Skip to main content

Board Meeting Cyber Discussions

Illustration of six people in a business meeting, sitting at a table with laptops and coffee mugs.

January 26, 2021 | CSD Team

These best practices can jumpstart your conversation on cybersecurity.

With Board meetings centered on urgent matters, it’s understandable that problems that are out-of-sight and out-of-mind, such as cyber security, don’t always make the agenda.

Only recently did words like phishing, ransomware, and cloud storage enter our vernacular. Even more recent is the introduction of insurance coverage policies to protect members in the event of a cyberattack. Cybersecurity, however, is still somewhat uncharted territory.

Nevertheless, it is more important than ever to make sure the organizations you represent are prepared and actively discussing preventative tips and contingency plans relating to cybersecurity. This is a critical responsibility for board members as they fulfil their fiduciary obligation because it plays a key role in protecting district assets.

The topic of cybersecurity should be a part of each district’s Board agenda annually to ensure Board members assess their cybersecurity goals and allocate resources accordingly. If you’re not sure where to start, here are a few suggested steps to help get the ball rolling.

What Information Do You Store?

The first thing to consider is the information your organization is storing. What data can be found on your computers, hard drives, and servers? Depending on your entity, this can be internal facing information, or if you provide a service to the public, it can include billing details. When evaluating Personally Identifiable Information (PII), consider the data not only of your employees but also of third-party vendors and the public.

To better assess this first question, it might be helpful to think about it in terms of a worst-case scenario. For example, what would happen if you lost all of your data? From that perspective, you can begin to consider which data you can’t afford to lose and what your organization is currently doing to mitigate these risks.

How Are You Protecting Your Data?

After discussing the information you store, begin to explore the ways you are currently protecting your data to assess how secure it is. CIFA (Council of Infrastructure Financing Authorities) recommends a few different ways to best manage the risk posed by emerging cyber threats, and these best practices can be a great place to start when considering implementing new cybersecurity policies.

Your organization’s data is the most valuable asset to cybercriminals. Remember to maintain offline, encrypted backups of up-to-date data as one of the best defenses against a ransomware attack. Backup procedures — whether you have an internal IT department or contract these services out—should be regularly tested to confirm they are accurate, up to date, and functioning correctly.

A ransomware attack occurs when cybercriminals infect your system with malware that locks your data and computers, preventing you from accessing it until you pay a ransom.

However, even if you pay the ransom, there is no guarantee you will regain full access to your systems and data. If your system becomes infected with malware, these regular backups will be the key to restoring your data, computers, and devices.

How Can You Protect Your District’s Assets?

Ensuring that your data is protected with regular backups is often the tip of the iceberg as far as preparedness is concerned. The next thing to discuss with your organization’s leaders is the creation of a cyber incident response and recovery plan. This task can be associated with team members who work with your district’s communications and would potentially include response and notification procedures in the event of a ransomware attack.

If you represent an organization that provides a service to customers, your response plan should include a procedure for communicating with them through avenues independent of your internal network, in the event you lose access.

In addition, it is important to have emergency contacts handy and saved on a device that is not connected to your organization’s network. When operating under the worst-case scenario, where hackers have infiltrated and locked down your system, you might not be able to access anything.

Finally, making cyberattacks a frequent topic of discussion at safety meetings is also important. It is vital that staff—from management down to the mailroom—understand that special districts are frequent and favorite targets of cybercriminals because they provide critical infrastructure that cannot afford to go offline.

Discuss your best practices with staff, train them on how to respond to phishing threats and ransomware, and clarify the various responsibilities of staff members in the event of a cyberattack. By having these conversations ahead of time, you can quickly get out in front of the attack and spend less time scrambling while your system is down.

What Can Be Done Today?

While many of the tips we’ve discussed apply to long-term solutions, there are a few topics to bring up at your next meeting that can be put in place in the interim to improve cyber security.

It is important to make sure all staff members understand the importance of software updates. These updates and patches, while often frequent and bothersome, are critical to keeping your firewall and software functioning properly.

In addition, it’s a good practice to shut down your computers at the end of each day, disconnecting them from your network entirely. Although this would not prevent hackers from gaining access to your system, it would protect the individual devices from being encrypted if your system is attacked.

Resources to Keep in Your Back Pocket

As some of our members have learned, having access to advice from cyber security experts is key after getting hit with a cyberattack.

As we previously mentioned, eRisk Hub, our free member resource, is the cybercriminal’s worst nightmare. eRisk Hub is powered by industry leader, NetDiligence, and provides access to cyber security experts who can walk you through the steps to take if your systems are compromised.

In addition, eRisk Hub provides breach coaches, cybercriminal negotiators, lawyers that specialize in cyberattacks, and many additional cybersecurity resources for use during an attack or to prepare for one. Visit www.csdpool.org/erisk-hub to sign up today and make use of these services at no charge.

Another resource we recommend is our complimentary SmartNotice service for instant employee notification in times of crisis, a cyber-attack, or for event announcements. By being able to access this application on any phone, you can notify staff and contacts within your organization even though your internal networks are down. This service is also free of charge for members.

Finally, for questions on your current coverage and options, or on next steps to take in the event of a cyberattack, our Member Relations Coordinator Vicki Sullivan is available to answer your questions.

For more information, email us at info@csdpool.org.

News

Industry and membership news tailored to Colorado special districts.