[TLP:RED]

The following list contains “nuggets” of personal, sensitive knowledge shared in weekly coffee rounds that would typically not be shared officially. The nuggets are summaries only and more details can be requested in a personal conversation. The numbering is unrelated to priority / importance – each one is critical and comes from professionals with decades of experience. The list is updated weekly along with the blog summary of weekly updates.

Weekly [TLP:RED] for Publicly Elected Officials:

  1. When a cyber incident occurs, immediately call your lawyer to ensure you have someone to talk to under client / attorney privilege.
  2. When a cyber incident occurs, immediately have a “scribe” shadowing you to capture all communications and other evidence that will be needed in the future. Ex-police officers, for example, are good at this.
  3. Ensure you have a communication professional trained in handling the media during a cyber incident available and delegate ALL communications to them immediately.
  4. Usually you are not permitted to pay a ransom. Others (like insurance companies) may however be able to do this unofficially for you. Ransoms are paid more often than you might imagine.
  5. A major Cyber Incident will occur – I just have to make sure the Crisis Response Team convenes immediately.
  6. Expect it to take about 7 signatures to get something approved – 5 of those are “followers” – the other 2 are not always obvious. Ask a middle-manager with at least 30 years' experience in the organisation (“Left-Overs”) to help you find them BEFORE starting.
  7. EU Funded projects are great – but make sure your Head of IT signs them off as well.
  8. Test new solutions yourself (with the assistance of an expert) – never let others do that for you.
  9. The best new budgets come from a level higher – create the regional / national initiatives your administration then benefits from.
  10. When you lose a service due to cyber issues – communicate only the service outage and any temporary measures to citizens. There is no need to explain reasons which are “under investigation”.
  11. The best crisis centre coordinators are ex-military with combat experience; get one.
  12. Women are better crisis managers (see https://hbr.org/2020/12/research-women-are-better-leaders-during-a-crisis).
  13. Yes, you must officially report some cyber incidents within certain timeframes – but you can ask for an extension – the later the better!
  14. Make sure you have a back-up mobile phone with an up-to-date contact list.
  15. Innovation is “bleeding edge” – if you don't want to bleed in public, don't innovate – JOIN projects of others.
  16. The Head of IT should be on your leadership team.
  17. Make sure the line items of all purchases are checked to avoid importing IT solutions not approved by IT (e.g., web-based services).
  18. Cyber startups are popular but only a cheap enhancement if they themselves are secure – validate.
  19. Publicly share stories on the cyber security successes of your administration.
  20. Provide third parties with space in your offices to increase availability and response speeds.
  21. Benchmark your cyber security – being good is attractive and can be flaunted.
  22. If a threat that can trigger legal liability is officially minuted, then you have become legally aware of it and can be held liable for penalties if an incident occurs.
  23. Let your CEO/CIO decide whether to go “off-grid” in the case of a cyber incident – this makes them responsible for it.
  24. Good relationships with the leaders of your police and fire services departments are crucial for making a crisis centre work.
  25. Ensure that any AI systems used in the administration are appropriately and formally audited by independent third parties.
  26. Offerings for NIS2 compliance audits are exploding and you will fail. Become CIS18 compliant first.
  27. Use benchmarking to demonstrate you are not the worst administration in your region.

Weekly [TLP:RED] for Essential Services Managers:

