[Navy blue CAI "We power the possible" logo appears on screen with white background, with www.cai.io below in black.]

[Title slide: The slide title reads: "Cyber resilience in action: County leaders share their strategies". Above the title in smaller teal text reads: "A NACo Webinar". Near the bottom of the slide, two logos are aligned horizontally. On the left under text that reads "CAI is a sponsor of" features the National Association of Counties logo, and on the right features the navy blue CAI logo with tagline "We power the possible".]

[Speaker, John Matelski, appears on the screen with a blue background. In the top right corner, another speaker video of Rita Reynolds is featured, with her name displayed in white text below the video.]

00:00:07 - 00:00:24 John Matelski
Hello, everyone, and welcome to today's webinar, Cyber Resilience in Action: County Leaders Share Their Strategies. I'm John Matelski, Chief Information Officer here at the National Association of Counties, and I'm glad you could join us as we wrap up Cybersecurity Awareness Month with this important and timely conversation.

00:00:25 - 00:00:45 John M.
As many of you know, CAI is a trusted leader in the cybersecurity space and a great NACo partner. We're excited to team up with them again for today's discussion. Counties across the country are working hard every day to protect their systems, safeguard residents' data, and build partnerships that make local governments stronger and more resilient.

00:00:46 - 00:00:59 John M.
Today, you'll hear from some of the leading voices in county and state technology about how they're tackling cyber threats, closing resource gaps, and creating a real culture of cyber awareness in their organizations.

00:01:00 - 00:01:16 John M.
Thank you so much for being here and for everything you do to keep our community safe and secure. Now I'm thrilled to hand things over to Rita Reynolds, Director of Public Sector at CAI, who will be moderating today's session. Rita, over to you.

[Presentation slide 1: The title of the slide reads, "Cyber Resilience In Action: County Leaders Share Their Strategies", in white text. Below the title, the date reads, "Monday, October 27, 2025 | 2:00 p.m.", in white text. The background of the slide is of various colors that create a digital design.]

00:01:17 - 00:01:43 Rita Reynolds
All right. Well, thank you so much, John. It's a pleasure to be here today everyone, and to welcome all of you today, October 27th, for a conversation about cyber resilience. Of course, October is Cyber Awareness Month, and we're going to spend some time talking about the current landscape and some gaps as well, along with partnerships. And round it out with some conversation about culture and how we can all work together.

[Presentation slide 2: The title of the slide is "Speakers". Below the title are two columns that vertically list the speakers with an image of them, their name, and job information. The speakers in the left column are listed as follows: "Adam Frumkin, Chief Information Officer, Franklin County Data Center, Ohio", "John Regula, Chief Information Officer, Bucks County, Penn.", and "Meghan Cook, Director, Cyber Incident Response Team and Assistant, Director, Office of Counter Terrorism, NYS Division of Homeland Security and Emergency Services". The speakers in the right column are listed as follows: "Sybil Gurney, Assistant Chief Information Officer, Alameda County, Calif." and "Rita Reynolds, Director of Public Sector, CAI".]

00:01:44 - 00:02:20 Rita
Before we get started, I do want to introduce to you all our panelists. First, we have Adam Frumkin. He is the Chief Information Officer for Franklin County Data Center in Ohio. We have John Regula, the Chief Information Officer of Bucks County, Pennsylvania. As well as Sybil Gurney, the Assistant Chief Information Officer for Alameda County. And then rounding it out is Meghan Cook, who is the Director of the Cyber Incident Response team and Assistant Director of Office of Counterterrorism with the New York State Department of Homeland Security.

00:02:21 - 00:02:42 Rita
They all have about 25 years each experience in local government, and so we're very thankful to have them here today. As I mentioned, we're going to start talking a bit about the landscape, and the reality is that we're always on guard with cyber. It has escalated to a point where we just feel like it's whack-a-mole unfortunately.

00:02:43 - 00:03:04 Rita
Last week, there was an incident with Amazon, which all of us were like, "Is it really just a DNS or a misconfiguration? Or was there something along the lines of cyber?" So, with that in mind, I just want to talk to each of you. We'll start with Sybil.

[Everyone appears on the screen. On the top row, from left to right, is Rita Reynolds, Sybil Gurney, and Adam Frumkin. On the bottom row, from left to right, is Meghan Cook and John Regula.]

00:03:05 - 00:03:10 Rita
Tell me a little bit about the threat landscape and what you're seeing and the types of attacks right now?

00:03:11 - 00:03:26 Sybil Gurney
We're still on guard for the usual. We're looking for ransomware, we're looking for nation-state attacks. Currently, we're in elections, so we're absolutely focused on deep fakes and social media and what's going around in social media to make sure that there is no false information out there.

00:03:27 - 00:03:54 Sybil
I'm going to say we're also still training all of our staff in order to fight these potential attacks. We do phish tests, we do our training, Cyber Security Awareness month we're all in. But for us, really our focus is still on the big 3 items; ransomware, phish attacks, and nation-state attacks.

00:03:55 - 00:04:00 Rita
All right. How about Meghan, how about you? You represent a lot of smaller counties in New York.

00:04:01 - 00:04:27 Meghan Cook
Yes. So, we support all of the local governments through our cyber incident response team, which does proactive preparedness and incident response. Everything that Sybil said. Another thing that we're seeing is compromises to third-party vendors that are local. So, it could be someone you're working with in the construction industry.

00:04:28 - 00:05:00 Meghan
And so those are getting breached, and then they're using that as a cover for a business email compromise. The hard part here is that almost everything looks the same from that company; the name, the amounts, everything looks the same except a couple of minor details in that phishing email. And so we have seen entities transfer funds over because it's on a schedule, a milestone schedule of payments.

00:05:01 - 00:05:20 Meghan
So, that's something we've seen an uptick in the past several months about. And one of the things that we're talking about is how to look closely at those emails as well as how to verify before any electronic transfers, even if it looks 100% right.

