By now, you’ve probably read a lot about the Internet of Things (IoT), the term referring to the massive connectivity of devices to the Internet. By 2020, it’s predicted that more than 50 billion objects—everything from built-in automobile sensors to health monitoring devices—will be part of the IoT.

It’s an exciting, transformative trend from which we all stand to benefit in a big way. For example, city leaders will be able to use the IoT to offer more efficient services to citizens, who will use sensors, mobile devices, and apps to manage their families, jobs, and health in new ways.

With change, however, comes additional responsibility and requirements to ensure that people and their use of the technology will be safe and secure.

As IoT takes off, ensuring security and privacy will become more challenging and complex. That’s because many popular devices today aren’t built with security as the top priority, and data sent and received from many devices may not be safe, either in transit or at rest. And with billions of devices in the process of being connected to the Internet, there are legitimate concerns to be raised about the management of all this information, as well as about disclosure and privacy regulations.

Because so much of the world’s population lives in urban areas, cities are uniquely positioned to pilot innovative new cybersecurity approaches to manage these challenges. And Microsoft is ready to help city and metro leaders keep their communities safe and protected.

So why should you trust Microsoft to help your city with security, privacy, and a cybersecurity strategy?

Well, for starters, we are committed to making our own products safe. To address product vulnerabilities, Microsoft uses its Security Development Lifecycle, a security assurance process for new products. We also utilize a patch management system that enhances operational security through standard, predictable, and regular releases of software patches. And we take advantage of Privacy by Design at Microsoft, which describes not only how we build products, but how we organize ourselves as an accountable technology leader.

Microsoft also draws on years of experience in dealing with cyber threats around the world to help cities develop cybersecurity strategies. Each month, we receive threat information from more than 600 million systems in more than 100 countries and regions. We also work closely with governments, city leaders, organizations, and individuals to get a first-hand view of how risks within their environments are managed.

Based on this vast knowledge of security threats and direct experience, Microsoft has created a six-step approach to help cities design and implement their cybersecurity strategies:

  • Build a risk-based approach to cybersecurity. The first step in developing a cybersecurity strategy focuses on the risks to be identified, managed, mitigated, and accepted. A risk-based approach must look at the overall structure of a city’s systems to determine how to mitigate vulnerabilities to reduce the likelihood of system failure.
  • Establish clear priorities and security baselines. The threat model and risk assessment act as a foundation to help cities establish clear cybersecurity priorities and security baselines. Cities can begin by taking advantage of existing standards like NIST’s “Framework for Improving Critical Infrastructure Cybersecurity,” as well as the Council on Cybersecurity’s “Critical Security Controls for Effective Cyber Defense.”
  • Coordinate threat and vulnerability information. Sharing information quickly with specific mitigation guidance or updates to remediate vulnerabilities is crucial to defeating cyber threats. Working hand-in-hand with the private sector and other government entities to identify vulnerabilities is just part of the picture. There must be actionable steps that city agencies and citizens can take after vulnerabilities are exposed.
  • Build incident-response capabilities. A city’s cybersecurity strategy should include a definition of which threats fall under the city’s purview and which belong to the private sector—with a communication plan that bridges the two. Threats should be prioritized, and a hierarchy of threats and associated responses should be developed, structured by anticipated impact.
  • Boost public awareness, education, and workforce training. Cities play an important role in equipping employees and citizens with tools and resources to be cyber smart. Preventive education not only protects data, systems, and infrastructure but also saves money in cybercrime enforcement and cleanup. Workforce training for city and private sector employees is also an important part of a cybersecurity strategy.
  • Structure public, private, and academic cooperation. Cooperation should also be developed among city agencies, local businesses, and academic institutions. A city’s cybersecurity strategy can formalize the creation of public-private partnerships (PPPs) to benefit everyone. The European Union Agency for Network and Information Security published the “Good Practice Guide on Cooperative Models for Effective PPPs,” which offers 36 recommendations on how to build successful PPPs for resilient security. It’s an excellent starting place for cities looking to formalize partnerships.

I hope this approach helps reassure you that Microsoft can be a strong and trusted partner to assist your city in devising a cybersecurity strategy and putting it into place.

For more information, you can visit Microsoft CityNext.

Gary Wachowicz
Industry Managing Director, Worldwide Public Sector