City Voices: Cities Identify Their Most Urgent Cybersecurity Threats
City leaders share what they consider to be the biggest risks in cybersecurity now, and propose solutions to address them
This article is part of the Cybersecurity for Smart Cities series developed from the recent Smart Cities CIO Summit, convened by the Technology and Entrepreneurship Center at Harvard, and in partnership with City Possible.
Experts were invited to share what they considered to be the biggest risk in cybersecurity right now, as well as recommend solutions for them.
Marcelo Peredo, Chief Information Security Officer of the City of San Jose, said that more than ransomware, he sees a real problem with business email compromise.
“[Hackers] get a hold of an account and they wait for the right moment to make the right interaction to intercept the payment of an invoice or the exchange of sensitive information. And that’s when the payoff takes place,” said Peredo. “We experienced one that, lucky for us, was not that of a significant amount. But in resolving that situation, I learned that it’s actually paying a lot more than ransomware to the bad guys.”
Chris Seidt, Director of Information for the Louisville Metro Government in Kentucky, said that vulnerabilities exist, first and foremost, with the user. Seidt echoed Peredo’s sentiment regarding business email compromise, stating that several of Louisville Metro’s partners will receive an email from a legitimate source, but the request is out of the ordinary.
“A nonprofit organization might ask to have a meeting with you… or ask for a financial commitment,” said Seidt. “They’re not going to ask you to go out and buy them a prepaid cell phone. I think there’s still an opportunity to train people beyond ’this is a phishing email.’”
Celeste O’Dea, Oracle’s Business Development Director of PS Technology for Federal and Canada Applications, noted that data security is the biggest exposure threat for cities.
“Data analytics are becoming even more critically important in everything,” said O’Dea. “[With all] the data that’s being generated by IoT sensors, open Wi-Fi access, and migration to the cloud, [probably your biggest threat] is the ability to breach through those various mediums and get to the data that is critical to your operations.“
Simon Hunt, EVP of Cybersecurity Protocols at Mastercard, agreed that users are the first line of defense against attacks.
“Our users and community are not part of the fight with us,” said Hunt. “How many of you use the same password on more than one website? The problem is that we are lazy but the hackers are a little less lazy. Somehow over the 30-year history of cybersecurity, we still haven’t got the basic education in place and we still don’t have the population helping us in this fight against the criminals. The biggest threat is that we continue [to become] more digital and yet our employees are not a part of this endeavor with us.”
Mark Wheeler, Chief Information Officer for the City of Philadelphia, noted that some analysts across the city government, especially in health and human services, do not take the cybersecurity training provided. As a result, these departments will take approved platforms but add data to them that becomes exposed to the public.
“Our HIPAA is mandatory and our cybersecurity is mandatory,” Wheeler stressed, “and I think for analysts, we’re going to have a third component that’s specific for them.”