The officials were worried about their security posture, their ability to respond to threats, and gaps in the way they handled regulated data such as CJIS, PCI, and HIPAA data.
The city contacted CI Security’s professional services team to assess its security baseline across all departments and functions. CI Security’s consultants investigated and went beyond the scope of work to verify key findings; for example, by conducting a network packet capture analysis, CI Security was able to validate the effectiveness of security controls on the network. CI Security identified gaps in how the city was handling both HIPAA and PCI data that threatened their compliance posture.
After the investigation and analysis, CI Security made dozens of recommendations. The city quickly fixed the vulnerabilities and addressed their HIPAA and PCI compliance gaps.
Another key finding was that the city was not satisfying an annual requirement to do security awareness training with employees.
The city jumped at the chance to have CI Security develop a Security Awareness Training (SAT) program, deliver content customized to address the different security threats faced by employees working in vastly different environments, and record the sessions to form the foundation of training for future hires. CI Security developed three trainings: (1) for the executives and city council, (2) for people working on smart city projects, and (3) for all city workers, full-time and part-time.
Our consultants found that while all employees needed the training, maintenance workers had never had training; in the end, those folks were some of the most engaged.
CI Security’s training included not just how to avoid clicking on the wrong link, but also life skills that allowed the city workers to go about their daily lives thinking about internet risks intelligently.
The training was so successful, other cities requested access to the same materials. CI Security was happy to allow reuse by local governments and agencies because our mission is to make sure critical infrastructure is protected and defended.
Communities not only need to protect themselves against digital intrusion, but also develop response plans to ensure resiliency if and when an attack does occur.
There’s no foolproof way to prevent a cyberattack. Organizations with a good security baseline are well-prepared to deal with threats as they come.
Executive VP of Professional Services at Critical Insight