00:05:21 - 00:05:26 Rita
It is really hard to tell those emails apart these days. Adam, how about from your perspective?

00:05:27 - 00:05:59 Adam Frumkin
It's hard to say because we're, I would say yes on everything Sybil and Meghan has said. We're also seeing a rise not only in phishing attempts, but general straight attacks at the website, and websites in general all the way across, not just one, but multiples. And attempts at SQL injection or redirects, like trying to put something on the website that redirects to somebody else or something else, a bad actor.

00:06:00 - 00:06:29 Adam
What they're doing is they're doing that and then they're attacking different entities internally with phishing attacks to direct them to that environment and try to take them off site as well. So, we've seen a rise in generality. I'd just say a rise in threat actors coming against government in general is what we're seeing. Not just our county, but I also talked to some of the smaller counties around us and they're feeling it too.

00:06:30 - 00:06:57 Adam
The difference and I think some of the things that we need to talk about as a whole, is how are the large counties helping the smaller counties identify and understand some of the things that are coming? Because they're not just looking at the large counties, they're looking at the weak links and where they can find it. I'm not saying all small counties are weak links, I'm just saying they're attacking in general and they're doing it in a way that it may take time to find or see. And so that's what we're seeing a lot of.

00:06:58 - 00:07:16 Rita
Well, you made a good point about the linkage between large counties and smaller counties. I know that there are a number of counties out there that help support other counties and have connections, sometimes digital connections. John, what about you?

00:07:17 - 00:07:34 John Regula
Thank you, Rita, and great comments already by my team. I would say my add here is same categories as mentioned, more sophisticated. We are not seeing the Nigerian prince with the bad misspelling anymore. That is 19-

00:07:35 - 00:07:36 Sybil
No, not at all.

00:07:36 - 00:07:52 John R.
That is gone. So, what I think we really have to look at from these attacks is as we've trained our network and technologies to be zero trust, we need to train our users what zero trust means in their environment, because these attacks are targeting people, not so much machines.

00:07:53 - 00:08:15 Sybil
I want to comment on what John said. We've noticed an uptick in our failed phishing tests, and that's because of the generative AI initiated attacks. Because the spelling is perfect, it sounds real, it's no longer, like you said, it doesn't have the misspellings or the accent. So, we are seeing an uptick in our failures that we need to approach.

00:08:16 - 00:08:33 Rita
On that note, that was a very good point, Sybil. We have a poll actually that we'd like for attendees to respond to, and it's specifically about phishing email tests. Basically the question that we're asking is how often does your organization conduct a simulated phishing email test?

00:08:34 - 00:09:05 Rita
You can do multiple answers. Some of you do weekly, some of you do monthly, some of you do quarterly, sometimes it's rarely or during holiday special events. It's okay if you don't know, but we were talking about this in our prep call, and the fact of the matter is doing them more often is important now because of how real they look. So, I will leave this poll open for a few minutes to make sure everyone has a chance to respond.

00:09:06 - 00:09:27 Rita
So, John, I'm going to come to you because the second part of this question has to do with anything special that you've done this month because it is Cyber Awareness Month? Every year, October comes around and we like to focus on cyber even though we have attention on it all year long. So, I would love to hear from you as well as everyone else.

00:09:28 - 00:09:51 John R.
Well, one of the items that we work on is continuous user education. One of the ways we found most helpful is to make it fun and educational at the same time. So, we have come up with 30 or so different screensavers that we push out to our user community with helpful cyber awareness tips that will balance the fun of Halloween with the education needed.

00:09:52 - 00:10:05 John R.
So, our user community really has taken to waiting for the next screensaver to come out and is asking IT now, "When does it come, or when are we getting something new and exciting and fun?" Each one of them has got a grain of truth inside.

00:10:06 - 00:10:30 John R.
For example, one of them has a lot of little phish on it and you have to find the misspelled domain. If people log in and report the right phish with the badbuckscounty.org on it or .gov, they're entered into a gamification. So, we're going to have some prizes in a couple of days. I think it's fun to gamify it and allow your staff to have fun as they learn.

00:10:31 - 00:10:35 Rita
I love it. I would love to see a couple of those screensavers. Adam, how about you?

00:10:36 - 00:10:58 Adam
So, very similar to what John has done. We haven't done the screensavers, I like that idea, but we gamified our phishing emails to the point where it tabulates how fast they saw it, how fast they responded to sending it to phish. And we have a leaderboard and people love going out and looking at the leaderboard.

00:10:59 - 00:11:20 Adam
So, we've done that, and then we've also put talking points together for different entities around the county, so that people can see what is and what they should be talking about. Even all the way up through the commissioners, so that when they're out in public, if people talk about or bring up Cyber Security Awareness month, they have talking points, or they can bring it up themselves.

00:11:21 - 00:11:56 Adam
So, we're doing different things to make sure that it's not just internal, but it also is going out to the community as well. So, we push hard. People will sometimes come back and say they're tired of seeing the phishing emails to the point where they're getting so good that people are looking at them and getting even more detailed, because we put the tiniest little details in to get to see if we can catch them. We've had some fails, but it's okay. I look at this as a learning event and we try to spread it out across the board, so it's good.

00:11:57 - 00:11:59 Rita
All right, Meghan, how about you?

00:12:00 - 00:12:18 Meghan
So, in New York at Homeland Security, we work with government. So, we're always trying to put out programs and services that help government leaders, those who are technology focused, those that are not technology focused to help them understand why these protections are important.
00:12:19 - 00:12:42 Meghan
I think one of the things we heard the other day, somebody said, "Friends don't let friends not have MFA." And we laughed, because this MFA is non-negotiable in 2025. But we also serve the general larger public. So, I wouldn't say that I always know what's going on or trending on Instagram, but we put out little videos just to help people.

00:12:43 - 00:13:20 Meghan
We go with the latest trend, like tell me a secret, and things like if it's an urgent message from your bank, it's probably a scam. So, we try to capitalize on those ways of communicating with the public through our social media platforms. So, it's a whole range, especially when you have to meet the general public at their level of understanding, as well as government officials, many of them who are in a difficult budget time and projects are not getting approved.

