“Your account has been locked.”
“Password check required immediately.”
“Billing information is out of date.”
“Unusual account activity detected.”
These subject lines, often delivered via email or text, may be linked to phishing and cybersecurity attacks. Just as you need to be prepared to protect your personal data and accounts, your employees need to be prepared with knowledge and information to protect your entity.
The cybersecurity landscape is ever-changing, with bad actors developing new and more sophisticated attacks each year. Many of these attacks have caused disruption of public services and systems.
While VRSA understands that cybersecurity is not your organization’s top challenge or concern, it remains a significant exposure that can be mitigated through controls that are in place, updated, and monitored regularly.
By implementing these controls, your organization can decrease the likelihood of service disruptions for your community.
VRSA offers cybersecurity resources and services to help you identify and implement controls that will reduce the likelihood and/or impact of a cybersecurity incident. Below are some recommended security controls:
Minimum Cybersecurity Standards
- Training and Awareness
  - Conduct periodic end-user training and simulated phishing tests for topics such as:
    - General Cyber Security and Awareness Training
    - Phishing Training
    - Social Engineering Training
    - Fraudulent Transaction Training for Accounting Staff
    - Emerging Fraud Trends (e.g. smishing, vishing, and pharming)
- Account Security
  - Implement password complexity
    - Use pass phrases in lieu of substitutions
  - Use Multi-Factor Authentication
    - On all systems for all privileged users
    - On network accounts and email for all users
  - Leverage security options in email such as
    - Flagging emails from outside your organization
    - Quarantining suspicious emails
  - Secure service accounts against compromise
- End-Point Protection
  - Implement an End-Point Protection solution (anti-virus/anti-malware) for all devices
    - Using End-Point Detection & Response is preferred
- Patching
  - Apply critical and high severity patches within 30 days of release
  - Install patches for critical and high severity exploits within 7 days of release
- Backups
  - Establish regular backups which are encrypted, segregated from your primary network, and protected with anti-virus or continuously monitored
  - Test recovery from backup at least once a year
  - Ensure the ability to recover critical systems in 4-8 hours
  - Ensure all systems can be recovered in 24-72 hours
- Planning & Policies
  - Documented and tested plans in place for:
    - Business Continuity
    - Disaster Recovery
    - Incident Response
  - Plan for end-of-life software and operating systems
  - Dedicate funding to security protection and training
- Secure Remote Connection Protocols
  - Use secure VPN connections for remote access
  - Enable network authentication
Training
Through the VRSA Online University, members have access to free, unlimited training with many courses focused on cybersecurity, including Preventing Phishing and Security Awareness.
Members also have access to training through YourCISO, including awareness training, consulting, sample documentation and policies, incident response, and a security health check to help benchmark your organization’s cyber risk.
VRSA’s financial strength allows us to offer comprehensive cybersecurity protections with stable pricing to ease our members’ worries. VRSA’s cyber protections include:
- Privacy liability
- Network liability
- Data breach expenses
- Social engineering
For more information on VRSA’s cyber coverage and resources, contact your member services representative.
Cybersecurity Planning Committee
Through the State and Local Cybersecurity Improvement Act, more than $1 billion in federal grant funding will be distributed to the states, which will then award grant funding to local governments.
The Virginia Information Technology Agency and the Virginia Department of Emergency Management are serving as the State Administrative Agency. Through the Cybersecurity Planning Committee, meetings are being held regularly to develop and approve plans and priorities for distributing this funding.
VRSA is committed to keeping our members informed about the future grant process, and will routinely attend meetings as the committee moves forward. As more information is gathered, VRSA will ensure members are notified of opportunities that may benefit them.