Top 10 Things Cities Need to Address to Improve Cybersecurity
The top 10 items that city leaders identified as areas of improvement in cybersecurity
This article is part of the Cybersecurity for Smart Cities series developed from the recent Smart Cities CIO Summit, convened by the Technology and Entrepreneurship Center at Harvard in partnership with City Possible.
Following the cybersecurity panel, attendees were split into groups of five and asked to pick their list of top ways to improve their own security. All groups submitted their top items and then people voted for their favorites.
Here, in no particular order, were the top 10 items that city leaders identified as areas of improvement in cybersecurity:
- Education: Staff needs to be educated on a regular basis on how to spot threats/phishing, etc.
- Patch: Cities need to patch new software to close known security gaps.
- Don’t use legacy systems: This one seems obvious, but systems that aren’t supported anymore, e.g. Windows XP, are still being used in cities, providing an easy way in.
- Have a strong ‘response plan’: When the city is attacked, ensure everyone is well briefed on exactly what to do. Treat this plan as a fire drill – practice and keep everyone ready to leap into action.
- Have a communications plan: Have a narrative to share with media in advance because you will not have time to construct this when an attack happens.
- Have an IT inventory: Ensure you know everything that is connected to your systems and what software they are running.
- Establish a strategic partnership with a cyberattack agency: Think of this as the fire brigade – when the building is on fire, you know who to call and they can see a list of who is in the building, giving them the tools to strategize.
- Conduct regular risk assessments: Stay ahead of problems.
- Formalize interlocal agreements: Neighboring local authorities and cities can help when attacks happen. Discuss this with them in advance, however, not after attacks happen.
- Privilege Analysis: What ‘access’ or ‘privileges’ should staff or applications have in your systems?