Data security for municipalities
In celebration of Cyber Security Awareness Month, the Municipal Property Assessment Corporation (MPAC) is proud to share its top 10 tips for keeping data and systems safe.
As Ontario’s property assessment agency, MPAC maintains a comprehensive database of information for more than five million properties in Ontario. This amounts to more than 125 TB of data – across 27 office locations and more than 5,000 physical and virtual devices – that we safeguard with a small data security team.
Every organization’s data security experience is unique, but as threats continue to become more sophisticated and challenging, we can learn from each other by sharing advice and best practices.
In 2019, MPAC achieved our ISO 27001 certification, an internationally recognized standard that speaks to our commitment to the highest standards of information security practices. Achieving the certification demonstrates that we have put in place the systems, policies and procedures that help us protect property assessment data and increase our resilience against cyber-attacks; it is also reducing costs associated with information security and reinforcing a “security first” company culture.
To help the municipal sector advance its security practices, we’ve compiled a list of our top 10 ways to improve data security, which we are sharing at the MISA Ontario 2020 InfoSec Virtual Conference & Trade Show Conference for Ontario municipalities. Here are the highlights:
1. Passwords and passphrases
- Many passwords are still based on old industry standards of 5-8 characters. MPAC has recently increased our minimum password length to 15 characters. Modern cracking tools can recover shorter or simpler passwords in seconds or minutes, so longer, more complex passphrases are safer.
- Make a point of keeping professional email addresses and passwords separate from personal accounts, and don’t share passwords.
2. Multi-factor authentication
- Multi-factor authentication, or two-factor authentication, is a critical security measure, and free solutions are available. A factor can be:
- Something you know (e.g. a password)
- Something you have (e.g. a trusted device that is not easily duplicated, like a phone)
- Something you are (e.g. a biometric, like a fingerprint)
- Multi-factor authentication helps protect accounts even after an employee’s credentials have already been lost or stolen.
3. End user security awareness training
- Your employees, as users, have the potential to be the weakest link in your cyber security chain. It’s important to educate them about cyber security risks in both their work and home environments.
- Awareness training should include topics such as: malware, phishing, social engineering, mobile devices, social media, online safety, passwords and authentication, and portable storage devices.
- There are many free training resources on the internet and YouTube is a great place to start.
4. External email identifier
- Email continues to be a popular method to deliver malicious content, and organizations are increasingly being targeted with malicious attachments like Excel, Word or PDF files containing malware or links to malware.
- Email banners can be a useful tool to help your employees identify when an email may be spoofed, meaning it is coming from an outside source pretending to be a municipal employee.
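One way to put tip 4 into practice in Exchange Online, as an added example that is not MPAC’s own configuration: a transport rule that tags every message entering the tenant from outside, so a sender who merely looks like a municipal employee still gets the banner. It assumes the ExchangeOnlineManagement module and an account permitted to manage rules; the rule name and banner wording are placeholders.

```powershell
# Added example, not MPAC's configuration. Assumes the ExchangeOnlineManagement
# module is installed; rule name and banner text are our placeholders.
Connect-ExchangeOnline

$banner = '<div style="border:2px solid #c00000;padding:6px;font-family:sans-serif;">' +
          '<b>EXTERNAL EMAIL:</b> this message came from outside the organization. ' +
          'Do not open attachments or follow links unless you expected them.</div>'

$rule = @{
    Name                              = 'Tag external senders'
    FromScope                         = 'NotInOrganization' # sender is outside the tenant
    SentToScope                       = 'InOrganization'    # delivered to our own mailboxes
    PrependSubject                    = '[EXTERNAL] '       # visible even in plain-text clients
    ApplyHtmlDisclaimerLocation       = 'Prepend'           # banner at the top of the body
    ApplyHtmlDisclaimerText           = $banner
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'              # wrap the original if it cannot be edited
    Comments                          = 'Tip 4: external email identifier'
}
New-TransportRule @rule

# Confirm the rule exists, is enabled, and where it sits in the rule order
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Priority, FromScope, SentToScope

# Tenants with the newer Outlook clients can also switch on the built-in
# "External" sender tag, which complements the banner rather than replacing it
Set-ExternalInOutlook -Enabled $true
```

The rule fires on the transport path only, so mail between two internal mailboxes is never tagged; review the rule order if other rules already modify subjects or bodies.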
5. Onboarding and offboarding processes
- Proper processes, and following them, are key. Organizations must manage inactive or expired user accounts, because each one is an unmonitored avenue that can lead to unwanted access to your IT environment.
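The offboarding side of tip 5 can be backed by a periodic review of dormant accounts. This added example (not MPAC’s script) lists Active Directory users that have not logged on for 90 days and stages them for disabling; it assumes the RSAT ActiveDirectory module on a domain-joined admin host, and the 90-day threshold, the OU and the output path are placeholders.

```powershell
# Added example, not MPAC's script. Assumes RSAT ActiveDirectory module;
# threshold, OU and CSV path are placeholders to adjust for your domain.
Import-Module ActiveDirectory

$threshold  = New-TimeSpan -Days 90
$searchBase = 'OU=Staff,DC=example,DC=local'   # placeholder OU

# Search-ADAccount evaluates lastLogonTimestamp, which replicates lazily
# (up to ~14 days stale), so treat this as a review list, not an exact log.
$stale = Search-ADAccount -AccountInactive -TimeSpan $threshold -UsersOnly -SearchBase $searchBase |
    Where-Object { $_.Enabled } |                                  # already-disabled accounts are fine
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, Description } |
    Where-Object { $_.whenCreated -lt (Get-Date).Subtract($threshold) }  # skip accounts newer than the threshold

# Report for HR / line managers to confirm the person has actually left
$stale |
    Select-Object SamAccountName, Name, LastLogonDate, whenCreated, Description |
    Sort-Object LastLogonDate |
    Export-Csv -Path .\inactive-accounts.csv -NoTypeInformation

# Dry run: shows what would be disabled. Remove -WhatIf only after the list is reviewed.
$stale | Disable-ADAccount -WhatIf
```

Disabling rather than deleting keeps the account's group memberships and SID available for the audit trail and makes an accidental disable trivial to reverse.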
6. Patching
- If you can only do one thing to increase your security posture, patch your systems regularly. Microsoft releases important patches every month, and don’t forget to patch other solutions, such as MS Office, Adobe, Java or internet browsers like Chrome or Firefox. When possible, the use of auto updates is ideal.
7. Open source security tools
- There are many great open source security tools to help you protect your IT environment. All you need to do is Google “free security tools” to find them. Some examples to get you started are:
- Kali Linux – a prepackaged operating system with numerous security tools preinstalled.
- Ssllabs.com and securityheaders.com – online services that can be used to verify some of the security settings on your public-facing websites.
8. Phishing
- A ‘phish’ is an email purporting to be from a reputable company that encourages people to reveal personal or financial information.
- Part of our ongoing employee training is an email phishing campaign designed to educate users in identifying and reporting suspicious email activity. We test employees’ reaction to emails designed to emulate a phish.
9. USB storage devices
- USB storage devices have the potential to be used as an attack vector and can deliver malicious content into your network. As a best practice, only allow and use USB devices that are scanned and verified regularly. Better yet, you can reduce your risk further if you block the use of USB storage devices within your organization.
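For tip 9, this added example (not MPAC’s script) first inventories the USB disks a Windows host has ever loaded a driver for, then, only when run with an -Enforce switch of our own, disables the USBSTOR driver service so no USB disk can mount. It assumes local administrator rights; for a whole fleet the same registry value is normally pushed through Group Policy rather than per host.

```powershell
# Added example, not MPAC's script. Assumes local admin rights; -Enforce is ours.
param([switch]$Enforce)

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# 1. Which USB disks has this machine ever seen? PnP keeps entries for
#    devices that are no longer plugged in, which helps audit past use.
Get-PnpDevice -Class DiskDrive |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    Select-Object Status, FriendlyName, InstanceId |
    Format-Table -AutoSize

# 2. Current driver state: 3 = load on demand (USB disks work), 4 = disabled
$start = (Get-ItemProperty -Path $usbstor -Name Start).Start
$state = if ($start -eq 4) { 'blocked' } else { 'allowed' }
Write-Output "USBSTOR Start value is $start (USB mass storage $state)"

# 3. Block only when explicitly asked; the driver stays installed, so the
#    change is reversible by setting Start back to 3.
if ($Enforce -and $start -ne 4) {
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    Write-Output 'USB mass storage blocked; disks already mounted remain until removed.'
}
```

Disabling USBSTOR covers mass-storage class devices only; phones in MTP mode and other USB classes need separate device-installation restrictions, and the change does not affect devices that are already mounted.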
10. Security information threat feeds
- Information is key! Many free sources of security related information are available to keep you abreast of emerging security risks. Some examples include:
- Verizon data breach report
- News groups, and vendor or RSS feeds