As we’ve seen over the past several years, government agencies continue to provide appealing targets for phishing and ransomware attacks. Cybercriminals have found they can acquire valuable information, or block government access to that information, by attacking unprepared state and local agencies.
Often, state and local governments haven’t planned ahead to protect their systems. This mistake should be addressed as quickly as possible, and the first step agencies should take is to determine what data and IT assets they have on their hands and the best way to secure them.
Agencies hold information on citizens, including sensitive data such as Social Security numbers, and this may prove attractive to cybercriminals. But a recent survey by the Public Technology Institute finds only 35 percent of local government IT officials say their agencies have a cybersecurity strategic plan.
State and Local Agencies Must Inventory Their IT Assets
“The Cybersecurity Insight Report” by CDW offers some sound advice for state and local governments: “Surprisingly, many organizations fail the most basic step to mitigating risk — identifying the key assets that must be protected in the event of a breach. They view cybersecurity as a one-size-fits-all solution. Instead, think of risk mitigation as a business, not a technology issue.”
The International City/County Management Association agrees, calling for local governments to “understand what data and information you have on your computer systems that needs protection” in its 2017 report, “Cybersecurity: Protecting Local Government Digital Resources.”
ICMA cites a survey that found that 44 percent of local governments face cyberattacks daily or even hourly. At the time, a startling number of government agencies did not know when they suffered attacks (27.6 percent) or faced security breaches (41 percent).
VIDEO: These are the cybersecurity threats that keep state CISOs up at night.
IT Leaders Need to Recognize the Vulnerabilities in Their Environments
With the emergence of mobile and cloud computing, identifying assets is more challenging than ever, complicating awareness of an agency’s security posture. The Center for Internet Security backed this idea in a list of New Year’s resolutions on its CISO blog, noting, “You can’t defend what you don’t know you have.”
“As cloud technologies and mobile devices become workplace staples, it’s essential that CISOs consider all data for which they are responsible. Start by taking an inventory of all hardware and software your organization uses. Next, map out where data lives — whether that’s on a hard drive, in an application or in the cloud,” it adds.
A thorough risk assessment is required to determine the location of the most vulnerable assets for a state or local government agency.
As the U.S. Office of Management and Budget says in its “Federal Cyber-security Risk Determination Report and Action Plan,” “Effective cybersecurity requires any organization ... to identify, prioritize and manage cyber risks across its enterprise.”