00:13:21 - 00:13:40 Meghan
And so it's helping determine what projects, what they should do, what resources they can take advantage of because of the limited resources they're getting from their own municipality. So, that's some of the conversations we're trying to help all across the state.

00:13:41 - 00:13:46 Rita
All right. Last, but not least, we know Sybil always has something during October Cyber awareness. So, Sybil.

00:13:47 - 00:14:09 Sybil
Oh, if you're talking Cybersecurity Awareness Month, it's been one busy month and it's still time to go. This is our all in month. We saturate everybody with everything cybersecurity. We start with a welcome with one of our supervisors, we do a proclamation with the board, and then every week we do a major event. We send out tips and tricks or we have industry speakers come and talk.

00:14:10 - 00:14:41 Sybil
This year, we thought it'd be great to hear from departments, so we had department reps come in and be the interviewers of our industry experts. But the most fun that we had was we did a, what is that called? A county feud, a take-off on Family Feud, and our security manager grew a mustache, put on a nice suit. We took people from the different departments to come up and be teams and it was so popular, it was extremely popular. So, that might be a return event. So, we just finished with that and then we'll have some closing videos.

00:14:42 - 00:15:04 Sybil
But as far as phish training, I did want to say that we've done our phish training, we give awards when you report a phish where you have targeted communication. But I'm wondering if the communication is getting saturated. And I say that because as I mentioned earlier, our phish results have gone down and people even know it. They say, "Oh, my gosh, I clicked, I shouldn't have clicked."

00:15:05 - 00:15:32 Sybil
Sometimes I wonder, is our phish testing getting too hard? Because we take real phish message, modify them and send them back to the staff. And so now we got to do targeted, we're going to do targeted teaching again of phish, but it's got to be something different. So, I listened to John and his screensavers and other things, because I think we have to mix up how we're doing the training at this point. At least we do in our county. It's time.

00:15:33 - 00:16:04 Rita
Well, and I think we've made it into 15 minutes without using the phrase artificial intelligence or augmented intelligence. Because we all know that that has contributed to the veracity, the accuracy, and the realism of those phishing emails that we're getting. Great ideas. I've jotted down a few, and of course, I did take a look at your pre-video for the Family Feud or the Cyber Feud. Excellent idea, Sybil.

00:16:05 - 00:16:06 Sybil
Very fun.

00:16:07 - 00:16:28 Rita
We always say Sybil comes up with these great ideas. But all right. So, let's move on and let's talk a little bit about what we call resource gaps. Unfortunately, well, I'm going to generalize for a minute in that we all just assume larger counties have a lot more budget and have a lot better handle on cyber.

00:16:29 - 00:17:03 Rita
Not always true because I think the larger you get, the harder it is to know who's on your network at times, and to monitor the departments what they're doing individually. But irregardless, we have larger entities, we have smaller entities, how do we ensure cybersecurity for all? So, it's not just the well-resourced counties, which could be medium or large, but how do we take it beyond that in terms of a community? Meghan, let me start with you.

00:17:04 - 00:17:25 Meghan
So, in New York, one of the things that we have a very strong cyber shared services program. So, our governor, our legislature have come together and we provide endpoint detection, attack surface management, as well as we have a SOC that does all of the SIEM work there.

00:17:26 - 00:17:51 Meghan
We've also taken the State Local Cyber Grant program. So, we're taking the first 2 years and we're using it for multifactor authentication, and that is where all municipal corporations can apply for MFA. So, I think when we think about New York state, we're really trying to do quite a bit, and it's not every municipality, you can't get to all of them.

00:17:52 - 00:18:16 Meghan
But it's the 5 big cities, it's all of the counties, and then it is the 2 largest municipalities within each county we're also able to expand that. So, I think as we see not only at the federal level, some funding being cut for things that are important to county, city, town, village, we're funding as a state.

00:18:17 - 00:18:54 Meghan
The other thing we're doing is that in New York, many of the state agencies who have connections to all of the municipalities come together and we talk all the time. So, we're able to understand what potential vulnerabilities might exist in areas of our state, and then we work together on the state side to say, "How do we help them? How do we come together on the state side and do that?" Whether it's just targeting conversations, talking to them, maybe prioritizing, helping prioritize projects if they're in need of that.

00:18:55 - 00:19:18 Meghan
And then there's also the sounding board. So, the cyber incident response team, we get calls all the time whether something is going on or something just doesn't look right, and we need help figuring out if this is actually a compromise. So, we spend a lot of time just working through sharing screens and helping IT leaders just work through different problems.

00:19:19 - 00:19:49 Meghan
So, that covers all. One more thing. We hold a cyber capability workshop for all the non-technical leaders, which helps them assess their organization, their whole government on 12 dimensions. It's not scientific, it's meant to be as a way to talk about things such as data management and why that matters in cyber. Procurement, why attention to terms and conditions is meaningful in protecting.

00:19:50 - 00:19:58 Meghan
So, we try to get all of the different levels in each of the local governments in a different way that maybe meets them where they are.

00:19:59 - 00:20:21 Rita
Meghan, I've known you a long time. I don't think I've ever heard you say the 12 dimensions of cyber. So, now I'm really interested in following up with you, and I see them shaking their heads as well. Adam, let me turn to you. How about you from the community perspective and the smaller not as well-endowed with finances?

00:20:22 - 00:20:47 Adam
So, let me take a step back. First, the state does offer some tools and things for each of the counties that wish to partake. The cybersecurity grant money was done and put into what is our state SOC to provide security tools. So, there are things available to the smaller jurisdictions.
00:20:48 - 00:21:11 Adam
I'm obviously the largest jurisdiction in the state of Ohio. I did not take part in the Cybersecurity Grant program process, because of where we are and what we have funding for and what we do. It did not behoove us to go into the tools that the state had, because we already had tools that we had already purchased.

