Security

Local Officials Are Sometimes Exempted from Cybersecurity Awareness Training

But more local government agencies are embracing cyber liability insurance and employing mobile device management than in 2020, according to a recent report.

Phil Goldstein

Twitter

Phil Goldstein is a former web editor of the CDW family of tech magazines and a veteran technology journalist. He lives in Washington, D.C., with his wife and their animals: a dog named Brenna and two cats, Grady and Princess.

While cybersecurity is consistently rated as the top concern by state and local government agencies, nearly a quarter of local government officials and their staff are being allowed to opt out of cybersecurity awareness training, according to a recent survey.

CompTIA Public Technology Institute’s 2021 National Survey of Local Government Cybersecurity and Cloud Initiatives found that 92 percent of respondents said their jurisdiction offers employees cybersecurity awareness training, with 59 percent saying the training is provided on an ongoing basis throughout the year and 34 percent say the training is provided once a year.

However, when asked if elected officials, their staff and senior leadership are exempted from cyber awareness training, 24 percent said yes, which, the report points out, is problematic for several reasons.

“It is important to remember that email addresses and contact information for elected leaders and management are easily available, meaning these officials are prime targets for phishing attempts and probing of government IT systems,” the report notes. “Allowing for exemptions may also set a bad and demoralizing example to others in the organization who are required to follow strict protocols.”

Alan Shark, CEO and executive director of CompTIA’s Public Technology Institute, tells Route Fifty that there is no excuse for senior officials to be exempted from cyber training. “These cut arounds are because they don’t want to be part of it,” he says, noting one example in which a county’s CIO was chastised for sending a phishing test to elected officials. “When you have these exceptions, word gets out and that’s not good for morale.”

Click the banner below to get access to a customized content experience and exclusive articles.

What Is the State of Local Government Cybersecurity?

The survey was conducted in August and September 2021, with more than 75 local government IT executives participating.

According to the report, 81 percent of IT executives said their local government has a governmentwide cybersecurity policy that sets rules for employee behavior and operational safeguards and procedures, and 73 percent of respondents stated that their policy has been reviewed over the past 12 months. “PTI reminds leaders that policies and procedures are only as effective as their review and, where appropriate, testing,” the report notes.

In terms of network security and auditing, 33 percent of respondents said their municipality had “conducted a network or security audit of all IT systems and policies” within the past 12 months, according to the report.

While 54 percent reported that they had tested or audited some systems and policies, an “alarming” 13 percent had not conducted any system test or audit in the past year, according to the report.

More local government agencies are employing mobile device management policies, with 65 percent of respondents saying they had a policy in place for employee or contractor access to government information systems. That figure was up 10 percent from PTI’s 2020 survey

Fully 90 percent of respondents said their organization has cyber liability insurance, up from 78 percent in 2020. However, cyber insurance policies are increasing in complexity, according to the report.

“This could be why only 23% of IT executives share that they are completely familiar with their insurance policy requirements and procedures to immediately follow in the event of a breach or incident; 65% share that they are somewhat familiar with their policy requirements and 12% share that they are not at all familiar with their policy requirements,” the report states.

EXPLORE: How can your agency more effectively combat ransomware?

How Are Localities Working with States on Cybersecurity?

Experts have long pointed out the need for greater collaboration between state and local governments on cybersecurity.

When asked to rate the relationship between local and state governments on cybersecurity — specifically related to information sharing, resource sharing, education and training provided by the state to local governments — 31 percent rated the relationship as excellent.

Another 44 percent of respondents rated the relationship as just fair, and 25 percent describe the relationship as poor.

“Clearly, more work needs to be done to foster collaboration,” the report notes. “Organizations like CompTIA-PTI and the National Association of State Chief Information Officers (NASCIO) continue the push to educate state and local officials as to the need to build effective and trusted partnerships. Despite these worthwhile goals and initiatives, many tech leaders have often lamented that they have almost zero relationship with state IT agencies — let alone the state CIO.”

“Collaboration is a two-way street,” Shark says in the report. “Don’t wait for your state colleagues to approach you. Reach out to your state CIO and begin the dialogue around resources, key contacts, and information-sharing that will strengthen your cyber efforts.”

Nes/Getty Images