For state and local government IT leaders, lawmakers, and policymakers, cybersecurity is a concern that is always top of mind. Though local governments often have fewer resources to devote to cybersecurity than their state counterparts, they have made progress on raising awareness around cybersecurity. Yet they are also falling short on investigating and using cybersecurity insurance, according to recent research.
According to a recent survey of local government IT executives conducted earlier this year by the Public Technology Institute, 64 percent of respondents had developed security awareness training for workers and contractors. This represents an approximately 10 percent rise over the previous year. Meanwhile, 63 percent of respondents had created a culture of information security within their organizations. Both of these facts are good news, according to Alan Shark, executive director of PTI.
“What’s encouraging is that there are more security awareness programs for workers and contractors, so that is very positive,” Shark says. “These two areas are gaining ground because people are realizing that this is very important. There are so many endpoints that, for the most part, are vulnerable in many ways — more so than anything might have been 10 years ago.”
However, despite these and other positive results uncovered by the survey, a number of areas leave room for improvement, most notably cyber insurance, which only 54 percent of respondents indicated they had obtained, Shark says.
“I’m a little disappointed. I think cyber insurance is a sleeper issue,” he says.
Why Local Governments Have Difficulties with Cybersecurity Insurance
There are two main reasons why cyber insurance may not be high on municipalities’ lists. The first is the application process, which can be burdensome.
“It is very difficult to get cyber insurance today without going through enormous scrutiny,” Shark says. “Where the application might have been one page five years ago, today they’re asking people to talk about their backup situation, their programs or awareness training.”
Oddly enough, this particular barrier to obtaining cyber insurance is also one of its main benefits.
“You can look at the application and say, ‘This is our blueprint; this should be part of our plan,’” Shark says. “Whether or not you actually apply for insurance, you could benefit just by looking at the application and asking whether your organization is 100 percent correct.”
The second reason municipalities may shy away from cyber insurance is the cost — a challenge that applies to virtually every aspect of sound cybersecurity policies and practices. To overcome this hurdle, local government CIOs have to be prepared to make the business case that insurance costs are a fraction of the potential costs associated with a data breach.
“For example, what is the cost of money being embezzled, or loss of business? What is the cost of having to provide credit monitoring for a million people at $15 per person per month for three years?” Shark says. “If you start doing the math, suddenly those insurance premiums look very reasonable.”
Local Governments Need to Boost Cybersecurity Planning Efforts
The study uncovered two additional results that are not quite where PTI would like to see them: the number of governments that have developed a cybersecurity strategic plan (35 percent) and the number that have developed a cybersecurity disruption response plan (27 percent).
“This is kind of surprising and disappointing, because we have constantly talked about the need to do these things,” Shark says. “Unfortunately, we still have people saying, ‘What is a breach response policy?’”
At minimum, Shark says, municipalities should have a plan of action if something happens. This begins with determining what should be done, who should be notified, in what order and within what timeframe. In many states, there are stringent laws that determine the answers to these questions, but it is still sound policy for municipalities to have formal procedures in place in case something happens.
With cybersecurity, testing is crucial, but Shark cautions governments against relying on their own testing.
“We think that every local government should have an outside perimeter check every two years, if not every year, by an outside company,” Shark says.
The bottom line? The two most important steps to take are to establish sound digital hygiene throughout the enterprise and to obtain cyber insurance.
“It really starts with employees. This is where employee awareness becomes so important — most of the stuff comes into the system through an attachment,” Shark says. “And to get a good cyber insurance policy, you’re forced to adhere to best practices to get the digital hygiene you want. Having cyber insurance and having awareness programs just makes sense.”