00:21:12 - 00:21:36 Adam
From our perspective, being a large community or a large county, I've always made sure my team is available and we reach out. First, we reach out proactively, but we also are available reactively to allow and understand what the jurisdictions of the smallest jurisdictions around us may need or questions they may want to ask, and go from that perspective.

00:21:37 - 00:22:06 Adam
My security team, I'm very fortunate to have a very large security team. But my security team, I have multiple members of my security team on the state cyber reserve team as well. So, we're also action oriented and our team will go out and help from a cyber reserve perspective. But the other nice thing about that is we also get other types of threat intel faster from our perspective, but then we try to share that out as fast as we can.

00:22:07 - 00:22:17 Rita
That's awesome. Great in terms of the sharing information. John, and then Sybil. You're on mute, John, sorry.

00:22:18 - 00:22:42 John R.
Thank you. A theme really developing here is peer collaboration, large county, small county. I really want to impress upon my colleagues in the audience that in order to use resources, you have to know they're available. So, you have to really make a conscious effort to find out all of the different free or reduced cost resources that might be available to you and that does through interaction.

00:22:43 - 00:23:12 John R.
I would not be afraid to have a smaller county call and have a discussion as far as what resources might be out there to meet and greet and discuss, because everybody knows something I don't know. The best way you can find that out is by having the dialogue with them. I will encourage you at this point too, to also get involved with the association. Certainly NACo works, certainly your state association. The list of free and reduced services that Meghan rattled off at the beginning of this was remarkable.

00:23:13 - 00:23:37 John R.
So, now we all have to move to New York to get served for cyber, but that's okay. They have a big tent, I'm sure they'll let us in. But your own state and your own municipalities in larger counties, like Adam's and Bucks, may be able to help you to serve some of your needs or point you in the right direction. Specifically, with the resources you have, 3 items to take away.

00:23:38 - 00:24:13 John R.
One, MFA all the way. You can do that within your own scope. Two, a .gov domain and website. The third is to really use an email system that has your own registered domain. I will tell you that I have come across counties that are still using publicly available email transport systems to correspond with county business. I think that regardless of the size of your county, you can get through those 3 hurdles and make yourself more resilient and effective regarding cyber without breaking the bank.

00:24:14 - 00:24:33 Rita
Good. All good points. And quickly, I will just mention NACo has a CIO reserves program and they have helped several counties already to move to the .gov platform. So, that resource is out there and maybe, Susan or Kimberly, can put a link in the chat to that information. Sybil, how about you?

00:24:34 - 00:24:57 Sybil
Well, here in California our counties are pretty large. Our counties and our cities are pretty large and they're very independent. They all have their cyber security teams or team person in their individual groups. But to John's point, we do get together in an association. We do get together in a Northern California group, where we get together and talk about what could happen.
00:24:58 - 00:25:24 Sybil
To Adam's point, we're a large county, but what we tend to be able to do with support and it's unfortunate, but we can support counties and cities in a reactive mode more than a proactive mode. In proactive, we're discussion and talking about what could be and what we do to prevent it. In a reactive mode, we've learned through time to have kits put in. For instance, we house the centralized criminal justice systems, and if a city's been attacked, they can't get the necessary information they need.

00:25:25 - 00:25:39 Sybil
We now have a kit that we can immediately bring out that allows them, through a VPN, to get right to our system rather than worrying about how to bring their systems up, et cetera. So, I think we're a great support in reactive mode. We haven't gotten to the proactive point yet.

00:25:40 - 00:26:02 Rita
Well, and that brings the point about whack-a-mole is what I call it. Really trying to get out of that for sure. So, moving on, just talking a bit about the state and local partnerships. We've heard a bit about both already. We also know we're in an environment where some things that have been working aren't necessarily working now.

00:26:03 - 00:26:24 Rita
What I'd like to hear from you is what is still working and is helping? The question is which leads? State taking the lead, local government taking the lead in cyber, or is it a combination, or one or the other? So, I'm going to jump to Adam first.

00:26:25 - 00:26:56 Adam
Figured you would. So, honestly, I have a different point of view. So, I think that the state should have a hand in one, setting some guidance and some rules on what we should be doing from a cyber perspective. But I think they should include the counties as part of that conversation. At the same time, I also think that setting those guidances or guide rails, there are different sizes, different types of communities.
00:26:57 - 00:27:13 Adam
It could still be a large community or a large county, but have very little resources just because it's a large mass, but not a lot of people. So, I think if you get into very rural parts of different parts of the US, you can have large counties, but very little people.

00:27:14 - 00:27:40 Adam
So, I think that you need to look at each county separately and understand do they have the ability to provide resources, or do they need help with getting resources? But I think overall, the state can take a hand on giving some guidance, but then those that can, should move forward in getting and building those security capabilities and those that need help.

00:27:41 - 00:28:01 Adam
I don't always think that centralized cyber tools or cybersecurity is the answer. Sometimes I think it's financial help so they can get those tools. Or there's an overarching enterprise license for the state that each municipality or local entity could then take part in.

00:28:02 - 00:28:25 Rita
That's a great example. I know a number of states, Pennsylvania being one, where the phishing tool was procured for the entire state for the election offices and then eventually to all the counties. And that was long before AI showed up as an emerging technology. So, Sybil and then John.

00:28:26 - 00:28:58 Sybil
I agree with Adam. Our state, they have great policies and a great toolkit that you can go in and look for items that might be of help, but we are still independent. What I really wish is that the state would get more involved and help us procure, get a better deal on procurement and help us all come up with products and tools that would make us more secure. But with their power behind us, we could get better deals. Right now we procure on our own independently and that's the cost we have to pay.

00:28:59 - 00:29:00 Rita
Absolutely. John.

00:29:01 - 00:29:17 John R.
Well, one of the interesting challenges for counties is that we are in some respects a middleman. We want to be autonomous when we looked at the state, but we would like to be powerful when we look at our communities. So, we are actually wearing both hats.

