A Big Problem in State and Local Government Security
According to Sophos, state and local governments overwhelmingly report an increase in the volume of cyberattacks over the past year, both in terms of complexity (59 percent) and impact (56 percent). (Ransomware attacks seem especially problematic: Sophos reported that ransomware attacks against state and local governments rose 70 percent in 2021.) A cyberattack could allow hackers network access, shut down servers, interrupt emergency response systems, expose sensitive information and more.
An effective incident response program can help limit damage and speed up recovery from a security incident. Cross-functional IR teams can work quickly and effectively to detect, contain and recover from cyberattacks, communicate with affected stakeholders, and restore needed services. Fortunately, about half of state and local governments report they have an IR plan in place and test it regularly, according to a 2022 survey by the Center for Digital Government. Unfortunately, that means the other half either do not have a plan in place or have one that may not prove effective when needed. The worst time to find this out is during a cyberattack.
Here are five ways to make sure your incident response is timely, effective and thorough.
Develop a Comprehensive Incident Response Plan
Whether it’s called an IR strategy, playbook or plan, the approach is the same. Incident response starts well before an actual incident, relying on a robust IT infrastructure; continuous monitoring to detect security threats; and a strong, ongoing employee security training program. The IR team should be interdisciplinary, including management, legal, HR, public relations, customer service and other personnel.
The plan should encompass:
- The cybersecurity strategy and how it supports objectives
- Roles and responsibilities of team members
- Procedures and testing scenarios for each phase of an incident: detection, analysis, containment, eradication and recovery
- Procedures for communicating with all stakeholders and regulatory compliance agencies
- Post-incident activity, lessons learned and information sharing
Test the Plan to Assess Weaknesses
The incident response plan must be tested thoroughly to determine whether it covers all relevant activities and to ensure team members are familiar with it before an incident happens. Testing is often conducted via tabletop exercises, in which team members walk through the plan and ensure they are comfortable with the roles they will play. Consider unplanned security drills that can quickly uncover gaps in the plan.