Just like you used to lock the file cabinets and the office door, procurement officials need to take responsibility for safeguarding their own digital systems as well as vetting the products and services being contracted from suppliers for state agencies.
“Cybersecurity is not ‘one and done’.” Leah McGrath, Executive Director of StateRAMP
Cyberattacks on state and local governments were up by 50% in 2020. It is no longer a matter of if an attack happens, but when. Cybersecurity can no longer be left to the IT department alone. Cybersecurity and risk management have been the top priority for NASCIO for the last 8 years.
WHAT’S AT STAKE?
Does that sound farfetched? It’s not, according to people who study cybersecurity. Election systems, schools, hospitals and health records, city and county governments have all been hit with ransomware attacks (demanding money in exchange for releasing control of systems) or data breaches/intrusions like the SolarWinds attack. These attacks strike at the heart of our governmental infrastructure, disrupting civic life and eroding trust in our systems.
Cost of Clean Up
According to the Ponemon Institute, the average cost of a ransomware attack is $3.86 million. In their report The Economic Value of Prevention in the Cybersecurity Lifecycle, the Ponemon Institute found that “when attacks are prevented from entering and causing any damage, organizations can save resources, costs, damages, time and reputation.” Prepare and prevent, not repair and repent, as my mother used to say.
WHAT SHOULD I DO?
Dugan Petty, NASPO ValuePoint’s Cooperative Contract Coordinator, breaks down the defensive effort into 4 focus areas:
Protect State Data
Do a risk assessment of every contract to see what Personally Identifiable Information (PII) is accessible to the supplier.
Set up terms and conditions to protect data from unauthorized use.
Identify Touch Points
Find out where each product connects to state systems. Even office supply contracts can involve access to state systems.
Map Supply Chain Risk
Identify downstream suppliers and do a risk assessment on their level of access to state systems.
Treat Procurement as a Business
Prioritize the integrity of the procurement process. CIOs and CISOs are focused on the big picture for the whole state; procurement officials need to take the lead on protecting the integrity of the procurement process itself at the digital level.
Develop a good relationship with your state CIO or CISO now. Make them a partner in your effort to harden your systems. Get them involved in specification development of software and cloud services.