
A Practical Path to MFA

While multi-factor authentication (MFA) is at the top of many counties' cybersecurity priorities, implementing it is not straightforward. Selecting the right authentication methods can be overwhelming: counties need to keep the county secure while also giving employees, suppliers and citizens a good user experience. On this episode of IAM Pulse, we are joined by county CIOs to discuss how best to implement MFA and what county officials should look for in an MFA solution to improve user adoption.


Listen to the podcast:

Spotify | Anchor.FM | Apple Podcasts

Transcript:

William Papa:

You're listening to IAM Pulse, a podcast discussing all things identity and access management, from defending against cyber-attacks to enhancing your overall cybersecurity strategy. This podcast is brought to you by BIO-key International, an innovative provider of flexible, secure access management and biometric identity solutions. We're sitting down to talk about the impact identity and access management makes on you and your business.

Rita Reynolds:

Today, as I mentioned, we have three lovely ladies, myself included, who will be talking to you about multifactor authentication, really from a strategy perspective. I am the CIO for the National Association of Counties, and I really enjoy working with all of you in the counties, as well as our partners in the industry. We are fortunate today to have Sybil Gurney with us. She's the Assistant CIO for Alameda County, and I know Alameda County is a little large; however, she has some great practical advice that I think you'll find beneficial regardless of the size of your county, so I don't want Alameda County to scare you away here, as you'll get to interact with her shortly. And then finally we have Kimberly Johnson. She's the Vice President of Product for BIO-key International; they have a number of multifactor solutions and approaches, and she really has a heart for the customer. And I think you'll see that shine through as we start this presentation. So those are the three of us today; I just wanted to share that from the speaker perspective, and you will have our contact information afterwards.

Rita Reynolds:

So let me just spend a few moments talking about how this came about in terms of the content. Back in the May timeframe, June timeframe, we had been working to update the NACo platform for technology. And one of the areas that we were a little light on, maybe not as specific as we need to be, was the area of cybersecurity. We worked with a number of county IT leaders, as well as talking with other national associations, including NASCIO, the National League of Cities, the National Governors Association and a number of others, just validating: what are the priorities in cybersecurity? And from those conversations, we were able to put together a publication. I know many of you have probably seen that. The link is shared here on the PowerPoint, and it's 11 areas that are extremely important.

Rita Reynolds:

You'll see in the publication that there are three icons. One talks about how much money's involved: if it's all green, then it's a little bit more costly to implement. The second icon is about the effects, the results we get from implementing. If that's all circled in yellow, well, it may cost, but it's going to save you in the long run because of the benefits it brings to your county. And then the last one is how much effort it is going to take from either your resources or outside resources, and if it's all blue, then that means it is going to take a good bit of effort to implement. So as you can see, MFA, multifactor authentication, is at the top of the list. I can't emphasize enough how important that is. And just this morning I had a really fast request on how our counties are affected by cyber attacks; I quickly put together, you know, five or six short bullets up here as examples.

Rita Reynolds:

And many of those examples came as a result of not having multi-factor authentication in place. We're going to explain it, for anyone who might not be clear on what that means, in a little bit; but for right now, what I would like to do is poll all of you as an audience to get a response from you. You'll see the question on the slide here, but I'm going to bring up the poll in just a minute. Just to refresh you quickly: multifactor. If I log in and I put my username and password in, it's going to send me a PIN on my phone with a four-digit number that I have to put into the screen on the computer. That's multifactor. There are other ways of doing multi-factor, but that's the easiest one to explain.

Rita Reynolds:

So let me start the poll and you will see: do you have multi-factor in place for your end users, and/or for your end users connecting through VPN? You should see it now. Do you have it in place for server access? Do you have it in place for citizens? Let me explain that one real quickly: citizens, if they are coming to your website, are they required to log in before they put additional information into a particular area, whether it's a permit application or anything along those lines? And of course there's always all of the above or none of the above. So I'll give you another minute here; a lot of you have already responded, and I, as the person watching it, can see the results and we are almost there. I'm going to go ahead and in about, well, five seconds, I'll close the poll.

Rita Reynolds:

It's fine if you didn't have a chance to respond, but this is really, I think, telling. So you should be able to see that 30% of you have it in place for end users. Another half of you have it in place for the end users connecting through VPN. And that's really important. We've had a number of conversations about that, and it's not always the easiest. And then the server access is a little bit lower; we'll have some conversations about that possibly a little later. This is great information for us at a high level to see, because we know we're not there yet in terms of multifactor authentication being in place. And our goal today is to give you a starting point and hopefully additional guidance and resources to make that journey. So in order to talk about that journey, what I'd like to do right now is turn it over to Sybil Gurney and let her share the journey that they've been on and how it started when it came to implementing multifactor authentication. So Sybil, it's all yours.

Sybil Gurney:

I'm Sybil. As Rita said a little bit about us, at Alameda County, we're here in California. We have about 10,000 employees. We have 1.5 million residents. So we are a bit large, but I think a lot of what we've learned, like Rita said, will even help the small counties. We started our MFA journey back in 2018. Let me bring you back to 2018, if you can remember back when MFA was actually not very popular in the environment; maybe with banking and some other industries, but it wasn't rolled out into too many places. So back in 2018, we had just kicked off our digital transformation. We were going to adopt Windows rings, we were going to do patching, we were going to do all of those things. And as we were discussing what our strategy was, ransomware was just attacking everywhere.

