How State and Local Governments Can Protect Themselves in an Increasingly Complex Cybersecurity Threat Landscape
Clint Dean, Vice President of State & Local Government
Dean Johnson, Senior Executive Government Advisor, Public Sector, North America
As connected technologies grow in popularity and their use increases across the private and public sectors, cybersecurity has been thrust into the spotlight. State governments, in particular, face attacks from resource-rich nation states and cybercriminal syndicates on a regular basis. And cybercrime is only expected to get worse in the coming years, with its cost predicted to rise to over $10 trillion annually by 2025.
Against this backdrop, state and local governments need to develop and maintain effective cybersecurity policies, practices and products to protect critical state infrastructure that could potentially be crippled by a well-executed cyberattack. However, there are some critical challenges that government agencies must overcome before their cybersecurity policies can be considered mature. Here are three of the most common cybersecurity challenges government agencies will face in 2022 and beyond.
Challenges state governments face when developing cybersecurity policies
Limited state resources have to be spread across various government obligations
Ensono works with various government agencies to analyze, implement, and improve cybersecurity policies. The most common challenge states face is that dedicated cybersecurity spending remains relatively low compared to other state expenses. Tax revenue and state resources must cover a wide variety of critical infrastructure. As such, it is crucial that each dollar spent on cybersecurity is spent effectively and efficiently. As things stand, 80% of IT leaders say that modernization projects fail to generate appropriate cost savings due to unnecessary complications in policies and processes.
Resource-rich malicious actors are constantly attempting to breach state defenses
Every organization, regardless of size and domain, has experienced a cyberattack in one form or another. Whether these attacks are as simple as a phishing attempt or as complicated as a large-scale distributed denial-of-service (DDoS) attack, defenses must be put in place to prevent them from affecting operations. Cheap and easily deployed ransomware is readily available, and the barrier to entry for cybercrime has never been lower.
State and local governments must protect against these threats to keep resource-rich nation states from infiltrating their defenses. The malicious actors that target state and local governments tend to have more resources at their disposal than a typical cybercrime syndicate and also have access to more complex and potentially more destructive attack mechanisms. These attacks will only get more complicated over time. Government agencies must be prepared to react to any changes in the threat landscape quickly and decisively.
Excessive red tape can make improving cybersecurity policies a challenging exercise
The expansion of the threat landscape has placed significant pressure on individual agencies and states to develop and maintain critical cybersecurity infrastructure. However, this pressure is often felt at an individual agency level rather than across a state, particularly in states with immature cybersecurity policies. When the time comes for IT leaders to develop cybersecurity policies for their individual agencies, they tend to take their cue from the priorities set by the state. This means that deficiencies that exist at the state level are likely to have a snowball effect on the rest of the state’s partner agencies. The fact that only 28% of states report that they collaborated extensively with local governments as part of their state’s cybersecurity program further compounds this problem. As a result of extensive red tape and differing budget priorities, states are not nimble enough to adjust their posture to react to an ever-evolving threat landscape.
3 things state governments can do to shore up their cybersecurity program
1. Develop a culture with cybersecurity and personal responsibility at its core
While cybersecurity policies and processes allow individuals within an organization to conduct daily activities governed by a set of rules, IT leaders can sometimes overlook the importance of developing a strong culture with cybersecurity at its center. With both public and private organizations embracing remote work and hybrid work models, personal responsibility has to be encouraged at every level, from management to employees. Laptops and other equipment that is authorized to be used for work can be targeted by cybercriminals to a much larger extent due to the lack of protection on the networks that they are connected to. Additionally, with state and local governments engaging multiple agencies to go about their daily activities, IT leaders must ensure that each individual within each partner agency takes the same approach to cybersecurity.
2. Never be complacent about the state of cybersecurity in any given state
The most important thing for state and local governments to realize as they embark on their cybersecurity journey is that the threat landscape is extremely dynamic. New attack methods are constantly being developed by malicious actors, and attack surfaces will only continue to grow as more states become technologically mature. This means that government agencies must regularly evaluate the effectiveness of their cybersecurity policies and adjust them where necessary.
Regardless of the maturity of cybersecurity policies, it is critical that states continually look for and address areas for improvement within existing cybersecurity portfolios. The threat landscape has never been static and states that fail to evolve with new threats risk being left exposed.
3. Improve awareness of cybersecurity policies at every level of government
IT leaders spend significant time and resources establishing policies, practices and products designed to keep each asset safe from attack. However, these approaches must be used in the right way for them to be effective. IT leaders in government agencies must ensure that individuals at every level of the government hierarchy are aware of the established cybersecurity architecture and can navigate it effectively. Even before states can begin to conduct cybersecurity training, awareness training has to be conducted to provide the right context for any additional training to be effective.
These tips can help state and local governments remain on the right track when developing and maintaining security protocols and policies. However, the needs of each state and organization are unique. Apart from these universally applicable practices, public agencies must recognize the shortcomings and strengths of their individual cybersecurity portfolios and develop a plan that works in that specific context.
If you would like to find out how you can maximize the return on your state’s cybersecurity investment, contact us for a chat today.