Working together to reduce the risk of a data breach

State and local governments must prepare for the worst


Across the U.S., more than 94 million citizens' records, under the care of government agencies, are estimated to have been lost or breached since 2009. Multiply this figure by $194, which is the average cost per compromised record for organizations in the United States, according to the Ponemon Institute's Annual Study, and the numbers become astronomical: nearly $18.2 billion dollars' worth of damage.

In Oregon, a 2016 breach at the relatively obscure Construction Contractors Board compromised the log-in credentials for the Oregon Department of Transportation and several local governments. As this example shows, in an age of increasingly subtle and stealthy cyber attacks, state and local governments must prepare for the worst.

The extraordinary amount of personal data collected by public entities makes them attractive targets for cybercriminals and hacktivists, and they face risks from simple human error and disgruntled employees. Unfortunately, the cybersecurity posture of governments is typically lower than commercial enterprises.

The Cyber Oregon initiative is an effort to help government organizations across the state get access to the information and resources they need to safeguard citizens’ data – from undertaking risk assessments, increasing stakeholder collaboration and investing in cybersecurity talent.


Stay current with the fast-changing cyber world.


Find what you need to stay safe online.


Make connections in the cyber community.


Be more secure online with these tips.

Spotlight Profile

Stefan Richards

Stefan Richards, Chief Information Security Officer, State of Oregon

Stefan Richards is the chief information security officer for the State of Oregon and leads the Enterprise Security Office (ESO) which brings enterprise security functions into a single organization. The ESO is directly accountable for the security of state data center operations, real-time security monitoring and incident response, enterprise security policy, enterprise security architecture and dissemination of best practices. In this capacity, he leads a cross-functional team to meet business goals and IT security objectives. Mr. Richards drives statewide information security policy, procedures and standards, coordinating state security efforts with federal partners, including: the FBI, Department of Homeland Security (DHS) and departments within the U.S. military. Mr. Richards also oversees the security operations of the state data center, which serves more than 100 state agencies, boards and commissions. Additionally, he manages the state-level security compliance programs, including NIST 800-53/FISMA, ISO 27001, CJIS, FTI, MARS-E, PCI DSS and HIPPA/HITECH.

Mr. Richards was previously CISO and chief privacy officer for Cover Oregon, building an end-to-end security and privacy program for Oregon’s online health insurance marketplace, working with both the IRS and CMS in ensuring compliance with IRS Pub 1075, NIST 800-53/FISMA and CMS MARS. In this role he led the development of security requirements, supporting technical architecture and security solution implementations across a heterogeneous environment within and across agency and private sector boundaries.

Mr. Richards previously served other public and private organizations in security management and security product development roles, including Intel, GE and Microsoft. Mr. Richards has held leadership roles in the development of security policy and industry security products which are still used today, and has experience addressing both information privacy and information security.

CIO of Oregon

“Cybersecurity is a shared responsibility among both the public and private sector. State agencies, local governments, educational institutions and Oregon’s private sector can’t afford to go it alone. The risks are too great.”

Alex Pettit, Former Oregon CIO

Business / Cyber Alert / Cybersecurity / Education / Government / Individuals / News / Newsroom / Nonprofit / Small Business / Training / Youth

Cyber Trends for 2021: Industry Leaders Weigh In

Kelly Stremel, News Editor / December 18, 2020
Business / Cyber Alert / Cybersecurity / Education / Government / Individuals / News / Newsroom / Nonprofit / Small Business / Training / Youth

Cyber News Roundup: Holiday Cyber Threats; Human Factor; Challenges Ahead

Business / Cyber Alert / Cybersecurity / Education / Government / Individuals / News / Newsroom / Nonprofit / Small Business / Training / Youth

Cyber News Roundup: Cyber Safety Tips, Beefing up Cybersecurity at Work, The Future of Hackers

Business / Cyber Alert / Cybersecurity / Education / Government / Individuals / News / Newsroom / Nonprofit / Small Business / Training / Youth

Cyber News Roundup: Cyber Risks on the Rise for Students, Presidential Election, Small Businesses

Government Resources

Governor Kate Brown’s Executive Order 16-13, “Unifying Cyber Security in Oregon” (EO 16-13) and SB 90 (2017) represent a fundamental shift in how the state of Oregon approaches IT security. The Enterprise Security Office (ESO) is responsible for enterprise security policy, security monitoring of the state network, enterprise incident response, and enterprise security architecture, as well as dissemination of security training, policy, and best practices across state government.

Other resources

MS-ISAC (Multi-State Information Sharing & Analysis Center)
A focal point for cyber threat prevention, protection, response and recovery.

FBI Cyber Investigations
Information and resources from the FBI on fighting cyber crime.

NASCIO (National Association of State Chief Information Officers)
Resources on cybersecurity awareness and more.

Stop. Think. Connect.
Cybersecurity information from the U.S. Department of Homeland Security.

Cybersecurity information from the U.S. Computer Emergency Readiness Team

Upcoming Events

There are no upcoming events at this time.

Help for government staff

Here are some tried and true tips for government workers to help prevent cyber attacks.

1. Lock and password protect all personal and agency-owned devices including

smartphones, laptops, and tablets. This includes locking your computer when you step away from your desk at work. You may not always know the people walking around your office and what their intentions are. Encrypt data and use two-factor authentication where possible.

2. Regularly scan your computer for viruses and spyware and keep your software up to date.

3. Dispose of sensitive information properly and according to your organization’s policies.

4. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.

5. Take advantage of cybersecurity training offered by your department or agency.

6. Conceal your work badge and identification when outside of your office building,
especially when out in public or when using public transportation.


Contact Us

[email protected]