  1. The higher the cyber-risk is on the risk register, the more likely an upgrade to your systems will be funded.
  2. Funding projects is often best achieved by helping sector level organisations fund larger projects that yours is part of. A project covering multiple administrations (including yours) is probably easier to fund than a project just supporting yours.
  3. Talk to the IT Help Desk, make sure they have a list of “super users” of your systems and treat them as “VIPs” when they call (or make sure they are considered as your official delegates).
  4. You can control the interval of password changes for staff to be shorter than any central policies – stay safe by implementing a departmental policy for changing them every three months.
  5. A major Cyber Incident will occur – I just have to make sure I can provide my services without IT (Business Continuity Management).
  6. Elected officials are not professional managers and some of their decisions cannot be implemented. It is sometimes ok to let them fade away gracefully into forgetfulness.
  7. Never accept stand-alone “agile” projects from vendors – you can embed agile “tasks” into waterfall projects though.
  8. Reduce your costs by making sure only IT buys IT services – an informal conversation with Finance can help identify whether non-IT staff are buying third-party IT services at your cost.
  9. “Citizen Development” of solutions is the only way to keep control – but design for security from the beginning.
  10. We can design for project slippage to free up funds to make the most of the year-end rush.
  11. Developing citizen solutions on nationally / regionally provided cloud services (e.g., PowerApps, SharePoint, Power BI) is often the most effective way to improve processes – let IT (security) guide you though.
  12. Have up-to-date paper versions of all forms available for copying when you must return to “pen and paper”.
  13. Make sure you have access to data backups of your key transactions; plus a local in-office solution you can use for Disaster Recovery.
  14. Test disaster recovery of IT services yourself regularly by switching operations to the back-up solution (and back) and working off that – six months here, six months there.
  15. Copy the processes of your peers to ease transferring your processes to them in the event of a breach.
  16. Regularly review your application landscape and security concerns with IT – usually IT struggles to maintain a robust overview of the applications and this gets you on the radar screen.
  17. Walk the floor to make sure everyone logs out of PCs/laptops when leaving their desk. There is no digital security without physical security.
  18. Discover where USB ports are being used to read/write data and find alternatives – they are the open backdoor for breaches. This includes USB drives, cameras etc.
  19. Encourage the use of secure online services for file transfers with external organisations.
  20. Report movers & leavers asap to HR and in parallel to IT to ensure access rights are removed as quickly as possible. Remove them yourselves for legacy systems if possible.
  21. Keep copies of your legacy system admin passwords – just in case the current admin does not leave on friendly terms.
  22. If you can get a threat that can trigger legal liabilities minuted, then you have transferred that liability.
  23. NIS2 may declare your services as critical – make sure IT and leadership prioritise investment accordingly.
  24. Make sure you can operate key processes without an Internet connection, save key transactional data on USB drives and are able to transfer that via USB to another PC/laptop at your regional administration. “Sneaker Interfaces” must work.
  25. Forbid the use of AI chat features to avoid inadvertent GDPR infringement you will be held liable for.
  26. Need to delay a digital project? Ask for the results of the penetration test.
  27. Ensure all staff with admin rights on your applications receive regular cyber awareness training and use unique complex passwords on each application.

Weekly [TLP:RED] for IT Leaders:

  1. Put “VIPs” in a dedicated and separately protected network segment – their use of technology assets cannot be trusted to follow policy.
  2. Public tenders can be designed for ensuring preferred suppliers are at least short-listed. Value for money / best price must of course always be achieved and the key is taking the time to understand the specific activities being purchased by “look and see” / talking to the actual operators.
  3. IT service outages due to cyber incidents are usually the best “sellers” for improved budgets. It can make sense to choose a “reactive armour” strategy in some spaces – let “contained” breaches occur…
  4. Often we cannot prevent users from installing insecure software from the Internet. We can however ignore fixing technical issues preventing them from working…
  5. We are heroes when it comes to getting old kit back running… not making the effort and letting it fail is the fastest route to new kit.
  6. Tenders should never contain requirements that the preferred solution provider does not explicitly call-out in their specifications.
  7. Always order more than you truly need and connect it to the network as “hot” standbys for when other kit fails.
  8. It usually pays off to hire good service / supplier managers without IT skills rather than asking IT professionals to do that for us.
  9. You need budgets for your own tools – “hide” them in research agreements.
  10. Front-load as much of your project costs as possible – the longer you wait to spend, the less likely the money will still be there when you need it.
  11. A “potential” compromise treated seriously is probably the fastest way to get all IT assets patched up to date…
  12. Don't wear your best business clothes in budget negotiations – if you are dressed better than others, why should you get more money?
  13. Gigs for staff in other administrations are very helpful for learning different ways of doing things.
  14. Put 24×7 remote monitoring capability of all servers / firewalls supporting essential services in place, regardless of whether they are operated / subscribed / outsourced.
  15. Buy the same software and hardware as your peers to ease supporting each other in the event of a breach.
  16. Third-party compliance needs (e.g., towards banks) include minimum IT standards that can be leveraged for prioritizing cyber investments.
  17. Before purchasing licenses from a vendor, check whether there are cheaper in-country major customers of theirs that you can leverage instead.
  18. Ensure all laptops connect at least monthly directly to the network for 24 hours to receive updates. The longer devices are remote, the greater the chance of an update divergence leading to growing security concerns.
  19. Place non-standard IT assets (e.g., iPads for senior leaders) in their own network segments.
  20. Make sure you have personal liability insurance for your role.
  21. Long term technical assistants to the CIO/CISO are the critical knowledge repository for successors – treat them well!
  22. Formal minuted meetings of budget presentations can limit your liabilities in the case of incidents.
  23. When you are managing a breach, many third-party individuals will visit your facilities – you should have a way of informally verifying their identities through official channels.
  24. Expect that securing a solution will cost up to 3x the cost of the solution itself.
  25. Any patches can trigger incidents with significant time-delays. Make sure you have thoroughly mapped services over at least an 18-month time-period.
  26. When your mayor recommends a supplier, add them to the bottom of your shortlist.
  27. Buy software towards the end of the supplier financial year to get the best rebates.