If you are concerned about cybersecurity, you are not alone. Local government organizations house troves of sensitive personal information, including driver’s license numbers, credit card numbers, Social Security numbers, and financial and contractual information. Cybercriminals can hold this information for ransom or sell it in the cybercrime economy. Former director of the Maryland Institute for Policy Analysis and Research, Donald F. Norris, has spent the past 27 years studying local government systems.
Barriers to Achieving High Levels of Cybersecurity
The digitization of municipal services has brought with it benefits and challenges, and the threats of cyberattacks continue to evolve. According to preliminary findings, municipal cybersecurity programs are constantly under attack. One of the biggest problems is end-user error, where users click on phishing emails or engage in malicious activities. In addition, local governments often have limited funding and staffing, and their cybersecurity policies are inadequate or not enforced.
Lack of resources: Although cybersecurity has long been on the radar of local governments, the current threat environment has brought the issue to the forefront. Many sophisticated cyber threats have shifted their focus to local governments. Nontechnical stakeholders need to know the potential consequences of a cyberattack before they can take action. Local governments can also leverage existing resources and partnerships to enhance cybersecurity. But this can be difficult and expensive, especially when it comes to the cybersecurity budget.
Funding and staffing: Increasing funding for cybersecurity is a key issue for local governments. In the U.S., local governments pay less for cybersecurity experts than other sectors and therefore must find ways to compensate them. Respondents ranked the need for higher funding, more effective cybersecurity policies, and better employee awareness as the biggest barriers to achieving high levels of cybersecurity. However, only one percent of local governments surveyed had a stand-alone cybersecurity department, and primary responsibility for security lies with the IT department.
While the need for cybersecurity is growing in local government, achieving high levels requires more than technological solutions. Training employees in cybersecurity will help them become a first line of defense against cybercriminals. Employee training is essential, and regular cybersecurity training should be a part of the municipal workforce’s regular education and awareness-building efforts. In addition, cybercriminals often target government employees with phishing emails and other forms of malicious software.
Measures to Improve
A good cybersecurity program is essential for every organization, and a local government’s program should be tailored to the community’s needs. The National Institute of Standards and Technology (NIST) has released a framework for local governments to assess their cybersecurity capabilities, identify goals, and measure progress toward achieving those goals. Local governments are especially vulnerable to cyberattacks, so a plan for improving cybersecurity is crucial. Here are five measures to improve your cybersecurity program:
Regular assessment of security weaknesses: Local governments must continually assess their systems to identify any vulnerabilities. Software, network equipment, and Wi-Fi access points are common weak points. An assessment should identify what information is sensitive and how those vulnerabilities can be exploited. As a rule, new hardware and software should be evaluated for cybersecurity risks before implementation. This prevents hackers from taking advantage of vulnerable systems and compromising valuable data.
Collaboration with state and federal agencies: There are many ways to strengthen your local government’s cybersecurity program without spending any money. While there are no overarching cybersecurity guidelines for local governments, there are several resources available to help them effectively manage their cyber risks. MS-ISAC, a nonprofit organization, provides a centralized information-sharing forum for state and local government officials. Joining MS-ISAC is free, and its members are empowered to share information and best practices.
Establish and implement a security policy for your government’s information systems. It should include a process for regularly backing up information, assessing risks, and responding to incidents. The longer data remains on the system, the greater the risks. As such, it is imperative that local governments create a data archiving process. Furthermore, they must establish strict rules about access to and destruction of information, including personally identifiable information.
There are many resources available to learn more about increasing cybersecurity for local government. New threats arise on a regular basis, so keeping abreast of the latest threats is vital to protect your agency’s information. MRSC staff occasionally writes about cybersecurity. You can also assess your agency’s readiness with regular audits of your hardware, software, and internal controls. Below are some resources that can help you maintain the best cybersecurity posture for your agency.
