Dec 08 2020

The State of Local Government Cybersecurity

A recently released survey shows plans are in place to respond to attacks, but there is weak engagement from local leaders and concerns over a lack of funding.

In recent years, local governments have been targets for ransomware attacks, and the problem seems to be getting worse.

“How bad was the problem last year? Terrible,” Charles Carmakal, CTO at Mandiant, the incident response arm of the cybersecurity firm FireEye, said in a conversation during the Aspen Institute’s Cyber Summit on Dec. 1, according to StateScoop. “How bad was it this year? Somehow, it managed to get worse.”

Indeed, several local governments simultaneously had their web presences disrupted in November after their web hosting provider fell victim to a ransomware attack.

Amid that turmoil, local government IT leaders report that although cybersecurity is a clear concern, it is often not treated as a top concern by local elected officials. That’s according to the 2020 National Survey of Local Government Cybersecurity Programs, conducted by the Public Technology Institute, part of the Computer Technology Industry Association.

And while there is clear use of cybersecurity awareness training, the survey also indicates that more could be done to practice incident response plans.

This survey was conducted over August and September 2020. PTI notes it emailed the survey to a list of local government IT executives it has developed over the past year, and 95 executives participated in the survey.

More Engagement, Funding Needed on Cybersecurity

Although cybersecurity issues are constantly in the headlines, the survey finds that local elected officials could be more engaged on the topic with IT leaders. According to PTI, 23 percent of IT executives say that their elected officials are actively engaged in their government’s cyber efforts, while 54 percent state that their elected officials are somewhat engaged. Another 23 percent of IT executives report their elected officials are not engaged at all.

Local governments are likely going to feel major budget pressure in 2021 as the economic fallout from the coronavirus pandemic continues. At the same time, IT leaders say that they need more funding for IT security efforts.

When it comes to cybersecurity funding, 66 percent of IT executives say they think their cybersecurity budget is not adequate. PTI argues that, despite economic headwinds and the impact falling tax revenues will have on state and local government budgets, now is “not the time to cut cyber or tech budgets.” The organization adds that “investments should be made that will provide expanded virtual services and a secure infrastructure as governments face uncertainty in terms of continuing to support a remote workforce.”

Encouragingly, according to the survey, 82 percent of IT executives state their local government does have a cybersecurity plan or strategy. Of the local governments with a plan, 71 percent say their plan has been reviewed within the past year, while 23 percent state that their plan has been reviewed within the past two years.


The percentage of local IT executives who say their local government has a cybersecurity plan or strategy

Source: “2020 National Survey of Local Government Cybersecurity Programs,” Public Technology Institute, Oct. 29, 2020

Of those respondents who have a cybersecurity plan or strategy, 56 percent say their plan allows for exceptions to the policy and that those exceptions are documented. The survey report says CISOs think this is a major concern and that often the exceptions “tend to be for elected officials, their staffs, and public safety employees, with little oversight or ability to provide corrective action by the IT department.”

In fact, 15 percent of IT executives say their elected officials and their staffs and senior leadership are exempt from organizational awareness training programs.

Overall, 87 percent of local governments do provide cybersecurity awareness training for employees. Of these local governments, 56 percent provide ongoing training throughout the year, while 33 percent provide training once a year. PTI favors training held throughout the year in a variety of formats.

Planning Ahead for Cybersecurity Incidents

In terms of cyber incident response and disaster recovery planning, 46 percent of IT executives say they maintain a formal incident response plan and a disaster recovery plan that is tested annually.

However, the survey report notes that many local IT officials treat a response plan and a recovery plan as one and the same, when they are not. Officials also indicate that such plans are “developed, often with great effort and cost, but not tested on a routine basis.”

Notably, 29 percent of organizations say they “have found it necessary to modify either their incident response plan or disaster recovery plan as a result of” the pandemic.

“In the coming months, many IT agencies will be competing with other agencies for resources in an environment of reduced budgets while cyber threats and risks continue to increase,” the PTI report concludes. “And, unfortunately, some in local government will continue to take security for granted — until a breach occurs or data is held for ransom.”

PTI advises local government IT leaders to “be constantly vigilant — to be aware, to have strategies and the proper security tools in place and to communicate with your elected leaders and your employees about the threats your organization is facing and what they can do to help protect your cyber infrastructure.”
