With the internet and advances in technology, the world is becoming more connected. This has enhanced our ability to communicate and provide education, as well as do business. Organizations around the globe are both taking and seeking opportunities to connect into this infrastructure. As the ease of doing business has increased with the internet and a connected economy, so has the risk of a breach. Cybercrime continues to grow as the primary motivation for breaches, rising from 77 percent to just above 82 percent in 2018.[1]
There’s a heightened awareness of the need for cybersecurity for tribal organizations. In mid-2018, the National Congress of American Indians encouraged U.S. lawmakers to increase funding to expand field infrastructure and support tribal nations’ access to cybersecurity services and funding.[2] The purpose of this is to help develop better infrastructure, including cybersecurity, for the 573 federally recognized Native American tribes in the United States.
Tribally owned businesses often are highly complex and dynamic in structure, with operations in several industries, including entertainment, hospitality and federal government. Not unlike other public sector entities, these organizations can be difficult to protect in terms of risk management, information governance and internal controls.
In a recent webinar, “More Connected, More At Risk: Addressing Cybersecurity Concerns for Tribal Organizations,” we offered the following actions your organization can take to help mitigate cyber risk:
- Knowing Your Inventory – It’s important to understand and know your inventory. Not all assets are the same, and organizations should consider classifying their data. Which information is more critical to protect? Private health information, credit card information and other confidential information may be more valuable than other data.
- Educating Your Team – Education is key. Technology isn’t a substitute for employee, board, executive or vendor education. It’s important to document and distribute your security policies. Developing a robust incident response program that you annually review and test also can be beneficial.
- Limiting Access – The principle of least privilege is vital when it comes to both physical and virtual access. Organizations should control the use of administrative privileges and limit access to only those functions an individual needs to perform job tasks. Don’t forget about maintaining adequate physical security as well. Make sure guests, service delivery personnel and vendors are properly vetted and escorted when in sensitive areas of your facility.
- Planning, Preventing & Preparing – Consider initiating controls to help mitigate the risk that could be caused by your workers, such as having workers lock their laptops when they’re away from their workstations and filtering out suspicious emails addressed to employees. Develop a cyber incident response program with a policy that’s communicated across the organization, and consider cyber insurance if you don’t already have it.
- Establishing Backups – Implement a regularly scheduled backup program that meets the needs of your organization and records retention requirements. It’s recommended that your backups be stored at a different location to provide better security. There are benefits to using cloud-based backups. Also remember to back up not only the data but the applications as well.
- Making Use of Available Federal Resources – The U.S. Computer Emergency Readiness Team (US-CERT) through the Department of Homeland Security hosts a site that provides resources for state, local, tribal and territorial governments. This site provides best practices and case studies, as well as a toolkit to help organizations recognize and address cybersecurity risks. It’s not intended to be a 100 percent solution, but it does help organizations get started. For access to these resources, visit US-CERT’s site.
BKD Cyber professionals are dedicated to helping tribal governments and other public sector entities assess their cybersecurity risks, improve their cybersecurity protections and respond to a breach. For insight on the dark web and additional recommendations to help you mitigate risk, watch the webinar mentioned above.
Contact Rex, Cindy Boyle or your trusted BKD advisor if you have questions.
[1] Hackmageddon, 2018 Master Table
[2] The National Congress of American Indians Resolution #DEN-18-012