Oct 04 2021

Organizations Offer Best Practices for State and Local Incident Response Plans

Creating a plan goes a long way toward protecting governments from cyberattacks.

No organization is immune from cyber incidents. Although the news is full of reports of massive ransomware attacks on critical infrastructure and top government agencies, smaller organizations, such as state and local governments, face similar risks.

A recent report by the National League of Cities revealed that an astonishing 44 percent of local governments report they experience a cyberattack daily or even hourly. The time and cost to mitigate the effects of an attack and comply with regulatory requirements can be significant. Even worse is the risk of disrupting vital citizen services.

Attackers see state and local governments as easy targets because they may have scarce cybersecurity expertise — and cybersecurity may become even less important as budgets are cut due to the pandemic and lower tax revenues. Attacks on state and local governments are unauthorized attempts, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any network or system resource. They can take many forms, such as phishing, ransomware, denial of service attacks and more.

Ransomware is an especially profitable attack method given that smaller government agencies are more likely to pay a ransom than risk having critical data compromised or systems unavailable for long periods of time. Ransomware attacks cost state and local governments almost $19 billion in recovery costs and downtime in 2020.


Preparedness Is Key for Cybersecurity Incident Response

The key to successfully warding off or recovering from a cybersecurity incident is to be prepared. Cities and states need to plan ahead, and one of the best ways to do so is to create an incident response plan: a written policy that helps the organization manage cybersecurity incidents. The process of creating and testing an incident response plan, and then educating participants to implement the plan, helps prepare an agency to detect, respond to and quickly recover from a cyber incident. An effective IR plan limits disruptions to services and citizens, and reduces data loss and reputational damage.

It’s a great idea. Unfortunately, nearly 25 percent of state and local governments do not have an IR plan.

But there’s good news: Building an IR plan can be done in manageable steps, and there are examples and templates available to help governments of all sizes create effective IR plans.


A Stepwise Approach to Incident Response Plans

One simple way to create an IR plan is to tackle each of the sections as a separate step. The most basic approach includes four sections: organization, protection, detection and recovery.

Organization: Determine who has overall responsibility for the plan, then broaden that thinking to create the extended team — think IT, legal, finance and HR. Specify the roles and responsibilities of each member of the incident response team. The plan should include contact information for each team member.

Preparation/Protection: Prioritize all systems that must be kept online or brought back online first, and set up policies to protect them. Next, ensure that relevant security tools — such as firewalls, anti-virus, vulnerability scans and patching systems — are in place and kept up to date. Identify gaps in security and create a remediation plan. Ensure backups are stored offline and recovery is tested periodically. Provide security awareness training to employees and elected leaders, and even to citizens if possible. Create a detailed list of instructions on handling incidents. Test all of this periodically with the IR team.

Detection and Analysis: When an incident is detected, the process tree should be activated so team members can spring into action. This phase includes determining the cause and impact of the incident. If it is severe (if it limits availability or disrupts services) or catastrophic (if there is a total shutdown or information is leaked), information is gathered for further analysis and reported to relevant authorities. The plan should include information about mandatory reporting, as well as protocols for notifying local and state law enforcement, including Homeland Security and the FBI, if needed.

Containment and Recovery: This phase involves taking action to control the attack and limit the damage and impact. It may involve eradicating malware, mitigating misconfigurations or identifying other hosts that might be infected, so information on how to respond to each type of incident is included here. This section of the plan also includes steps necessary to restore the affected systems to normal operation, which might involve restoring from backups, rebuilding from a secure baseline, replacing compromised files with clean versions, patching or changing passwords. Once the incident has been resolved, the plan includes a step for evaluating lessons learned and incorporating that information into a revised IR plan.

To make the process even simpler, download a sample incident response plan from the state of Michigan. It lays out the steps, provides a sample IR team table and a process tree, and is an invaluable example of a local government incident response. Find it at statetechmag.com/MichiganIR.