Sybil Gurney:

I'm sure all of you remember Atlantic City; that was a big deal. You know, they didn't pay the ransomware. I don't even know if they had the opportunity to do so. They had to go back to manual processes. I think the CIO got laid off. That was anywhere from a 17 million to a 26 million event. While that was going on, we had all the other events playing out around us, like Davidson County, North Carolina; the Colorado Department of Transportation got hit twice; Texas. We were just hearing of states, counties, cities, our local sheriff's department, one of our local cities, all shut down with ransomware, and we were just waiting. We were so concerned that somebody was in our system somewhere, just waiting to attack us, that we got very, very nervous.

Sybil Gurney:

And then over a three-day weekend in February of that year, we had a very large phishing attack. And you would think that on a Sunday morning on a three-day weekend in a county we would be safe, but lo and behold. Let me give you some stats on what happened with that phishing attack: 4,000 people within the county received the email, 390 employees opened the email, and the email was taking them to a link that asked for their credentials. It was like an Oracle form. It looked like logging on to do your timesheet. It was really well done, and they actually entered their credentials. Now, again, this is Sunday morning on a three-day weekend, between, I think, like five and 8:00 AM. Who would have known, right? And the email, you can't really see it on here, but it was quite clever.

Sybil Gurney:

It came from a real district attorney within our county. It had, and this is the only clue, the district attorney seal on it, but it was for the City of Alameda, not the County of Alameda. And if you don't know your logos, you would have been easily fooled by that. So people thought this email was coming to them from a district attorney with the county seal, asking them to enter their information. And so they did. And because of this, we knew that we needed to do something. The email itself actually ended up coming from Dubai. That's important to know because that played into what our decisioning was. But because of the environment and because of this particular attack, we were almost a hundred percent positive, like I said, that there was somebody in our environment and they were ready to take us down.

Sybil Gurney:

Like the other large counties, we knew, being a large county, that we were definitely a target, and we are still a target. I know Kim is going to talk about assessment and how you assess what you're going to do. We were more in the reactive mode; we were under attack and we had to move fast. So next slide, please. So what did we decide to do? Oh, by the way, we had a new CTO at the time. And so everything was new for us. So we knew we had to do something quickly. We're pretty much a Microsoft shop. So Microsoft offered, and of course it cost us later, but, you know, try this for 30 days. Here's your risky sign-on; how about doing risky sign-on? At least that will start protecting you, and you can be protected quickly. And what this did was basically say any bad locations, like Dubai or, you know, Nigeria or any suspicious place that we know hackers are coming from, get blocked.

Sybil Gurney:

Or if somebody's traveling, let's say they're in New York and 30 minutes later they log in from LA, you know, that's impossible. So we would block obvious outside log-ins. But what happened with that? It was really manually intensive. So if one of our Board of Supervisors wanted to travel, they would have to tell us or we'd block them. And there was a lot of travel back then, before the pandemic. So anyone that traveled would have to notify us and we'd have to manually work around it. It was just a pain; it was a pain for everyone. So by the end of that year, we decided to start our MFA journey. And our MFA journey was not quick. You know, even though we started in November of that year, it took about a year to get us fully rolled out, which I'll talk about later. But we decided that we would go with Office 365 MFA because, again, being a Microsoft shop, it seemed the easy thing to do.

Sybil Gurney:

So we kept our risky sign-on while we went through our MFA process. And our MFA process, you know, was not easy back then, and not easy at the beginning. For any of you that work with Microsoft, you know, at the beginning, when they are advertising their products, they may not be all that yet. There are still some bumps and there are still some things not worked out. So we had to work through that. We had to figure out what our MFA was going to look like. Was it going to be an authenticator app? Was it going to be a token? What was it going to look like? So a lot of that decisioning we had to make up front before we could even plan on how to go forward, and I'll talk about our rollout later. So we decided to go with authenticator MFA, and we partnered with Dell and Microsoft, and the way Microsoft works, they were able to give us credits that we could use with Dell.

Sybil Gurney:

So the whole analysis really didn't cost us anything, which was really nice and helped us decide what our strategy would be going forward. So that's what we decided for our endpoints and how we wanted to use MFA. And then of course, on our infrastructure side, we were especially nervous about that, knowing that if somebody got into our environment and we had a crawler, you know, we need to make sure that we're secure there as well. Because if you look at attacks like Atlanta, I think it happened with, you know, an open laptop in a fire station or something to that effect. And then they got in and they were able to move around. So we wanted to make sure not to get into those predicaments. So we actually chose Duo over Microsoft in this case, because it was just less complicated and easier to use.

Sybil Gurney:

We don't want to complicate our technology stack, but it seemed to be the right decision. And then we had a cybersecurity policy that helped us enforce it throughout the county. And just a little bit about the county: we're a federated IT department. So we have an enterprise IT department with about 200 people and about 20 departments throughout the county, and five of them have their own IT groups as well. We have the enterprise apps; they may have their business apps, but there's some overlap. So we needed a cybersecurity policy to help roll out the discipline. And I'll talk about that in a bit. So this is what we chose and why we chose it. And that began our journey.

