As we’ve seen over the past several years, government agencies continue to provide appealing targets for phishing and ransomware attacks. Cybercriminals have found they can acquire valuable information, or block government access to that information, by attacking unprepared state and local agencies.
Often, state and local governments haven’t planned ahead to protect their systems. This mistake should be addressed as quickly as possible, and the first step agencies should take is to determine what data and IT assets they have on their hands and the best way to secure them.
Agencies hold information on citizens, including sensitive data such as Social Security numbers, and this may prove attractive to cybercriminals. But a recent survey by the Public Technology Institute finds only 35 percent of local government IT officials say their agencies have a cybersecurity strategic plan.
State and Local Agencies Must Inventory Their IT Assets
“The Cybersecurity Insight Report” by CDW offers some sound advice for state and local governments: “Surprisingly, many organizations fail the most basic step to mitigating risk — identifying the key assets that must be protected in the event of a breach. They view cybersecurity as a one-size-fits-all solution. Instead, think of risk mitigation as a business, not a technology issue.”
The International City/County Management Association agrees, calling for local governments to “understand what data and information you have on your computer systems that needs protection” in its 2017 report, “Cybersecurity: Protecting Local Government Digital Resources.”
ICMA cites a survey that found that 44 percent of local governments face cyberattacks daily or even hourly. At the time, a startling number of government agencies did not know when they suffered attacks (27.6 percent) or faced security breaches (41 percent).
IT Leaders Need to Recognize the Vulnerabilities in Their Environments
With the emergence of mobile and cloud computing, identifying assets is more challenging than ever, complicating awareness of an agency’s security posture. The Center for Internet Security backed this idea in a list of New Year’s resolutions on its CISO blog, noting, “You can’t defend what you don’t know you have.”
“As cloud technologies and mobile devices become workplace staples, it’s essential that CISOs consider all data for which they are responsible. Start by taking an inventory of all hardware and software your organization uses. Next, map out where data lives — whether that’s on a hard drive, in an application or in the cloud,” it adds.
A thorough risk assessment is required to determine the location of the most vulnerable assets for a state or local government agency.
As the U.S. Office of Management and Budget says in its “Federal Cybersecurity Risk Determination Report and Action Plan,” “Effective cybersecurity requires any organization ... to identify, prioritize and manage cyber risks across its enterprise.”
The National Association of State Chief Information Officers endorses tools such as the Cybersecurity Framework developed by the U.S. National Institute of Standards and Technology for mitigating risks.
“State governments are utilizing the Framework to properly identify cybersecurity risk and adopt measures to address gaps in their security posture. Now that Framework adoption has matured in state governments, state CISOs are actively focusing on more proactive and prophylactic activities,” wrote NASCIO Executive Director Doug Robinson in a 2017 letter to NIST.
Local officials without cybersecurity plans should take the lead. Start by gathering cybersecurity stakeholders and asking questions. Sources such as NASCIO, the National League of Cities and ISACA can provide valuable information to help you develop a cybersecurity plan.
Start those conversations today if they haven’t happened already.