Norfolk County meets strict insurance guidelines and improves third-party access management

Canadian Municipality Protects The Systems and Data Serving its 63,000 citizens With PAM SaaS solution

norfolk-goverment building

Company profile

Norfolk County is a municipality on the north shore of Lake Erie in Ontario, Canada, providing services aimed at improving the lives of its 63,000 citizens. These services include garbage and recycling, roads, parks and recreation, fire, long-term care and social services, as well as IT and administrative support for the local health unit. The area is rural and internet connectivity is challenging, so Norfolk County works with service providers to improve broadband access for citizens.

Challenges

When asked what the cyber security threat was for Norfolk County—a municipality in Canada—IT Director Brent Wallace, stated, “The threat level is not if, but when we get attacked. So, we are in the planning stage. If it happens, how are we going to handle it, mitigate it, control it and how can we get things back up and running?”

The municipality already has experienced several incidents such as employee information visible to other staff when a payroll system was changed, or a ransomware attack that was quickly shut down and only infected five devices. Wallace is under no illusions about the devastating costs and steadily increasing risk of a cyberattack. Especially since Norfolk County has increasingly turned to a remote workforce model following the COVID-19 pandemic, leading to new risks of employees accessing systems while working from home.

Over the last few years, the municipality has reinforced the organization’s cyber security defenses by locking down PCs, segregating backup data, implementing antivirus measures, restricting access to servers in accordance with the principle of least privilege, and training staff about cyber security risks.

Limited IT Resources

Alongside the growing danger of attacks, Norfolk County has other security challenges that needed addressing. Like many organizations, its IT and security staffs are limited. To effectively manage the systems and applications required to deliver community services, internal resources are augmented with an increasing number of third-party vendors and service providers. For example, a finance and tax system requires specialized skills to develop, customize and maintain it. Norfolk County has approximately 20 third-party suppliers that have (limited) access to the authority’s IT systems. For instance, the municipality owns the wastewater infrastructure but hires a third party to manage it.

For Wallace, controlling access was a growing concern. He explained, “There were times when we would come into the office, and something was not working right, and we could not understand why. Often this turned out to be one of our contractors coming in overnight and making a change that we were unaware of. So, we needed better control and visibility to see who was accessing our environment.”

Another issue related to access management was keeping track of passwords in an environment where there is a high level of staff turnover. The municipality had a basic vault system for them, but with unique codes. To securely manage unique privileged accounts for PCs and laptops, servers, databases, and network devices, etc, it requires a more secure, automated, and efficient way of managing and controlling both internal and external access.

Faced with the growing risk of attacks, Norfolk County was an early adopter of cybersecurity insurance. However, the municipality’s insurer—responsible for covering the cost of damage and restoration of an attack—was demanding stiffer adherence to insurance guidelines. Failing to meet them created the concern of not only higher premiums but also the inability to renew the policy. Fortunately, insurance requirements were aligned with Norfolk County’s existing security goals.

Solutions

Impressive Ease of Use

Norfolk County has a group purchasing agreement with CDW Canada, a commercial business that helps private and public organizations find and purchase IT products and services. CDW Canada presented Norfolk County with solutions from three privileged access management vendors to evaluate.

“There were several factors that made the CyberArk Privilege Cloud solution the right fit for Norfolk County,” explained Wallace. “We were very impressed with the vendor access portal, integration with our environment that we do not think others offered, and the fact that overall, it was an intuitive and easy-to-use solution.”

CyberArk’s jumpstart services package not only provided the assistance to help Norfolk County get up and running quickly, but also the time to walk staff and vendors through the change, ensuring the municipality could increase security and meet cyber insurance requirements without slowing down IT staff or vendors.

Working together with CyberArk consultants and engineers, Norfolk County has started to deploy CyberArk Privilege Cloud across the organization. It enables the municipality to securely store and rotate privileged credentials for both human and machine identities, reducing the risk of credential theft. The municipality also isolates and monitors privileged sessions performed by both internal IT teams and external vendors across its on-premises and cloud infrastructure; delivering further risk reduction to the business. This allows the municipality’s IT team of 12 members to deliver scalable threat reduction to the business.

Results

CyberArk Critical to Security

“CyberArk is and will be extremely important to the security management of Norfolk County systems and services,” commented Wallace. “Norfolk County has several security defenses but having the CyberArk Privilege Cloud solution to control and manage access is huge. It saves us so much time and makes us more productive. Given the kind of security threats that we face today, CyberArk is right up there with our most important security solutions.”

The CyberArk Privilege Cloud solution is enabling Norfolk County to meet the cybersecurity insurer’s three key major conditions: A formal program for training and educating staff about cybersecurity; multi-factor authentication for third-party vendors; and a high-quality privileged access management solution.

CyberArk also is part of a broader digital transformation initiative at Norfolk County where the municipality is bringing more of its services online, such as paying taxes or parking tickets, and applying for building permits. Building a PAM program with CyberArk helps ensure access to the systems that drive those digital services is securely controlled and managed.

“In the past, there has been some disruption to citizen-facing services because of security incidents. However, now we are starting to see that reduce because the CyberArk Privilege Cloud solution can identify and prevent incidents sooner, and often before there is any impact on services.”
– Brent Wallace, IT Director of Norfolk County

Before CyberArk, Norfolk County found it difficult to monitor and manage how vendors and contractors connected to the municipality’s systems. “Now, the CyberArk Privilege Cloud solution offers us the ability to control external service provider or contractor access to our secure systems and servers,” explained Wallace. “We can see what happens when someone connects to our systems, when they went in, what they did and why there were there. It gives us an open window to what is going on without having to contact every vendor.

Key benefits

  • Protects digital community services and minimizes downtime
  • Helps meet strict requirements to qualify for cyber insurance
  • Increases IT staff productivity with native user experience
  • Creates a robust, flexible internal program to manage privileged access
  • Provides greater control and insight over vendor and contractor access

Talk to an expert

Understand the key components of an Identity Security strategy

Get a first-hand look at CyberArk solutions

Identify next steps in your Identity Security journey