Working together to reduce the risk of a data breach
State and local governments must prepare for the worst
Across the U.S., more than 94 million citizens' records under the care of government agencies are estimated to have been lost or breached since 2009. Multiply this figure by $194, the average cost per compromised record for organizations in the United States according to the Ponemon Institute's Annual Study, and the numbers become astronomical: nearly $18.2 billion worth of damage.
In Oregon, a 2016 breach at the relatively obscure Construction Contractors Board compromised the log-in credentials for the Oregon Department of Transportation and several local governments. As this example shows, in an age of increasingly subtle and stealthy cyber attacks, state and local governments must prepare for the worst.
The extraordinary amount of personal data collected by public entities makes them attractive targets for cybercriminals and hacktivists, and they also face risks from simple human error and disgruntled employees. Unfortunately, the cybersecurity posture of governments is typically weaker than that of commercial enterprises.
The Cyber Oregon initiative is an effort to help government organizations across the state get access to the information and resources they need to safeguard citizens’ data, from undertaking risk assessments and increasing stakeholder collaboration to investing in cybersecurity talent.
Stefan Richards, Chief Information Security Officer, State of Oregon
Stefan Richards is the chief information security officer for the State of Oregon and leads the Enterprise Security Office (ESO), which brings enterprise security functions into a single organization. The ESO is directly accountable for the security of state data center operations, real-time security monitoring and incident response, enterprise security policy, enterprise security architecture and dissemination of best practices. In this capacity, he leads a cross-functional team to meet business goals and IT security objectives. Mr. Richards drives statewide information security policy, procedures and standards, coordinating state security efforts with federal partners, including the FBI, the Department of Homeland Security (DHS) and departments within the U.S. military. Mr. Richards also oversees the security operations of the state data center, which serves more than 100 state agencies, boards and commissions. Additionally, he manages the state-level security compliance programs, including NIST 800-53/FISMA, ISO 27001, CJIS, FTI, MARS-E, PCI DSS and HIPAA/HITECH.
Mr. Richards was previously CISO and chief privacy officer for Cover Oregon, where he built an end-to-end security and privacy program for Oregon’s online health insurance marketplace, working with both the IRS and CMS to ensure compliance with IRS Pub 1075, NIST 800-53/FISMA and CMS MARS. In this role he led the development of security requirements, supporting technical architecture and security solution implementations across a heterogeneous environment within and across agency and private sector boundaries.
Mr. Richards previously served other public and private organizations in security management and security product development roles, including Intel, GE and Microsoft. Mr. Richards has held leadership roles in the development of security policy and industry security products which are still used today, and has experience addressing both information privacy and information security.
Governor Kate Brown’s Executive Order 16-13, “Unifying Cyber Security in Oregon” (EO 16-13) and SB 90 (2017) represent a fundamental shift in how the state of Oregon approaches IT security. The Enterprise Security Office (ESO) is responsible for enterprise security policy, security monitoring of the state network, enterprise incident response, and enterprise security architecture, as well as dissemination of security training, policy, and best practices across state government.
MS-ISAC (Multi-State Information Sharing & Analysis Center)
A focal point for cyber threat prevention, protection, response and recovery.
FBI Cyber Investigations
Information and resources from the FBI on fighting cyber crime.
NASCIO (National Association of State Chief Information Officers)
Resources on cybersecurity awareness and more.
Stop. Think. Connect.
Cybersecurity information from the U.S. Department of Homeland Security.
Cybersecurity information from the U.S. Computer Emergency Readiness Team
smartphones, laptops, and tablets. This includes locking your computer when you step away from your desk at work. You may not always know the people walking around your office and what their intentions are. Encrypt data and use two-factor authentication where possible.
2. Regularly scan your computer for viruses and spyware and keep your software up to date.
3. Dispose of sensitive information properly and according to your organization’s policies.
4. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
5. Take advantage of cybersecurity training offered by your department or agency.