2015 Idaho Cybersecurity Interdependencies Workshop

Executive Summary

The Idaho Cyber Security Interdependencies Workshop was held October 8, 2015 in Boise Idaho at the St. Alphonsus Regional Medical Center. More than 130 participants from both public and private sectors, and from across the Pacific Northwest, took part in the exercise that focused on current cyber threats, common challenges for securing data and continuing operations despite cyber disruptions.

Idaho Lieutenant Governor Brad Little and Brigadier General Brad Richy, Chief of the Idaho Bureau of Homeland Security, spoke at the event along with other experts on cyber security preparedness, response, supervisory control and data acquisition systems.
​
Through this event, participants sought to improve their own cyber plans by challenging their planning assumptions, gained a greater understanding of their interdependencies and built relationships with others across the state and region.

View the Event Summary and Report
View the Agenda

Background

​This workshop was the second event in a three year initiative to develop a public/private sector partnership for resilience in the state of Idaho. In 2016, Idaho Bureau of Homeland Security (IBHS) and the Pacific NorthWest Economic Region (PNWER) Center for Regional Disaster Resilience (CRDR) will develop an Action Plan for the development of an Idaho Public/Private Sector Resilience Partnership.

Meeting Themes and Key Takeaways

One of the most prevalent topics of the workshop was around the need for holistic cyber security—calling on organizations to move cyber security planning beyond the Information Technology departments and involve executive leadership, legal, and human resources. There is a strong need to train all staff members. According to IBM’s 2014 Cyber Security Intelligence Index, 95 percent of all security incidents involve human error. This can take many forms, from clicking on links, giving away passwords, or failing to follow security protocols.

Every company has cyber security risk and should have a cyber security plan. From small businesses to sectors that are not typically seen as cyber focused, like agriculture, there are cyber security risks. There are also many great tools in the State of Idaho for getting assistance in building cyber security plans and responding to cyber security incidents that need to be shared and made more easily accessible to all organizations.

For all organizations, it is essential to have governance and policies around cyber security in place before having to respond to an incident. These would include policies around protecting data and procedure for response, including structure (the incident command system was recommended) and involvement of law enforcement. With these policies in place, organizations can test their systems through exercises and help build a security culture in an organization.

A common theme was the acceptance of breach. Not all information within an organization is equally sensitive and critical. By accepting that some cyber attacks will be successful, and focusing extra levels of security on the most important data, organizations can use their limited resources more effectively.
​
Identifying key information is a vital part of assessing the risk in each organization. The risk assessment also includes security protocols, equipment, software, public presence, business type, and all other aspects of a business that might make it an easy or desirable target for cyber attackers. Risk will never be fully eliminated—as long as computers, automation and the internet are needed to complete business tasks, an organization will have cyber risk.  All parts of a cyber plan should attempt to mitigate that risk, while helping identify procedures for protection of critical data and detecting access to or loss of that data. Too often companies don’t know they have been breached until they are informed by an outside agency. 

Recommendations

Based on participant feedback, planning team input, discussion outcomes, and common themes from the day’s speakers, the following recommendations were developed:

• Develop training materials and regular webinars and other training opportunities to help organizations grow cyber security plans and facilitate information sharing.
• Provide training for executive leadership, legal departments, human resources, and other key departments to encourage organization-wide cyber security.
• Grow state-wide knowledge of the Idaho cyber security annex through training and outreach.
• Provide resources specific to small businesses and sectors where cyber security may not be prioritized (example: agriculture).
• Develop a single repository for cyber security preparedness information
• Develop formal partnership for information sharing around cyber security and other critical infrastructure concerns