Kimberly Johnson:

And I'll turn it back to Kim. Fantastic, Sybil. Yeah, a lot there, right? In terms of having experienced an actual attack, going through the selection process, different use cases, different methods, right? All things that we're all too familiar with if we've been through it, or, in my case, I've just spent a lot of time with all various industries, all different customers going through this exact challenge. Right. And even before we started the webinar, I was saying, you know, what's the barrier? Why can't we implement? If it's the number one priority, if it's the top thing, if it's known to be something that's impactful to prevent attack, what are the challenges? And even at the NACo annual conference, a lot of folks that I talked to were using passwords. And so it was interesting.

Kimberly Johnson:

We just did a survey, so more from the industry perspective, on what some of those barriers are. And that drove a lot of the content for today in terms of the practical steps: user adoption, are people going to adopt it? Are they going to be willing to use it? I'm a big proponent of this: MFA is only as successful as it is actually adopted. Right. Not good if it never gets used. So that's probably one of the biggest areas of concern, the change management. Also the privacy policy regulations, right? Even with those OTPs, the codes being sent to phones, nowadays there are all these regulations coming about, about paying for the phone plan, and what do you do for methods? And then expensive, right? I'm a vendor, right, on the vendor side.

Kimberly Johnson:

And so it does cost money to do this. And so how can you, and we'll talk about that too, how can you be more cost-effective and, as Rita said, start somewhere; start with a point of implementation and go from there. And then just not being sure how to use it or where to use it. Right. We've seen that a lot where, okay, we'll just put it on VPN or we'll just put it on privileged accounts. Right. And so how do you get to, as was recommended even at the conference, how do you get it on every single account, which is a challenge. I think the other thing that stands out is there's a lot of buzz in the market. There's a lot of terminology and content and just a lot of vendors.

Kimberly Johnson:

Right. And so we all put information out there. We all talk about MFA best practices, pick us. And it's confusing. And, you know, lately zero trust is a good example of that, where it's been pushed hard. I think there's a lot of: where do I start? How do I begin? MFA is a great place to start, but we're also hearing the same thing: resources are limited to be able to implement that. And then finally there was a great report by (ISC)² that was talking about the cybersecurity expertise gap, and really the talent and skill shortage that we have. It has gone down, but we're still at about a 3 million shortage in cybersecurity professionals. And so it is good to see a lot of educational institutions implementing cybersecurity programs, but there's still a long way to go in terms of the resources. So turning it back to you, Sybil, and obviously to Rita: what are some of the challenges specific to counties? What do you think are some of the major challenges you've seen over the years for being able to implement it? And what is maybe the hesitation that's more specific to counties, or is it the same as what we saw in the survey?

Sybil Gurney:

Sure. So for us, as I mentioned, we're federated, so one of our biggest challenges was getting everybody on the same page, whether it be with MFA and why we chose the MFA method we did, or whether it be any of the other security initiatives that we wanted to roll out too. So our challenge was getting everyone on board, and the thing that we did to do that: we actually used friendly competition. We would put a report together by department. How many people have BitLocker? How many people have MFA? How many people have smart passwords? How many people have expiring passwords, or whatever it was that we had at the time. And, you know, put the friendly competition out there. And basically the department heads would say, oh, you know, the sheriff is doing better than I am, and they'd come back and get mad at their IT teams, and their IT teams would get mad at us because we told their department heads. I mean, it was all a big vicious circle, but not one of them, because of the environment I described, no one wanted to say, yeah, we're not going to do anything.

Sybil Gurney:

I mean, knowing that that was not an option. And I think that was probably one of the things that really helped us move forward. So that was definitely one of the challenges for us, more internal: the adoption by everyone of whatever we were trying to roll out. And the other one is, you know, the tools seem to change and we seem to get smarter. And what seemed to make sense, like risky sign-on, which doesn't make sense at all now, made sense back then. And I think I was saying this to Rita yesterday: so how do we keep current? I mean, the tools keep changing, and they're getting more mature, and the technology stack, and which way do you want to go? Even though we have a roadmap, sometimes that roadmap has got to, you know, take turns based on what the market is looking at. And you're asking about specific changes. I think what I just said makes sense as what I think the changes are. The change in people: the adoption has very much changed. It was a fight at the beginning, when I talk about 2018 and trying to get everyone on board. Now everybody is proud to lead the effort; they want to be secure. They don't want to be the one that brings us down. So I think that's a really positive change.

Rita Reynolds:

Well, I agree with everything. And as Sybil said, the one piece that I will add, and it was posted in the chat, I think directly to me, is that in local government we tend to have an older population of employees still. And we still have those employees who do not have a cell phone at all, or, I know, flip phones still exist. So the pushback there is, well, I don't have a cell phone, so what am I going to do? And early on, that was the only method that was available to us, the PIN, surprisingly, in terms of the solutions we were looking at. And then of course being asked to put it on their personal device was another one, or, well, who's going to pay for those texts? A lot of folks don't have unlimited texting.

Rita Reynolds:

The pushback in those areas is getting less and less. But when I talk to counties in rural areas, it's still a very big issue. And so I've been pushing the fact that there are alternative ways to have multifactor now, not just the four-digit PIN. And so I remind folks when I talk to them, even now, when I'm on the banking site, it'll say, you know, do you want us to send you the code to an alternate email or to your phone? And so there are other options that have alleviated some of that, at least that part of the concern, which addresses using a cell phone at all, or using their personal device. Then you get the conversation of, well, I don't want to give you my personal email. And yet how many of those same staff, when they get logged into their payroll account or something similar, that's what they put in there to get their retirement information, things like that.

