New Jersey’s municipalities face cyber-security and other risks arising from the use of their technologies, according to a report published by the Bloustein Local Government Research Center, at Rutgers’ Edward J. Bloustein School of Planning and Public Policy.
These risks cannot be totally avoided because technology plays such a critical role in delivering services to the public. Nevertheless, municipalities could mitigate these risks by following a best practices protocol suggested in the report.
The author of the report is Marc H. Pfeiffer, who retired after a 37-year career in New Jersey municipal government, and is now assistant director and senior policy fellow at the Bloustein Center.
While the findings from this report can be generalized to other states, the basic information for the research came from focus groups and surveys of municipal professionals in New Jersey. The goal was to identify local government technology profiles and risk management practices.
The first focus groups involved selected members of the New Jersey chapter of GMIS International, the association of local government technology managers. The second focused mainly on smaller, rural municipalities, involving members of the TRICO Joint Insurance Fund, a member-supported entity under the Municipal Excess Liability Joint Insurance Fund (MEL) that operates in Cumberland, Gloucester and Salem counties. Later, the researchers conducted an online survey of MEL members to further develop the technology profiles and provide other useful information about current New Jersey local government technology use and administration.
There are many kinds of risk, the report notes, among them cyber attacks, identity theft, data breaches and network intrusions, the failure of big computer systems, and problems entailing legal issues or insurance obligations. Risks can result from the things people do or fail to do; external forces, such as natural disasters; failed internal processes, including those that were designed incorrectly; and system or technology failures involving abnormal or unexpected technical functions.
For example, when technology glitches disrupt essential services, either routinely or in an emergency, they present another set of challenges. “Think about the failure of complicated computer programs that control water and sewer treatment systems, or control 9-1-1 emergency call-taking and dispatching,” Pfeiffer said in a prepared statement.
Moreover, most agencies use a combination of full- or part-time employees and contractors to manage their technology, Pfeiffer added, which means that risk factors can be overlooked. “Many organizations have a decentralized approach to technology management,” he said. “This leads to disorganization, the duplication of services and an increased risk of technology failure.”
Finally, municipal officials must determine how much of their scarce resources they can dedicate to satisfying the information and service needs of a growing number of tech-savvy constituents.
“The public insists that government meet their technological expectations without increasing their taxes,” Pfeiffer concluded. “This paradox is difficult to resolve but requires the attention of political leaders, public administrators and technology leaders to find solutions for their organizations.”
To identify, assess and manage technology risks, organizations need to be technologically proficient, which most municipalities in New Jersey are not, the report noted. In conclusion, the report recommends that organizations attain technological proficiency by establishing and institutionalizing four practices:
1) technology governance that is driven by senior elected and appointed officials;
2) planning that is integrated into governance and budgeting;
3) “cyber-hygiene” institutionalized among employees, including a training program in proper computer security practices; and
4) the development of the technical competency needed to drive the management and delivery of the organization’s technology.
So what can towns and cities in New Jersey do to accomplish this?
Pfeiffer noted that a Supplemental Guide prepared by the Bloustein Center provides specific guidelines for municipalities, along with the steps that they can take. “Generally speaking, the first steps would be to appoint individuals (appropriate to the organization) to develop a governance process; once appointed, they should start to inventory their technology and take the questionnaire that helps assess their risk level,” Pfeiffer said in an email interview. Another guide provides information for leaders who want to transform their local governments.
Asked about the cost to municipalities, he said that costs would depend “on the size of the organization, their technology profile, and what they are, or are not doing now. Also, how creative they may be to manage their internal processes. And some costs should be a normal part of managing technology.”