The officials were worried about their security posture, their ability to respond to threats, and gaps in the way they handled regulated data such as CJIS, PCI, and HIPAA data.
The city contacted Critical Insight’s professional services team to assess its security baseline across all departments and functions. Critical Insight’s consultants investigated and went beyond the scope of work to verify key findings; for example, by conducting a network packet capture analysis, Critical Insight was able to validate the effectiveness of security controls on the network. Critical Insight identified gaps in how the city was handling both HIPAA and PCI data that threatened their compliance posture.
After the investigation and analysis, Critical Insight made dozens of recommendations. The city quickly fixed the vulnerabilities and addressed their HIPAA and PCI compliance gaps.
Another key finding was that the city was not satisfying an annual requirement to do security awareness training with employees.
The city jumped at the chance to have Critical Insight develop a Security Awareness Training (SAT) program, deliver content customized to address the different security threats faced by employees working in vastly different environments and record the sessions to form the foundation of future hire training. Critical Insight developed three trainings: (1) for the executives and city council, (2) for people working on smart city projects, and (3) for all city workers full-time and part-time.
Our consultants found that while all employees needed the training, maintenance workers had never had training; in the end, those folks were some of the most engaged.
Critical Insight’s training included not just how to avoid clicking on the wrong link, but life-skills that allowed the city workers to go about their daily lives thinking about internet risks intelligently.
The training was so successful, other cities requested access to the same materials. Critical Insight was happy to allow reuse by local governments and agencies because our mission is to make sure critical infrastructure is protected and defended.
Communities not only need to protect themselves against digital intrusion, but also develop response plans to ensure resiliency if and when an attack does occur.