Rita Reynolds:

So that's what I would add there, Kimberly, in terms of how things have changed. It's definitely a lot easier to require it to be mandatory now. You still have pushback from elected officials; I just read a recent article of, it was not a county council member, but a council member of a government entity, and by peer pressure he eventually said okay. So the mandatory part, I think, is getting better. And with all of the recent attacks and the change in the environment, making it mandatory has become a little easier.

Sybil Gurney:

I want to agree with that. We have a hundred percent adoption. You either have MFA or you don't; you can get in or you can't. It's very clean cut. And it's funny, because your electeds and your Board of Supervisors are the targets. And they were, hey, one of the last that we got on board, but we got them all on board. Again, the fear of being the one that brings in an attack is pretty strong. But they didn't like the change, and once they changed, they were fine. In fact, they're now advocates for it. They're going out there and saying, make sure you're on MFA. We're doing videos with them. They're all in now. But at the beginning it was pretty tough. They were like our last people that we were able to convert.

Kimberly Johnson:

Yeah. Those champions, especially if you can get one or two. I have some background in healthcare, and clinicians, I would say, have taken the cake for the most difficult, as they used to cut up their smart cards and glue them into the readers in the UK and do all kinds of crazy things. But I think the other piece that I would highlight too is this migration or evolution of MFA. When it first came out, I don't know if you remember, it was financial only, and it was password and it was questions. That's both something you know. And so then they rearchitected the controls and said, actually, it's got to be something you know, something you have, something you are, and you can't just use two things you know. So they refactored it.

Kimberly Johnson:

And then you had an industry, from the vendor perspective, you had the FIDO Alliance and you had the big guys, the Google, the Microsoft, right, come in, and phone-factor based became the way to go. And so what we're finding now is what you've highlighted along the way, which is you need options. I mean, we're at 16 different methods that we support. It's not a plug for us; it's just literally what we've had to include and integrate because of all the scenarios we've come across. Right. And I think that's a really key part. We'll talk about how to select those in just a few minutes. And so I think from that, the goal today, right, we've talked about what it is, what you need; Sybil, your story is fantastic as firsthand experience. And we wanted to make sure to provide everybody listening with a practical path, right?

Kimberly Johnson:

It's one thing to say, like, attacks are happening, you need MFA, but how do you get there? And one of the sparks for this: I was at the annual conference, I'll keep referencing it, but I was talking to somebody, I won't call her name, but she was fantastic. She goes, listen, I just started putting in a password expiration policy. And I was like, you know what, that's something, and you've started. And that's the place to start, because you have to start doing something to start putting in these security controls. So we wanted to give really a practical perspective, and these five steps that you can follow along the way to get there. So Sybil mentioned the reference. The first one that I start with is risk assessment, and assessment in general. It's interesting.

Kimberly Johnson:

I worked in an organization that was actually a monitor of cybersecurity risk. And I was like, oh, risk and security are the same thing. And it's like, well, actually, you don't know what security you need until you know how risky you are. Right. And so they go hand in hand but are not the same. And so this is all about assessing your situation. And these are some examples of what risk assessments look like. It can be as simple as: take all your assets, whether they're servers or applications or scenarios, and just rank them, put them in criticality order, right? How important are they to the county and to operations, what happens if they go out, and how can we solve it? And so that's just a high-level assessment. You know, the ideal scenario is you can inventory every single asset that you have, but also at a high level, you know, mostly the big applications, the big devices, the servers, the infrastructure, at least get that down and start understanding where those weak spots are.

Kimberly Johnson:

And then the other assessment is of workflows, user workflows. So Rita, you made a great point. There are people that don't have cell phones, they don't have smartphones, right? And so what alternatives do you have for them? And if you haven't planned for that, then when you go to purchase the solution, it might be difficult to say, okay, this is what we're going to need for that user population. And then the last one I'll mention, and then I'll turn it over to Sybil and Rita for comments too, is the compliance and actually the cyber insurance requirements. So we're finding a lot: compliance is a big one, but believe it or not, this year has been a compelling event of cyber insurers starting to basically say, we are going to raise premiums, even double them, or not insure you at all if you don't have MFA. So it's just really important to get your landscape and your situation down, because otherwise you might just pick methods, or you might just implement a solution or try to get user adoption, and just not have the full picture in place. Sybil, any thoughts there? Or I know you said you didn't have the assessment part down.

Sybil Gurney:

That's right. We were unfair, but, you know, we do have a security roadmap, and the security roadmap is designed around what our risks are. And we look at it two ways. You asked what changed earlier: what used to be the security around the data center. We had the perimeter around the data center, and that's how we did our security, and that's how we decided what we wanted to do. Now, especially with the pandemic, we have what we call the hybrid workspace. Well, now the security has got to be around the individual. So what is that security around the individual? It's physical, it's network, it's MFA, it's all of those things. And based on that, we do our risk assessment, and then we decide where we are in our roadmap and what we're going to do going forward.

Sybil Gurney:

I feel like this is all we've actually been doing in the last three years. You know, like you talked about, whether it be passwords, whether it be MFA, whether it be BitLocker, whether it be patches, all of that, you know, and you have to decide what you're going to do first and what you're going to hit first. And I've not been hit by the insurance issues. I heard that discussion yesterday. So now I'm thinking, do I reach out and ask, or do I wait for them to come to me?

