Working together to reduce the risk of a data breach
State and local governments must prepare for the worst
Across the U.S., more than 94 million citizens' records, under the care of government agencies, are estimated to have been lost or breached since 2009. Multiply this figure by $194, which is the average cost per compromised record for organizations in the United States, according to the Ponemon Institute's Annual Study, and the numbers become astronomical: nearly $18.2 billion dollars' worth of damage.
In Oregon, a 2016 breach at the relatively obscure Construction Contractors Board compromised the log-in credentials for the Oregon Department of Transportation and several local governments. As this example shows, in an age of increasingly subtle and stealthy cyber attacks, state and local governments must prepare for the worst.
The extraordinary amount of personal data collected by public entities makes them attractive targets for cybercriminals and hacktivists, and they face risks from simple human error and disgruntled employees. Unfortunately, the cybersecurity posture of governments is typically lower than commercial enterprises.
The Cyber Oregon initiative is an effort to help government organizations across the state get access to the information and resources they need to safeguard citizens’ data – from undertaking risk assessments, increasing stakeholder collaboration and investing in cybersecurity talent.
Alex Z. Pettit, PhD, CIO, State of Oregon
Alex Z. Pettit serves as the chief information officer (CIO) for the State of Oregon where he is responsible for all of the state agencies’ information and telecommunications systems. He was appointed to his position by Governor Kate Brown in January 2014.
Since his appointment as State CIO, Dr. Pettit has worked to implement HB 3099 (2015), a law that permanently reassigned responsibility for IT service delivery at the state data center and designated the State CIO as an independent official, directly responsible to the Governor as the primary advisor on statewide IT policy and operations.
Among other provisions, the bill also codified an incremental funding and development process for IT projects over $1 million and provided a delegation of authority over enterprise IT and telecommunications projects. Additionally, Dr. Pettit served as the interim CIO for Cover Oregon following its failed launch and directed the successful transition of the state to the federal health exchange.
Prior to joining the State of Oregon, Dr. Pettit served as the first CIO for the State of Oklahoma from 2010 until December 2013. As the CIO for Oklahoma, Dr. Pettit developed a comprehensive and measurable framework defining, delivering and supporting the activities of the 132 agencies for the State.
Dr. Pettit completed his Ph.D. in Information Science from the University of North Texas, where his dissertation focused on the study or requirements analysis within software development practices.
Previously, Dr. Pettit held other IT leadership positions within public, private and higher education institutions, including: vice president at Marsh McLennan Risk Consulting; chief technology officer for the City of Denton, Texas; and senior manager at Ernst & Young. He also developed and tested disaster recovery plans during the renovation of the Tom Watkin Jr. data center at Brown University and served as a consultant for the U.S. Environmental Protection Agency.
Governor Kate Brown’s Executive Order 16-13, “Unifying Cyber Security in Oregon” (EO 16-13) and SB 90 (2017) represent a fundamental shift in how the state of Oregon approaches IT security. The Enterprise Security Office (ESO) is responsible for enterprise security policy, security monitoring of the state network, enterprise incident response, and enterprise security architecture, as well as dissemination of security training, policy, and best practices across state government.
MS-ISAC (Multi-State Information Sharing & Analysis Center)
A focal point for cyber threat prevention, protection, response and recovery.
FBI Cyber Investigations
Information and resources from the FBI on fighting cyber crime.
NASCIO (National Association of State Chief Information Officers)
Resources on cybersecurity awareness and more.
Stop. Think. Connect.
Cybersecurity information from the U.S. Department of Homeland Security.
Cybersecurity information from the U.S. Computer Emergency Readiness Team
smartphones, laptops, and tablets. This includes locking your computer when you step away from your desk at work. You may not always know the people walking around your office and what their intentions are. Encrypt data and use two-factor authentication where possible.
2. Regularly scan your computer for viruses and spyware and keep your software up to date.
3. Dispose of sensitive information properly and according to your organization’s policies.
4. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
5. Take advantage of cybersecurity training offered by your department or agency.