00:29:18 - 00:29:40 John R.
I would really suggest that the way we look at the partnership with the state, what we're looking for are some dialogue and help with acquisition of services, but not necessarily dictating what that is. We may want to bring that same posture when we start talking about the townships and boroughs that are inside of our county.

00:29:41 - 00:30:01 John R.
Because I would suggest that it is incredibly important to our cyber posture to make sure they are as resilient as possible as well. Because as a trusted partner, a lot of the challenges of attacks are coming in through networks, fire, EMS or whatever, they may be attached to our networks. So, as resilient as they are is important for us as well.

00:30:02 - 00:30:11 John R.
So, I would suggest that we're not only managing up, but managing down at the county level. And then we have to be aware of that as we go through all these different partnership discussions.

00:30:12 - 00:30:18 Rita
We're going to have a bit more conversation about partners and trust in just a moment. Meghan, to round this out, anything to add?

00:30:19 - 00:30:48 Meghan
Well, I think I talked about the statewide shared services and we do get economies of scale and it's offered to the municipalities, so they opt in or opt out. So, it's whether they would like to participate in that. I will say we do get very high participation because it's tools they were procuring or would procure anyway. And so even if it can be funded, they certainly take that. But it's also-

00:30:49 - 00:30:50 Sybil
Sounds like a great model.

00:30:51 - 00:31:12 Meghan
Yeah. We can't cover everyone. There's a lot of municipalities we can't get to and I've got to answer the phone and say, "I'm sorry. I wish we could, but we're not there yet." So, hopefully at some point. But we do take that very seriously at the state and we're turning back out the things we're learning through those shared services.

00:31:13 - 00:31:29 Meghan
One of the things is the really small municipalities with managed service providers, who are maybe not taking all of the steps that should be taking in these really small municipalities. One of the things we've been able to do is take some of those lessons learned and give them out to the associations.

00:31:30 - 00:31:51 Meghan
So, association leaders can say, "I understand these are happening in the smaller towns and villages. Now I have some fodder, some language to use with officials to help them ask the right questions and what to look for in the answers." So, we're really trying to do that feedback from what we're learning in this program back to the smaller municipalities.

00:31:52 - 00:32:16 Rita
So, it made me think of something Meghan, as you were talking, and we're going to move into in just a moment here our next question, and it has to do with our external partners. I know over the years there have been situations where a particular vendor was supporting a number of local governments, and their home office was in their garage.

00:32:17 - 00:32:41 Rita
Do you think we still have that? I'm just wondering, it was one of those thoughts that came to mind. And then how secure is that type of environment? And then how do we move beyond that? So with that framework, nobody's answering my question and it's okay. What I'd like to, well, let me stop here. Anyone want to comment on that one?