Kimberly Johnson:

Yeah. Way, you know,

Sybil Gurney:

All right. Because now I'm getting nervous. There was a big conversation about it yesterday and it's like, oh.

Kimberly Johnson:

I haven't seen any specifics on what they require. I have also heard that the first year, maybe this year, you'll get the, hey, slap on the wrist, you should have it; by next year you're going to have an impact. But, you know, they're paying too much ransom. That's what it's come down to. I don't think they thought people would collect on these policies, which are hard to collect on; that's a whole other conversation. But I don't think they expected to pay out as much as they have been, and especially with 2020, just off the charts. So

Rita Reynolds:

Yeah. You're so right, Kim. And it was a discussion on the tech exchange a week ago with IT directors and CEOs about this coming. Sybil, I hate to say it, if you haven't heard it, they're coming for you. It's turning into, I want to say, a nightmare. Many of the major carriers are now questioning whether they should even provide an option for cyber insurance, and, you know, Kim, your comment about how they didn't expect this many claims, that gets to their bottom line and the P&L. So I think that's a consideration. But my one comment I want to add: Sybil mentioned it, you know, years ago we only had to worry about the physical room, the physical building, or even, to go back and date myself, the physical file cabinet.

Rita Reynolds:

And we knew where the data was. And now the landscape is so much larger. And in many cases, I won't say it's nebulous, because eventually it's physical somewhere, kind of, in somebody else's building. But, you know, you can only protect what you know. And what I don't know is what I don't know. And I put it in the chat: data asset inventory. Yes, you want to complete one, but start somewhere. And I will say that was one of the things early on in our cyber insurance questionnaire: how many records do you have that would fall under this? And I'm like, really, seriously, how do I calculate that? So, you know, you did a little bit of analytical work and you gave a number. Well, "I think I have X number of records because I extrapolated out" isn't going to fly anymore; you really have to be a little bit more focused on your methodology. But at least take those applications where you know you have data, data that needs to be protected. You don't need to protect everything; that's back to the assessment. But you've got to have a data asset inventory. If you don't today, that's another takeaway from this webinar. So that's what I would add there. Kimberly?

Kimberly Johnson:

Yeah, no, great point. I think, again, you've got to start somewhere; it's probably going to be the theme for most of this conversation. The last thing I'll mention too is I did a lot of third-party risk management product marketing and information in one of my roles, and same thing: the suppliers, right? The outsourcing. So we talked about moat and castle, right? We've all had it. I remember I was standing at the RSA conference and someone walks up to me and he goes, "the perimeter is here," and he like walked away, but it's true. That's as far as, you know, the perimeter goes; there is no such thing. And now you have third parties and suppliers involved. So just as much as you have the data asset inventory of your systems, it is important to get your critical providers down, right?

Who are the main providers of technology that you're using, and just make sure you have a good assessment, or at least, you know, SOC 2 compliance and all those good best practices for that as well. So we'll move on to step two. So you've assessed, you've taken in the landscape as best as you can, at least focused on the critical pieces, and then we're really getting into the next piece of this, which is what methods do you use? I think it was great, Rita, you know, I'll keep going back to that example you gave; we've heard it too. It's like, this pool of users cannot use phones. Sometimes it's like no cell phone reception, or literally we have some groups we've worked with that can't bring it in because it's actually forbidden, because they were taking pictures of data, right?

Like insider problems. And so just as a reminder out there, it is always two discrete things, right: something you know, something you have and something you are, and depending on the person and who they are, like an employee or a citizen, that might change wildly. So like a police officer's here, right? We've used fingerprint because that's something that's very quick; they can put it down, but it's also how much do you have to know that person truly is who they say they are, not just that the token or the phone is present, or, you know, a code's been typed in, versus somebody that's working from home and may not have critical access, right, to sensitive data. They might be fine using SMS, a one-time passcode or an email code or anything, or people that are of an older age.

We have printed codes. You can literally print them out and cross them off, right? And so it's about mixing and matching and flexibility and options. And I think, Sybil, your point on Microsoft and Duo: a lot of companies and organizations I talk to are in the dozen range for how many providers they've built, because as MFA's basically evolved, "oh, shoot, you know, phone's not enough for this use case," or "I'll buy hardware tokens," or "this one's not enough, so then I'll bring in, you know, whatever." And then biometrics is a lot of our differentiation, and that's just had a hard time coming up in popularity. And now we have Touch ID and Face ID and other things. So it's just interesting because it's no one size fits all. You have to look at who you're trying to give this to and what works for them. What's the best thing that you can give them as a method? So, Sybil, any other thoughts there from actually having handed some of these things off to your employees and users?

Sybil Gurney:

No. I'm going to talk about it in a minute, but consistency: whatever you choose. We use the authenticator app, and we basically say, if you don't want to use it, then you don't get to work from home. So, you know, there's some carrots that we have now, but I would just be consistent, whatever you decide. It gets too confusing if you have too many different products.

