By Brennen Schmidt
ALEUS Technology Group
and Allan Bonner
Troy Media columnist
There’s a line item missing from your town’s budget. It’s missing from all government budgets. It should be called Digital Liability.
Even city budget chiefs and national finance officials aren’t dealing with the dangers and vulnerabilities of cyber space.
Here’s an example. Your municipal administrator’s computer is connected directly to the Internet via a router supplied by the local Internet service provider (ISP). It has no physical or software measures to keep it secure. It’s not in a vault and doesn’t have added firewalls. The workstation’s lack of physical and software safeguards makes it vulnerable to online attacks, including being held for ransom – also known as ransomware.
Worse yet, it’s likely running an outdated version of its operating system. It requires several downloads of the latest security updates in the forms of patches – the digital equivalent of welding a patch of metal to a compromised container. In the worst case, the machine may be running Windows XP, an operating system no longer supported by Microsoft. Don’t count on the software giant to offer any help when the system goes awry.
The machine might as well be a jumbotron on the street for all to see or even change.
Some small municipalities may use a local hobbyist, relative or friend for information technology (IT) support. The system keeps running until something goes wrong. With luck, a user happens to click yes to install the latest security update, if prompted.
Larger cities have more money and people available. But they’re vulnerable, too. In this case, they may have multiple legacy systems hat prohibit their operating systems from being upgraded. Or their scale has grown so much that maintenance has become a challenge, if not impossible.
Worse, their servers may be stored in the basement of city hall. With very little physical controls and no redundancy, continuity of operations doesn’t exist in the event of power loss. It would take days, if not months, to recover data – if ever.
Try collecting taxes or utility bills with no records of usage or what’s already been paid.
You’d think these liabilities would be listed in audited financial statements and quantified. A fund could be created, growing with yearly contributions and interest, and sinking as a result of withdrawals spent on security.
Unfortunately, this isn’t the case. Far too many municipalities large and small keep running IT assets like an old car. If it’s still running, they don’t worry too much about it.
IT security vulnerabilities need to be front-and-centre for municipal leaders and taxpayers. The failure to act or fund should be publicly reported. Citizens have a right to know just how cyber safe your community is. After all, it is a liability.
It’s not severe weather, an old bridge or crumbling road. It’s mainly ones and zeros in a computer that too few municipal leaders show an active interest in.
So what should the number be on that line item called Digital Liability? Start with $1 million – that’s the normal actuarial estimate of the value of a human life. Guess how many could be lost and multiply by that number.
What’s the interest on a city’s total tax, electricity and other revenue for a month? That goes into the line item. So does the additional small amount of revenue lost forever in the confusion. Speculate on the car crashes if the traffic signals go out. What if the hospital can’t dispose of contaminated waste?
All quantitative risk assessment involves good guesses.These are some.
Prevention is cheaper.
Dr. Allan Bonner, MSc, DBA, is a crisis manager based in Toronto. His forthcoming book is Cyber City Safe. Brennen Schmidt (BEd, Certiftied PR, CUA) is principal of the ALEUS Technology Group, a boutique digital communications firm in Regina.
The views, opinions and positions expressed by columnists and contributors are the author’s alone. They do not inherently or expressly reflect the views, opinions and/or positions of our publication.