00:32:42 - 00:33:12 Meghan
So, I'm not popular among some managed service providers in our state, but I am popular with other ones. So, I don't think where their office is located, I've seen really small ones do a fabulous job, because they get it and they understand it and they don't say, "Well, they never asked for that." They're the ones pushing to their governments, here are the safeguards you need in place.
00:33:13 - 00:33:27 Meghan On the flip side, I've also talked to some that said, "Well, they never asked for that." Okay. Well, I know you don't work for the government, so it's hard. There's really no size fits all in this. So, I've seen some really small ones be absolutely great. 00:33:28 - 00:33:52 Meghan But then I've had some interactions, gone toe to toe with a few that have been telling their municipalities not to participate in the state program, and small municipalities to get that funding would be helpful. So, it's all over the place. But most of the time, I would say 75% of the time I have a good experience. 00:33:53 - 00:34:26 Rita So, the takeaway from this I think is with asking the questions. I think that we have some great relationships out there for sure, but you don't know if you don't ask, so I think that's important. Moving into the next section. So, have them partnerships be formed, first of all, if one of our entities, or municipality, or another department even that maybe has a separate IT organization, if there's an attack on one, it's an attack on all of us. 00:34:27 - 00:34:54 Rita I know over the years one of the things we've learned is sharing quickly what you can about this is happening. And that's where we've had some great national alerts that have assisted with that. So, the question I have for you is how can the partnerships promote the sharing and accountability for those best practice implementations? I'll go to Sybil first and hear your thoughts on that question. 00:34:55 - 00:35:18 Sybil Well, I think if you're talking our vendor partnerships and maybe some of our federal partnerships, they're absolute key for us to be successful. We do not know everything. Our forensic partner that helped us through an attack last year eventually became our team SOC, and we depend on them for their knowledge. We depend on them for their foresight, what they know and how they can help us, because that's what their focus is. Our focus is not. 
00:35:19 - 00:35:40 Sybil So, we have that advantage of being able to partner with them. If there are times where we don't feel that they're meeting our expectations, we tell them because we need to revisit are they the right partner? Is it time to move on? Even though they've been so good for so long, there is always to change in leadership and whatnot. I would say the same thing for our federal partners. 00:35:41 - 00:36:11 Sybil CISA, for example. We just really, really appreciate working with CISA. They haven't been impacted by the recent budget things, but they have been impacted by lower staff. We are concerned about them because they've brought so much to the table for us, whether it be elections, whether it be telling us of a potential threat, or attack, or training, or tabletops. They're an incredible resource and I use them as an example that we've really become dependent on them and appreciate them. 00:36:12 - 00:36:30 Sybil But I would say that with all of our vendors in the cyberspace, they're all important. They all bring something special to the table and we need to take advantage of that. We also need to talk to them about what they're doing going forward. What is their roadmap? Where is it going? How do we make sure that we're ready for it or that we're taking advantage of all the services? 00:36:31 - 00:36:46 Sybil Because there's times where we may look at a product that we purchased or a vendor that we partner with and we're like, "Wow, we're only using a portion of what they provided us. There's so much other good stuff." So, I think our vendors are so important, our partners are very, very important. 00:36:47 - 00:37:11 Rita Well, before I jump to, we'll go to Adam next, redundancy is not a bad thing. Having dual coverage in certain areas is actually a blessing. And so you may have engaged more than one partner to do something similar and maybe just does it in a different way or again, completely redundant. So, Adam, how about you? 
00:37:12 - 00:37:33 Adam So, one, I want to take a step back to what Meghan said earlier. It doesn't matter what the size of the vendor is, it's about how you validate what that vendor does and do a vendor risk analysis. And you have to know what your risk tolerance is to what level. And then that goes right into the use of what this next question is. 00:37:34 - 00:37:53 Adam Honestly, I think that what we need to do is what we don't do, and that as vendors that we currently have need to do more public postmortems with their clients, not publicly. Because if you do them postmortem publicly, then other people learn how to attack. Other bad actors learn how to attack. 00:37:54 - 00:38:24 Adam But I think that one of the things we need to do is when we have a vendor that we're working with and they walk somebody else through another government client or even a commercial client, I think they need to get better at going right back to the vendee network and share this is what something that did happen and here's what we ended up walking them through. Are you there and have you protected against that, because we're finding it in the marketplace? 00:38:25 - 00:38:47 Adam That's some of the things, the landscape information that we would get from the CISAs and the MS-ISACs and all those. Those things are very much valuable to all of us because it gives us that ability to not have foresight, but it is foresight because we're seeing what others are going through and how they recovered from it, and it gives us an ability to start looking for things. 00:38:48 - 00:39:11 Adam So, I think that having the ability to learn from others in real time or close to real time as soon as possible, helps us a lot more than just 100% reliance on vendors. I think your other point around having one or 2 vendors is having primary insurance and secondary insurance for healthcare. 
00:39:12 - 00:39:39 Adam There are tools that we own that sometimes has a component to it that we turn on, that is like a secondary insurance package to our primary tool that we're using. It's important to have those things. You should not always have duplicity across everything because it's cost prohibitive for a lot of things and a lot of reasons. But there are certain things that make sense to have a duplicity and a secondary check on. 00:39:40 - 00:40:08 Rita Right. Right. Excellent. To your other point, I do want to add, I think it's important as well as local government where appropriate in the right framework, to share security incidents that maybe they've encountered. It could be the malicious email that spread a virus, and so to hear how did that entity, that county react? What did they learn from it? We learn from that as well. John, how about you? 00:40:09 - 00:40:25 John R. As I think about the subject of partnerships and leveraging and evaluating them, I'm thinking that there's one partnership that many counties have that may not be leveraging or using to its full. And with that teaser, I will say that vendor partnership is with your cyber insurance company. 00:40:26 - 00:40:39 John R. I think you and that cyber carrier have a vested interest in making sure you are resilient and effective. I think many counties may err on the side of saying, "I don't want them in my door, I don't want them to know what's happening here. I don't want to have to pay another nickel for this." 00:40:40 - 00:41:03 John R. Where I think leveraging that relationship will actually give you an opportunity to get better. They can get better knowing you and servicing you, and they may have wraparound services that you could avail yourself to. As part of a policy, you may have access to an annual or biannual pen test, and they may want to fund that just out of their own self-interest in keeping you safe. 00:41:04 - 00:41:25 John R. 