Develop and document policies for your entire organization. Local governments should periodically assess their security vulnerabilities, including network equipment, software, and Wi-Fi access points. This assessment should identify sensitive data and the risks to data and information. Evaluate new hardware and software before implementing them. The best way to ensure that your entire IT infrastructure is secure is to implement a documented policy. Make sure your personnel understand the implications of their actions.
Protecting the public’s data is vital to the health and safety of your community. The amount of data that local governments handle is increasing exponentially, making them prime targets for cybercriminals. To mitigate the risks from a cyberattack, local governments must develop offensive and defensive strategies. While there is no single, universal approach to protecting your data and systems, there are many cost-effective strategies for managing cyber risks. If you are a municipal employee, consider hiring a security professional who specializes in cyber security to improve your organization’s preparedness.
Understanding new security risks and the threats that they present is an important first step to securing your network. A basic understanding of vulnerabilities is also crucial. Local governments should also look at cybersecurity as a top-down responsibility, rather than an IT issue, and take an approach that incorporates all areas of the organization. You can also utilize an online resource to learn more about cyber threat trends and cyber risks.
Importance of Vendor Management
A vendor’s role in ensuring cybersecurity is essential to the success of a local government’s cybersecurity program but is often overlooked, so it is essential to properly secure these contracts. Local officials have a number of responsibilities when it comes to securing sensitive personal and government data. By using passwords and encryption, they can protect their data. These measures will help prevent unauthorized access to data, files, and messages stored on municipal computers and devices.
In order to protect against cyberattacks, local governments should assess their existing hardware and software. Common weak points are network equipment and Wi-Fi access points. A thorough assessment can identify which areas need improvement and direct resources toward bolstering security. Additionally, cybersecurity initiatives must be incorporated throughout an organization, not just in the IT department. For example, if the city is planning to purchase new hardware or software, the council should consider the cybersecurity implications before committing to a purchase.
A vendor risk management program enables the government to monitor third-party vendors and service providers and to minimize cyber risks. By protecting intellectual property and sensitive data, vendors can ensure business continuity. The lack of robust vendor management is one of the largest gaps in an organization’s information security program. Without a vendor management program, an organization will not be able to develop a sound business continuity plan or incident response strategy, or gain visibility into vendor compliance.
A comprehensive third-party vendor management program can satisfy regulators while forming a solid foundation for addressing third-party cyber risk. It should assign specific roles and responsibilities to key personnel, including those responsible for the onboarding and classification of vendors. It should also cover important areas such as terminating vendor relationships and managing transitions. Once these measures are in place, vendors will no longer pose a security risk to local government.
Developing a Culture of Cybersecurity Awareness
Developing a culture of cybersecurity awareness in local government can be challenging but rewarding. Most local governments have adopted some kind of training program, including mandatory cybersecurity awareness training, but this training has been lacking. In order to address this issue, local governments should reassess their training program and focus on the importance of appropriate cyber hygiene and behavior. Developing a culture of cybersecurity awareness in local government requires a shift from focusing on the role of technologists to embracing their cybersecurity role. Local governments should provide adequate funding and promote cybersecurity throughout their organization.
The top officials of local governments should insist on a culture of cybersecurity accountability and must act accordingly. Only when the top leadership team buys in will employees respect cybersecurity and practice proper cyber hygiene. This will improve the overall outcomes for cybersecurity in local government. Small local governments often lack budget resources for cybersecurity training and education, so they must rely on the expertise of their staff. Developing a culture of cybersecurity awareness for local government is the best way to get your team on board and begin implementing a cybersecurity awareness program.
It is essential for local government managers to understand the primary types of cyberattacks. Basic knowledge of the terms used to describe cyberattacks will be valuable in managing the risks. Developing a culture of cybersecurity awareness in local government can begin with educating employees about cybersecurity risks and the importance of cybersecurity awareness. In addition to training staff, local governments should also create cybersecurity training for employees and implement measures to combat cybercrime.