Kimberly Johnson:

Yeah. We give 'em... The other thing I'll say too is, if you can, and not just BIO-key, there's probably other solutions out there to do it, but give the user an option. So always have a fallback, and you'll see that sometimes, like, "I don't have my phone with me. Oh, I can use this method instead." So it's good to have kind of that fallback or the emergency out, right? If they just don't have that hardware; tokens are notoriously lost. What if I don't have my hardware token? What happens? So it's good from that perspective. Rita, any thoughts there on common methods or things you've also seen from

Sybil Gurney:

No, I agree with everything that's being said. I've really nothing to add on this particular area or this particular step.

Kimberly Johnson:

Okay, great. And just, oh, last point I'll make is, when we did look at security, from most secure to least secure: passwords are least secure, probably goes without saying; most secure are hardware tokens, authenticator apps like Microsoft, Google, and biometrics. So, you know, if you're looking again based on the scenario, put the most security in place that's required. So, all right. And so I'm going to turn it over to you, Sybil, for this step, because you just had such an amazing approach to it, right? And so the next step is really defining your security policies after all this assessment and picking methods, right? It's really the security policies you set and maintain and everything that enforces it. So can you just talk a little bit about how you approached it and what security policies you have in place?

Sybil Gurney:

Yeah, so we discovered that even though we had grand plans, we had our digital transformation and our security roadmap, not all departments were going to agree that they wanted to do this. We wanted to do, you know, Microsoft; someone else might want to do Duo. But we knew that if we could get a cybersecurity policy across, and we did. And I would say that it was one of the smartest things we did, because all the change we wanted to introduce in the last three years, which is actually tremendous if you think about even what you guys have all gone through, this policy has been incredibly helpful. I mean, it basically said, department head, you're responsible for making sure that your departments are secure in following what it says that we need to do. It gave authority to our CIO and the county administrator to say, you set the policy, the roadmaps, you determine the tools.

Everyone else has to come on board, but it's your responsibility. We wanted, as I mentioned earlier, consistent behavior across the county. We didn't want one department doing it one way and another doing it the other, or one department saying, "I don't have to," and all of that. So it has to be consistent across the county. And then it recognized that all employees play a key role in the safety. So they have to get their cybersecurity awareness training. They have to make sure their work environments are secure. They have to, you know, watch the videos, et cetera. And if we do it right, they want to be able to do that. So this policy then gave us the ability that when we said we're going to do BitLocker, or we're going to have smart passwords, we're actually now going to Windows Hello, everyone has to come on board.

You don't get to opt out, you know, and no one wants central IT to be Big Brother, right? So that's the tough part. That's where the rub comes in. So we've developed committees where we get together and we talk about what we're doing and it's no longer a surprise, and, you know, communicating with our partners so that we can roll this out. And the policy has really, for those folks that just don't want to come on board, you know, it ends up being our stick. It's like, here it is. If you don't want to roll out BitLocker, then have your department head go to the board and ask not to do it. Well, we haven't had a single one do that. No one's going to go to the board and say, "I don't want to play." So it has been very, very successful for us. I recommend a good policy.

Kimberly Johnson:

I'll put you on the spot a little bit, but how long is this document? Like if you were to look at your security policy and read it end to end?

Sybil Gurney:

It's actually, if you include the board letter, only about five or six pages.

Kimberly Johnson:

Okay, 'cause it's good. Like, you know, people, sometimes security policies, I've had people be like they're kind of mythical things. Like, "I'm not sure what that is," you know? And so

Sybil Gurney:

It's very precise. If I remove the board letter, it's like four pages, and there's the pomp and circumstance that you have to put in policies, but there's some real stuff in there too.

Kimberly Johnson:

Every new hire employee, is that part of what they... like, how did the adoption of the policy happen? Do you make everybody read it? Is it only the department heads enforcing it? Or how did you roll out the policy?

Sybil Gurney:

Yeah, I would say that the policy is definitely at the department head level and it's at the IT level. And, you know, part of our onboarding process is, you know, technology use protocols that people have to follow, and then they have the training every year, and then, I know we're short on time, but we also do, you know, October is our big cybersecurity awareness month. So everyone is

Kimberly Johnson:

Right. Yeah, no, that's... and we're getting to the communication. And then in terms of policies, like, are you setting them in Active Directory? You know, from an administrative perspective on the IT side, there's also the actual setting of technical security policies. So like we have a security policy configurator, but I'm assuming you have an admin doing that and putting those things in place as well.

Sybil Gurney:

Yes, we do. And we've been consolidating. We had like 11 different Active Directories; we're consolidating into one. We're getting rid of, you know, admin access, 'cause that's a big risk. All of those projects are going on in the background as well.

Kimberly Johnson:

Yup. Excellent. Yeah, I think it's just important because a lot of times we talk security policies just on the tech side, but you have this very concrete document. It doesn't have to be extensive, but it's clear about what the approach is and the agreement is. So I think that's fantastic. And hand in hand with that goes the communication strategy. So, can relate... before you... go ahead, Rita.

Rita Reynolds:

Well, I need to make sure we have that on our Tech Xchange portal. I think we do, but if you don't mind sending that to me afterwards, we'll do. And then the other thing, in talking about this, it just reminded me: the policy is great, and knowing that you have a team that's implementing the policy, and maybe you believe you're fully implemented, but you get new employees and new IT employees. I just made a note to myself: it's good to get a periodic update on whether this is actually all in place or not from your network engineer or your IT director, even a network administrator, whoever handles that, because I bet you money somebody, something, somewhere is not following a hundred percent, and it's not without a doubt.

