR ORGANIZATION’S AGENDA
You can’t do this overnight; it will always be a work in progress.
It will likely cost new resources of time, attention, and $$
Remember, proficiency and cybersecurity are an ongoing process and challenge, NOT a destination! And every organization is at a different spot on the map.
So… START
STUDY CONDUCTED BY:
Marc Pfeiffer, Assistant Director
Bloustein Local Government Research Center
Bloustein School of Planning and Public Policy
Rutgers, The State University
33 Livingston Street, New Brunswick 08901
[email protected]
848-932-2830
http://blousteinlocal.rutgers.edu/managing-technology-risk/
Under a grant provided by the:
Municipal Excess Liability Joint Insurance Fund
9 Campus Drive - Suite 16
Parsippany, NJ 07054
(201) 881-7632
With an assist from Dr. Alan Shark, Director of the Center for Technology Leadership at the Rutgers School of Public Affairs and Administration, and Executive Director, Public Technology Institute
All materials © 2015 by Rutgers and the Municipal Excess Liability Joint Insurance Fund