IBM and the Ponemon Institute have reported that the average breach cost in 2022 was $4.24 million. If that is used as a rough estimate, data breaches in state and local governments can be very expensive. There is a lot at risk and budgets are tight. State and local governments really have to look at leveraging what funds they have.

Today’s discussion provides recommendations for sources of information on hardening systems, coming up with action plans, and the role of insurance.

There is no lack of help if you are seeking guidance when it comes to making your system secure. Guides from CISA and NIST give specific information.  Most suggest starting with an accurate evaluation of what is on your system.  There may be situations where people sign up for services with a credit card without informing system managers. System surveys are difficult when one has to look for shadow IT.  

Action plans normally start with ways to respond to an incident.  One weakness in a backup playbook is the time it takes to restore one system vs. ten systems. System managers may have to get ideas on unexpected circumstances.

Best practice is to harden your system and have an action play. The unintended benefit of documenting your security is qualifying for cyber insurance.  Risk assessment can vary in size of organization.  Insurers try to limit exposure – excluding certain events. One certain bet is that it will become more and more expensive to get cyber insurance.

You may not realize that a cyber insurance package can be an 11 page application   combination of entire system – every environment will have a different footprint. Tony Lauro Akamai mentions that an insurance plan must never be considered to be a substitute for a hardened system.