Sybil Gurney:

Yeah.

Rita Reynolds:

So just a refresher for everyone, since it's October, you know, coming up here in cybersecurity awareness month, that's probably a good thing to just say, "Hey, run this tool for me, tell me who might not be compliant."

Sybil Gurney:

Oh, you know, I can't share this story because it shows a big hole we found, but we found a big hole recently. So you're absolutely correct. You're absolutely correct. I'll leave it at that.

Kimberly Johnson:

Okay. I would say all these steps are not points in time. Maybe that's a good way to put it too. It's like all of these things aren't just do it once and leave, right? Like you should assess and be policy driven. So

Rita Reynolds:

Before you leave there, Amy Middendorf has a question she has posted, and we're a little short on time, so let me ask it: does your policy only address the network security, or does it address training and data security? And do you put the policies IT needs to follow separate? Then, that's a good point, because I actually have a separate IT acceptable use policy that our IT department signs off on.

Sybil Gurney:

Right. This is the overarching policy that basically says IT and the county administrator have authority in all things security. Then there'll be smaller policies or guidelines on specifically what your passwords are, specifically what your endpoint looks like. So there would be other, usually, guidelines to match, to roll up to the policy.

Rita Reynolds:

We might have to do a separate session, Sybil, on how you've structured all of that.

Kimberly Johnson:

I see it. I want to see that. Like, we talk about them so much, but to see someone's actual policies is excellent. So, okay. All right. All right. Well, I'll turn it back to you for communication strategy, because a lot of this, I know my first question after talking about the policy was, wait, so the board was on board? You know, and you're like,

Sybil Gurney:

That's right. That's right. It did. We're actually giving them an update in a week. I'm going to just say this really quickly, and this is MFA specific; it's almost everything we do specific, but you can't communicate enough, and we communicate, communicate, communicate, and someone will still say, "But I didn't hear about it." It's like, I told everybody. And I mean, we have this thing where we have to start with the department heads, what I told you earlier, and then the department IT teams, and one over the other and who goes first. But, you know, we have our hierarchy. We need to make sure everybody knows. Because of the disasters that happened in 2018, we actually did a road show to go out and tell people what was happening in the community and with Atlanta. So we had no arguments going forward when we got to MFA.

We created guidelines. We, you know, created communication protocols. We would make sure that when we were going to actually do the MFA turnover, we did it department by department, that we sent, you know, emails a week in advance, a day in advance. On the day we had people standing by to help. We had people ready to take questions. And then we did a survey: how did we do, what could we do differently? And then we would do that for the next rollout. It took us a year to actually roll it out to all the departments, which I'll talk about on the next slide. So we had lots of time to get better and better and better as we went. But communication was just the most important thing that we did, and what we learned on this we've actually been using on all of our other rollouts. So anyways, communicate, communicate, communicate. That's what this is. Yeah,

Kimberly Johnson:

Yeah. I think that's... I had originally too, like, you're kind of in marketing, like, welcome to my world. Absent a webinar, it takes three reminders; they're going to sign up the day before. But, and know your audience. And I think the other thing I would point out I've seen work really well is, you know, just kind of the marketing best practices: know who you're talking to, but what matters to them? It's one thing to say, like, "Hey, you need to be compliant and put MFA in place," if you're talking to somebody that doesn't know why that's important or what their responsibility is. And I think, Sybil, you've just highlighted that you've made people a part of this movement almost, right? It feels like everybody has a stake. Everybody has the ability. And so there's like a heroic feeling, I guess, to like, do your part, you know, do your part,

Sybil Gurney:

Be cyber smart.

Kimberly Johnson:

See, yeah, I like it.

Rita Reynolds:

Just one quick thing I would add here, and that is the fact that it all boils down to relationships. Many of us have been through the professional development academy leadership program, and there's a really big emphasis there about getting to know your department heads as much as you can, the elected officials, the county administrator, and building the relationship now. Like, you may be brand new. You might've been there a couple of years. Build that relationship now, before you have to bring things like this to them, because you have credibility and you've already been communicating, and now you're putting something tough in front of them, and the rapport is much better and the outcome is much better as well.

Kimberly Johnson:

Yep. Yeah. When we work with customers, I worked with customers for years, we'd be like, all right, who's the person that's not going to want to adopt this? Like the head doctor, the county commissioner, whatever it may be. We're going to make them our best friend and our champion. And that was the goal we set out a lot of times, because if you can get that person to do it, they actually end up having a lot of clout and respect within even the community that you're trying to get it into. Get that one person to be your advocate in the face of the change. And that's helped a lot too. And then, so Sybil, you know, staying with kind of your story and what we've seen, I've seen this too, is like phased rollout, you know, and I think this goes back to starting somewhere. Even if it's on your privileged accounts, right? Even if it's on VPN, as we saw in the poll, you're starting somewhere. So just talk a little bit about, you know, how did you do that, your phased approach? What do you recommend? And any lessons learned that you may have, right?

Sybil Gurney:

So you can see it: eat your own dog food. We always start with IT. Like I said, we have about 200 people in the central IT department. It's the perfect place to start. On the downside, our desktops are typically different than the rest of the county, because we have something that they don't; we experienced an issue with that recently. But start with your own department. We actually did our whole rollout plan with our IT department first; we did the exact same, and then we did everyone else, but we used all the materials, all the communication plan, everything that we had done, to see how it worked. And then we can use those key learnings to help with the departments. We then went after friends and family. So those friendly departments are early adopters that we know will be a little bit forgiving if we, you know, make some mistakes.

