May 10 2022

Palo Alto Networks Report: State and Local Agencies Lack Incident Response Plans

The findings come even as ransomware attacks have grown in number and become more costly in recent years.

The vast majority of state and local government leaders believe ransomware attacks aren’t going away anytime soon. Still, fewer than half say their agencies have planned out what to do if an incident occurs, a recent report shows.

Palo Alto Networks conducted the research with the Center for Digital Government, surveying 200 state and local government leaders. When asked if their organization had an incident response plan, 31 percent said yes, and 17 percent said it was part of a larger cybersecurity response plan. Another 10 percent said they were actively working to create one.

The National Institute of Standards and Technology defines an incident response plan as “a predetermined set of instructions or procedures to detect, respond to and limit consequences of a malicious cyberattacks against an organization’s information system.” Of those respondents with an incident response plan, 32 percent said they were “very confident” in their organization’s ability to respond to and minimize the effects of a ransomware attack. Only 5 percent of those without an incident response plan said the same.

Meanwhile, 79 percent do not believe that the threat of ransomware attacks will subside significantly in the next 12 to 18 months.

The findings come as ransomware attacks have grown in number and become more costly for victims in recent years. The average paid ransom increased from $115,123 to $312,493, or by 171 percent, between 2019 and 2020, according to the report. “When hit by a ransomware attack, state and local governments face a difficult choice: pay up or risk the interruption of vital operations and services that their communities rely on,” the report notes.

Reporting Is Lacking, Especially Among Small Governments

Dr. Alan Shark, vice president for public sector and executive director of CompTIA’s Public Technology Institute, says he isn’t surprised by the findings, which generally align with his own organization’s research in the field.

“There are some really small operators out there — small, local governments — and I’m very worried in terms of, not their dedication, but their capacity to respond in a meaningful way and in a timely manner,” he says.

Incident response plans cover everything from who will be communicating on behalf of a company to how to shut down systems to prevent further compromise, as well as priorities for the recovery phase and more.

Aside from streamlining an organization’s response and helping curb losses from an attack, one often overlooked reason for having an incident response plan is that cybersecurity insurance companies (enlisted by 60 to 75 percent of state and local government agencies, according to Shark) often require that they be the first contact in the event of an attack. Without an incident response plan in place, that reporting requirement could be missed, and agencies would be in violation of their agreement.

Shark says government agencies should not only have a plan but practice it often. When ransomware attacks happen, threat actors typically give a tight deadline, such as 72 hours, for victims to act.

“Imagine a firefighter going to a fire and, on the way, deciding how they’re going to tackle it,” Shark says. “You need to know what buttons to press, what levers to pull at the right time when something happens, because time is not on your side.”
