There’s a saying that we’ve always liked: It’s a poor artist who blames his tools. There are other versions of that. They usually replace the word artist with workman, but we like our version better. Either way, though, the point is the same. Failings can rarely be blamed on the tools used in the execution.
The same thing can be said about network security breaches. Rarely do they happen solely because of bad equipment. Instead, there is almost always some other reason that the criminally minded were able to get into a network. Old software left a door open. Poorly installed equipment weakened defenses. Or – most often – someone unintentionally gave away login credentials because they simply didn’t know any better.
All of this points to the need for a change in approach. We have to stop thinking about security in terms of tools. And in some industries, misconceptions about security are so rampant that we need to clear them up before we can even talk about network protection. One of those industries is one where we have quite a bit of experience: local governments.
What we’ve found is that there are six common misconceptions believed by local government employees that hold them back from making their networks as secure as they could be. Over the next few posts, we will share those misconceptions with you and also provide ways that you can battle them if you find a particular misconception is something your organization is struggling with.
Misconception No. 1: All of our information is public, so a breach isn’t really that damaging.
While open records legislation has been wonderful for helping shine light into some areas of government that have been dark for too long, it’s also created a bit of confusion for those tasked with controlling who can see what.
The clerks working in some local government offices may see so many requests from activist groups, reporters, or the public that they assume all information is public and that keeping the data digitally secure isn’t really necessary.
The truth is, most information that’s being held by local governments and agencies isn’t inherently public. Some of it can be obtained through the proper channels, but putting security in place to protect it is still necessary.
How to battle this misconception: This is a battle fought on two fronts. The first is employees who don’t know any better. You have to educate them about what information is public, what is private, and when the court can order that information be turned over. While state and local governments do not have to adhere to federal Freedom of Information Act rules, all 50 states have adopted some type of open records law. So step one in fighting this misconception is making sure employees are familiar with the regulations that apply to them.
The second front in combatting this misconception is disorganized data. Too many local governments can’t tell HIPAA data from criminal data from Social Security numbers. This presents two problems. First, without classifying data simply as either public or private, you are making the work of your local clerks twice as hard. Data has to be managed in a whole different way. It has to be segmented. It has to be segregated. It has to be classified. And second, if you don’t know what information is private, you don’t know what information to protect. You don’t know where to put your stoutest defenses and build your highest walls.