Hopefully, your organization just wrapped-up a successful series of activities promoting cybersecurity awareness as part of Cybersecurity Awareness Month in October. The most obvious lesson stemming from the month's events is that the informed will stay informed – and watchful. The challenge, as many of us experienced, was reaching out and educating the ill-informed or misinformed; those individuals for whom cybersecurity is not a constant worry or challenge, those who think everything is ok with their cybersecurity efforts, and those who find comfort in the old saying “if it ain’t broke don’t fix it.”
Since last year, ransomware attacks have nearly doubled in just about every public and private sector category. Public institutions are particularly vulnerable given the fact that so many lack the necessary resources in staff, equipment, and training. And criminals find local governments particularly attractive due to the amount and types of information that local governments collect and manage.
Along with the increase in the number of attacks is the increase in the amount of dollars (or bitcoins) – the ransom - that is being demanded.
This year has certainly been far different than anything we have experienced in recent memory. The COVID-19 pandemic has caused massive shifts in the way local governments deliver and process critical services. Starting in March 2020, in the course of just a few weeks everything we regarded as normal was upended. Within days and weeks governments across the nation pivoted to a dramatic work from anywhere strategy leaving many systems exposed to the realties of ad-hoc work around systems.
To gain a better understanding of the local government issues and priorities regarding cybersecurity, CompTIA’s Public Technology Institute (PTI) recently conducted its annual National Survey of Local Government Cyber Security Programs. What follows are some highlights of the study.
How engaged are your elected officials with regards to your cybersecurity efforts?
This is a question of great importance because without the knowledge and understanding from those who preside over the distribution of critical resources many localities may be at a greater risk. PTI has always advocated and promotes the need for elected officials to be engaged in their government’s cybersecurity strategy.
Twenty-three percent of IT executives state that their elected officials are actively engaged in their government’s cyber efforts. Fifty-four percent state that their elected officials are somewhat engaged. Twenty-three percent of IT executives report that their elected officials are not engaged at all.
Do you feel that your cybersecurity budget is adequate?
Having the right resources is a paramount concern when it comes to developing and maintaining cyber security monitoring and response systems. With regards to cybersecurity funding, 66% of IT executives feel that their cybersecurity budget is not adequate. While many local government budgets (not just IT) will be impacted negatively by the COVID-19 pandemic and resulting loss of revenues, PTI has urged local governments to continue to make tech support and infrastructure a key priority as remote/mobile works provides the best insurance against any type of unanticipated occurrence, let alone a major pandemic.
Do you have a dedicated staff to focus solely on cybersecurity?
Fifty-three percent of IT executives report that they have an individual whose job responsibilities are specific to managing their cyber security efforts (for example, a Chief Information Security Officer, or equivalent). Eighty-two percent note that these CISO-type positions report directly to the organization’s CIO or IT department director, while 13% say the position reports to the city or county manager.
Do you have or have had to modify a Mobile Device Management Policy?
With lessons still being learned regarding local governments dramatic pivot to a mobile workforce, fifty-five percent of IT executives report that they do have a Mobile Device Management Policy for employee or contractor access to government information systems. Thirty-three percent report that their policy addresses only government-issued devices for access, while 67% report that their policy addresses both government-issued and personal devices. When asked if their organization either modified their Mobile Device Management policy or implemented a BYOD policy in response to COVID, 76% of respondents state that their policies are adequate without the need to modify.
Do you provide employee awareness training?
This topic has never been more important since so much has shifted to a mobile and remote work environment requiring the management and maintenance of hundreds of thousands of new endpoints. Endpoints can comprise home computers, tablets, home Wi-Fi networks etc. Thankfully, each year this number continues to rise and this year, eighty-seven percent of local governments do provide employee awareness training. Of these local governments, 56% provide on-going training throughout the year, while 33% provide training once a year. As a leading practice, PTI promotes that training should be held throughout the year and using a variety of formats.
Does your organization maintain a formal incident response plan and disaster recovery plan that is tested annually?
When it comes to addressing cyber incident response and disaster recovery planning, 46% of IT executives share that their organizations do maintain a formal incident response plan and disaster recovery plan that is tested annually. In conversations with a number of officials we often hear that a response plan and a recovery plan are one in the same - they are not - or, that plans are developed, often with great effort and cost, but not tested on a routine basis.
Tying in response and recovery to the COVID-19 pandemic, 29% of organizations have found it necessary to modify either their incident response plan or disaster recovery plan as a result of COVID-19.
Do You maintain and how familiar are you with your cyber insurance policy, requirements and coverage?
Having a cyber insurance policy is recommended as part of any risk management plan. The number of localities that have cyber insurance policies has steadfastly grown year over year with seventy-eight percent of IT executives stating their government does have cyber insurance; 13% state they did not have insurance and 8% of respondents are not sure about their government’s insurance status.
We have found that many IT executives have voiced concern that they are not always in the decision- making loop regarding what the policy requires let alone what it covers. As for completing the government’s cyber insurance application, 32% report that a combination of officials is responsible for completing the application, 28% say that the risk manager is responsible for completing the application, and 20% say it is the responsibility of the IT executive. Regarding familiarity with their cyber insurance policy, requirements and coverage, 34% of executives state they have complete familiarity with their policy; 57% state that they are somewhat familiar and 9% state they are not familiar at all with their cyber insurance policy.
Cyber awareness is not a goal but an on-going process of continuous awareness, assessment and improvement. While organizational activities geared towards promoting awareness during October are important, those on the frontlines of our cyber defenses understand that the nature and threats regarding cybersecurity is not just an October event; it is twenty-four hours a day, seven days a week, three hundred sixty-five days a year.
Cyber awareness is now firmly ingrained in every IT professional and hopefully its import is spreading to all public managers and employees – technical or not. Cybersecurity is about constant vigilance and cannot be left to any one individual regardless of title and responsibility. Cyber awareness must be constant, and just as important, a responsibility shared by all.
Organizations such as PTI/CompTIA, MS-ISAC, state-based networks and the private sector technology community stand ready to assist and serve as a resource for information, networking, as well as provide practical solutions for training, assessments, and certifications.Copies of the full 2020 National Survey of Local Government Cyber Security Programs can be obtained here.