Or you may be able to negotiate certain amount of hours with your impaneled remediation company to come in and do a lay of the land of your network before an event. A cyber carrier really is invested in making sure that you succeed. I would like to make sure that you leverage that partnership. 00:41:26 - 00:41:27 Sybil Agreed. 00:41:28 - 00:41:59 Rita Yes, 100%. I wonder how many of you have actually reached out to your cyber insurance carrier, you know the contact person? John, you're exactly right. They will give you free additional education and overview. Though, the thing you want to try to avoid is this is the first time we need you. Rather, what can we expect if we need you? What should we be focusing on? That type of questions for short. 00:42:00 - 00:42:06 Rita And so that's probably one of my takeaways at the end. Meghan, how about you? And then if Sybil wants to add anything else? 00:42:07 - 00:42:30 Meghan So, in New York, we're decentralized in cyber, so there's many organizations. But when I think about it, I think it's because there's 2 that are really strong. So, we have the New York State Local Government IT Directors Association, been around for 30 years, and they're able to bring together a lot of people, a lot of information. So, that structure is there and it's strong. 00:42:31 - 00:42:46 Meghan The Division of Homeland Security is also one of the most trusted partners. So, that information funnels through there. So, those 2 together. But there's a couple of people I know on this call who are just jumping up and down and so excited about what John said about cyber insurance. 00:42:47 - 00:43:14 Meghan So, we have the New York NYMIR, the New York Municipal Insurance Reciprocal who has a cybersecurity specialist, who is also out there talking with us and we're getting on the same page. We're promoting each other's informational sessions. 
So, I feel like with these organizations; DISHes, Homeland Security, brings in New York State ITS, the New York State Police Cyber Analysis Unit, the FBI, we also bring in CISA. 00:43:15 - 00:43:34 Meghan So, with those anchors there, I feel like it's easier for local governments to know where to go to, because it's a couple of points that I can go to and I can get a lot of information. Or see the person and be able to meet them, so I know who to go to for future. 00:43:35 - 00:44:00 Meghan Twice a year, we hold what's called a Cyber Whole of State Update, and that is we bring in the head procurement agency, we bring in the court administration, we bring in elections, we bring in ITS. And on the state side, every single one is giving a short presentation on what investments they've made, what questions they've heard, so you can see a face and a phone number and an email, so you know who to call. 00:44:01 - 00:44:20 Meghan I will admit they're getting long because lots of agencies want to participate, but those are, I always think it comes back to relationships. When you know the name of the person and you know who to call, I just think it makes the information sharing easier and we've got some good anchors of that in New York. 00:44:21 - 00:44:28 Rita I was just thinking about the word relationships, how important that is. Sybil, anything you want to add to this part of our conversation? 00:44:29 - 00:44:44 Sybil In part, relationships are important. I wanted to second John on contacting your cyber insurance partners, because they can move fast, they have connections, they have experience. It's important to know what their rules are and guidelines are when you need to connect them. So, absolutely agree with John. 00:44:45 - 00:45:10 Rita Well, there is in the chat a comment about knowing what your cyber insurer will provide, but also knowing what is not covered. 
I like both parts of that because you don't want to be caught by surprise if there's an incident, and you go to utilize cyber insurance and you find out that particular piece isn't covered. 00:45:11 - 00:45:45 Rita So, let's move into this last section, last part of our conversation. It really has to do about building a cyber culture. We know this definitely has gained a lot of attention being October Cyber Awareness Month, but how do you embed and sustain this culture through the entire year? Especially when you think about elected officials, not just your staff, but elected officials and even the public that you're serving. And what we'll do, we'll go to Adam, Sybil, John and then Meghan. 00:45:46 - 00:46:13 Adam So, reality is Cyber Security Awareness month is just a time that we turn up the heat a little bit, but it's the same things we're doing all year round. We're still doing phishing campaigns, we're still doing awareness, we're still doing training on a regular basis. We're trying to make sure that that monthly training, things like that are done on a regular basis, and that we're just drawing a little bit more awareness to it in October. 00:46:14 - 00:46:43 Adam But reality is everybody understands what they get on a monthly basis and what our expectations are. We're actually pushing a little bit further into this cyber security training. Starting in January of '26, everyone will have 90 days to get their annual training done. And if they don't get it done, they get turned off until they get it done, and that's the only thing they'll have access to. And then we still do the monthly training as well. 00:46:44 - 00:46:59 Adam But we're pushing it a little bit harder to make sure that they are paying attention to it. And then we're going to do some targeted campaigns for those that have missed certain questions or have fallen to a phishing attack, we may do some targeted campaigns against that or with that. 00:47:00 - 00:47:09 Rita Really good practice. 
The annual review is so important in addition to everything else. Who's next? 00:47:10 - 00:47:30 Sybil I'll go. So, trying to make it part of your culture is so important and we've been trying everything we can to do so. We now have IT people go to the onboarding processes for new employees for the county, and they talk about security and the importance of security. They threaten if they don't close their laptop that they'll do it for them, and they do. But definitely hitting the onboarding. 00:47:31 - 00:47:51 Sybil We have departmental meetings where we go in and talk about AI and whatnot, and it's even part of that. We're going to talk about security and the importance of security. We have town halls coming up, we're adding cybersecurity. Even though the topic isn't on cybersecurity, we're just making it part of everything we do. So, we spend whatever amount of time we feel is important to talk about cybersecurity. 00:47:52 - 00:48:15 Sybil We produce videos that go out throughout the year. We do our tips and tricks of course, that go throughout the year. And then we use the non-October month. That's the good time to implement tabletops around the county, train and update the board and all of those things. But it does have to be part of everything you do. I think especially for onboarding, we've been very successful lately. 00:48:16 - 00:48:47 Rita So, on a personal note, we all have our cell phones and hopefully still have them password protected in some fashion. I have adult children and the one walked by my phone and he thought it wasn't password protected and he got all over me. And I was like, "I'm really glad you noticed that my screensaver hadn't kicked in yet." But it's a culture not just in your workplace, but in your personal life as well. Meghan and then John. 00:48:48 - 00:49:27 Meghan So, I truly believe that everyone wants to play a role. No one wants to click on the email. Everyone wants to figure out where they fit in. 
Sometimes it's hard if you don't speak the lingo and you're not in the meetings. And so back to our translation of technology to those who are leading the business, it's about talking about why a centralized procurement process that has a security review of any product, why that's important. And Sybil is laughing. 00:49:28 - 00:49:29 Sybil Yeah. They hate it. 00:49:29 - 00:49:41 Meghan Right. We do this in our workshops and we have a definition of what's a low capability organization and what's the definition of a high capability organization on cybersecurity and procurement. People go up with their little dots and they put it closer to low or high. 00:49:42 - 00:49:59 Meghan The procurement people, this has happened a couple of times, will go over to the wall and start laughing hysterically, and we're like, "What's so funny?" They're like, "People think that we're high capability and we're not. Because not everybody is following the process because every technology investment needs a security review," and then it opens up that conversation. 00:50:00 - 00:50:26 Meghan So, I really think that everybody is just trying to figure out their hook, where do I fit in to helping protect the organization? And so I think those sessions are a way to just get people to say, "I might not be on the technology side, but I do play a role in helping my entire unit know that it's important that we do all the training. And I hold people's feet to the fire and that's the role that I play." 00:50:27 - 00:50:56 Meghan Or I'm in a county-wide meeting and I'm going to ask about cybersecurity, because I haven't heard it brought up yet and the technology person is not here. That's one of the things, having a champion, having a cybersecurity champion or ambassador that's not someone on any IT or cyber team. When they're saying it in meetings, you know you've made a little bit of headway within your organization. So, when we hear things like that, that's what we try to promote. 