And that was how we kind of chose the order of the departments: smaller departments first, larger departments. Our largest department has 2,500 people; that's our social services department. We broke it up into about four different groups, but the method that we chose, we used for every single one of them. So it was rinse and repeat. So we would start with a pilot group in each department, 'cause you don't know if MFA is going to break any application. Everyone has their unique ways of doing things. So we wanted to be sure that we understood what the staff would go through and what the impact would be before we rolled it out to the larger department. So we did that consistently. And then, like I said, any of our key learnings, then we did it again. I can't... you can't underestimate user adoption.

And I've heard that in the questions and people talking about it throughout this experience. I think MFA is one of those where you need to really be empathetic. You need to understand what that user experience is. Some people are tech savvy and will get it; some won't. You need to know what they're going through, and then you need to share that. And one of the examples I want to give is native email. In our case, your native email, you know, I used to be able to do my county email and my Gmail all in one, in the native email account on my Apple phone. And I loved it. I just went through my mail. I mean, I was sold on it. And when they gave me my MFA and they took away my county email from my native email, and I now have to use Outlook, I was...

It's like I have to go to two places to do my mail. And it made me angry, you know, and I hated it. By the way, now I love it. I think it's fantastic. But when I went out and was being the champion for this project, I could go out and tell people, before they told me they hated it, I could already tell them that I hated it, and why I hated it. So I already defused them before they could get all over my case about this. So it was really understanding what their experience is and making sure the IT teams and everyone that was supporting them knew what that was, so that they could go out and be there. We would keep people for about three days after we transitioned people, to answer questions and be helpful and just listen.

'Cause most of it's just whining because it's a change. But, you know, that I think really helped us. And as people got used to it, they told other people, and then we couldn't keep up. Now we had more and more departments that wanted to get on board, and, you know, we couldn't move fast enough to get them all done. And then maybe at the end we had like three holdouts, but we got them. So anyways, it was good. It was a good project. I don't know who likes MFA. I don't like using MFA. I mean, we have to have it and I use it

Kimberly Johnson:

All the time. I don't like it. I mean, like, that's... and I think that,

Rita Reynolds:

And then scare them to death about bringing the county down.

Kimberly Johnson:

Right. The other thing I say... so I think phased rollout, that's huge. The other thing I always go with people: it's always been security and usability, security and convenience, whatever you want to call it, but put other things in place. So we have single sign-on, which is a fantastic way to consolidate to one very secure login. So yes, it's a little more painstaking, but it's one time, and then you can at least get into multiple applications. Of course, if something's very sensitive, you can step up and require more authentication at that point. But, you know, that's a nice way to give people, you know, adoption incentives; we'll eliminate the amount of passwords you've got to manage. Self-service options, like I forgot my password or I can't do things. Or, like I said, give people two options: I forgot my hardware token,

so today I can use my authenticator app, right? To give them a little bit of leeway when possible; obviously for those really critical situations, you're not going to be able to do that. So. All right. Okay. So I'm going to put up all five steps real quick. You know, good to have it all. Obviously we said we'd share the slides, so you'll have all this information. But: one, assess your situation; pick the right authentication methods for who the person is and what their workflows are; define the security policies, maybe a whole other session on that at some point, sounds like; communicate, you cannot over-communicate; and phased rollouts and user adoption, really work with people to get this in place. All right. So Rita, I will turn it over to you. And just one second, I think we talked about step one, start somewhere, start with the assessment, and then I'll turn it over to you to just go through some of these resources that are fantastic for folks.

Rita Reynolds:

Sure. And we'll share this PowerPoint afterwards, and the URLs are right there in case someone wants to type them in real quick or just Google the title there. But I always recommend the Center for Internet Security; many of you are familiar with the controls and benchmarks. That's for your IT person. This second one, anybody, I encourage you to go to that page, which is your Cybersecurity and Infrastructure Security Agency. They just redesigned their whole website and it's fabulous to get to tools and information now. And they actually have a document called What Are Bad Practices? Let me tell you, it's one of... yeah, exactly, Kevin. One, two and three: single-factor authentication is bad. That is on their list. And there's a thing about passwords as well. It's great to be able to show that to your elected officials.

This is, yep, take the screenshot, take the URL, put that in your PowerPoint. NIST of course has a wealth of information on MFA. It gets a little bit more in the weeds. And then I came across a really nice article from Microsoft about implementing MFA. And then finally, we have some great conversations, gosh, almost every day on the NACo Tech Xchange. If your IT person is not a member, I highly encourage you to give that slide to them and let them click on that link and join. But for today, we're just about out of time. Sybil, Kim, any last words? No, it was great. It was great meeting with everyone. Yeah.

Kimberly Johnson:

A lot of fun to put this together. I think the mantra, whether you're sitting there and you're a one-person IT shop or a team of 200, like, start somewhere, like a critical area, and try to roll it out, you know. Like I think hesitation is what we're seeing, and we know it at times, so

Rita Reynolds:

Any progress is much better than no progress. Have a great day, everyone.

Kimberly Johnson:

Bye everyone. Thank you.