The first round of story workshops in our two municipalities were organised in October and November of 2018. Here are some general findings, based on just a small set of stories that we collected.
First, and this is not a shocking result at all, we can suggest improvements in management of knowledge. There can be more protocols for sharing and reporting of issues and outcomes of cybersecurity incidents in these organisations, between service users (employees of the municipality) and their ict-departments. Similarly, for service-users it would also be good if records of their cybersecurity adventures are preserved, in a structural manner, not only informally. This can for example be useful as well (for any management) in relating information about incidents to the effectiveness of policies.
Second, there are related issues with transparency, and again, this is not extraordinary for municipalities. Transparency means that your actions are open for others. Trust by the general public is related to this; when transactions are unclear and hidden, trust will suffer. Although there are differences in what employees with various roles in their organisation know and understand, it is good if, for example, IT-departments synchronise with other it-departments in how they have been dealing with particular issues. Also it would be good if these departments share their way of working with users, who then may be led towards more understanding of what particular issues are about.
Third, we noted issues with user management, for example in access rights for temporary employees to sensitive information, but also in managing permissions from employees that had already left. Cyber criminals can exploit both.
Finally, we found some stories about users trying to get around regulations, because these regulations frustrated their daily work (e.g. not being allowed to access EU-websites), or were part of their daily work (e.g. having to read all emails), which make the system vulnerable. Compliance with safety regulations (and with the privacy regulations) could be monitored and evaluated, to avoid these and issues to emerge.
Resolution of all of these issues require more than a cybersecurity solution being implemented. But at the same time, we should be aware of these tendencies in user behaviour creating vulnerabilities. More user awareness in these respects can do a lot for avoiding such vulnerabilities to emerge.
Jerry Andriessen
Wise & Munro