00:50:57 - 00:50:59 Rita Absolutely. John. 00:51:00 - 00:51:17 John R. So, I have 2 takeaways on this topic. One, Rita already mentioned, so I'm going to give it another shout out, because it's so important. When you provide messaging and education to your employees on cyber, make sure that they understand it impacts their personal life just as much as their work life. 00:51:18 - 00:51:35 John R. They are so much more invested when you're talking or using examples about a personal banking site that they might be going to, and why MFA is so important for their banking experience, and what it means to set up their personal phone, or how to interact and make that safe. Those skills are transferable to work. 00:51:36 - 00:51:58 John R. I want to flip it on its head. Usually we tell them about work skills that they might be able to take home. We are much more effective when we're talking about how to manage and be safe in your personal life. They're much more invested in how those skills transfer into the work life. So, it's all in your discussion and how you point the tools to them and make it relevant for them in their personal life first. 00:51:59 - 00:52:24 John R. The second thing I will talk about is something we, when I say we, I mean I, am not very good at. I'm not very good at promoting our successes. Every day we have many of successes and wins and we've stopped many of challenges. But the thing is in our cyber world, when everything goes well, nobody really cares, and when things go bad, IT broke something. 00:52:25 - 00:52:47 John R. So, what we've got to do is try and flip and fix that messaging. One, to make it not an IT problem. That is the biggest thing. That this is a whole of government approach to this. It is just not an IT problem to solve or an IT issue to resolve and get finished with. It takes a village, it takes a team, it takes everybody. We're all in this to make this happen. 00:52:48 - 00:53:17 John R. 
And secondly, allow yourself to have not just the bully pulpit, but the celebration pulpit when things do go well. Or when you stopped a phishing attempt because your tools worked. Or you were able to provide education that got promoted well. Allow that to resonate not just with your own security team that you might be doing well, but please, bring that up to leadership. Let people know throughout the government that you've got their back. 00:53:18 - 00:53:40 John R. By the way, having that relationship is absolutely going to help you when you tell them that you have to review every app that they on their smartphone device. And they're saying, "But why? It's only an..." "No, sorry. It's got to go through our security review and it's going to take you a month to get that app." At least you've got the credibility and they can have that trust with you to know that you've got their back. So, 2 takeaways in this. 00:53:41 - 00:54:03 Rita Absolutely. And you're back to the relationship piece. So, I want to give the attendees an opportunity. If there are any questions we have staff that are monitoring the chat, we'll just give it a minute or so. And then I just want one 30 second or less takeaway from each of you. John, I think you already gave 2, but you can give another one. 00:54:04 - 00:54:22 Rita But are there any questions from attendees? Anything in the chat? Any raised hands? All right. Well, feel free to put a question in the chat. 30 seconds or less. Meghan, one takeaway for our attendees today. One key point. 00:54:23 - 00:54:48 Meghan So, I think when you are building a cybersecurity culture, you never really know how people need to hear information. So, you might need to say it multiple ways in different ways that are funny, not so funny. And that's hard because, as John said, we don't always talk about everything, we just put out straight information. So, crafting the message needs extra time to meet people where they are. 00:54:49 - 00:54:50 Rita I agree. 
Sybil. 00:54:51 - 00:55:18 Sybil I like what Meghan said, she said it perfectly. But I would add what I'm taking away from today is relationships. I think that was the key word, and you've mentioned it several times. Whether it's relationships with cities, whether it's other counties, whether it's the people on this call, whether it's your federal partnerships or your vendors and your cyber insurance, can't forget John. All of it, I think is really important and relationships are key. 00:55:19 - 00:55:40 Rita Before we go to Adam, I see a hand raise. Paul, you have a question? Do we need to unmute him? Give us a second, Paul. We'll figure it out. All right. I think you're unmuted. 00:55:41 - 00:56:07 Paul Hi. PJ is good. Paul is too formal. I appreciate that. I just wanted to say I'm a member of the Board of Governors from NYMIR and I know the cyber is a piece. I know Meghan mentioned the events or the effort. So, there is a big push from NYMIR. Really excited about what we've done and that aspect of the portfolio has really grown. We have a meeting coming up, I believe the 6th and 7th in Albany, so I will bring that. 00:56:08 - 00:56:30 Paul But anything you'd like for us that I could share, I could bring back to this committee as well. But again, really excited that there is an interest. About a year ago, there was very little when it came to cyber insurance, and obviously carriers have realized that it is a very important part of the profile and coverage for counties. 00:56:31 - 00:56:38 Rita Thank you, Paul. It's great information. I appreciate that. Adam, one thought, one takeaway for our attendees today? 00:56:39 - 00:56:58 Adam I'm not going to add on to what everybody else has said because Meghan took mine. So, my biggest one would be build a relationship, and Paul actually said this. Build a relationship with your cybersecurity insurance vendor. Know what they have, what's available to you, what they can help you with. 
00:56:59 - 00:57:14 Adam Don't be afraid to talk to them and don't call them only when you need something, call them in advance. Understand the process, understand what they can give you, and how they can help you and guide you along the way as you go through this journey on a daily basis. 00:57:15 - 00:57:27 Rita It's like maintenance. If you do the maintenance, it's not near as bad when something goes wrong, hopefully. John, last word there, and then I'll have a couple closing remarks. 00:57:28 - 00:57:42 John R. My takeaway is that remember, nobody can do everything, but everybody can do something. I encourage you to find that something you can do and act on it and make that work for you and your county. Thank you. 00:57:43 - 00:57:50 Rita Excellent. All right. I just love the thoughts that have been shared here. I have a few takeaways myself. [Presentation slide 3: This slide is divided vertically into two sections. The left section features the "CAI" logo and tagline "We power the possible™" in white text. Below is a QR code and text that reads, "Thanks for joining us!" and "Scan the QR code to reach out and get to know us better", followed by contact information: "www.cai.io," "inquire@cai.io," "+1 (888) 824 - 8111," "@CAI," and "@CAI_Insights," each with respective icons. The right section contains an image with a colorful padlock icon positioned on top of what looks like a stacked microchip or digital platform.] 00:57:51 - 00:57:59 Rita But just a couple highlights. Really appreciated the screensaver idea that John shared. You can do that all year long. It doesn't just have to be in October. 00:58:00 - 00:58:18 Rita And then the leaderboard, Adam, that'd be really interesting to see who's at the top of that leaderboard, because we know we have a lot of competitive individuals in local government. So, I am just really thankful today that we've shared some tips on cyber awareness with our attendees. 
00:58:19 - 00:58:33 Rita I know that there'll be a follow-up email going out with the recording, as well as some additional information. So, thank you everyone for joining today, and let's give a virtual round of applause to our panelists. [Closing slide: Blue CAI "We power the possible" logo appears in middle of screen. Company website www.cai.io appears at the bottom center of the screen.]
