Here’s a chilling thought: Throughout the U.S., hackers and cyber criminals are hard at work hammering government agencies with denial of service and other cyber attacks. Local, state, or national agencies—none are safe from relentless pounding. If you have any doubts that cyber attacks are a problem, consider this: In Texas, the state’s IT agency blocks billions of attacks a year, with an average of 3 billion monthly intrusion attempts. Fort Worth experiences about 15,000 attacks every day.
Static or shrinking IT budgets, legacy infrastructure, and out-of-date ideas about the risks of cyber attacks combine to make IT security more complex and challenging than ever. Fortunately, there are ways to rethink IT security and avoid the effects of an inevitable attack.
The wolf is at the door…and picking the lock
It’s time for public sector agencies to act on what they already know. Bad actors and an increasingly complex IT security environment are taking down the IT infrastructures of more and more local and state agencies.
In an ICMA survey, 44 percent of local government agencies reported that they regularly face cyber attacks. About 70 percent of those organizations don’t know how often attacks occur. And about 54 percent of local governments surveyed don’t catalog or even count cyber attacks.
What makes government offices such a juicy target?
Cyber crooks cast longing looks at government IT information resources because:
- States and cities of all sizes store valuable data. Every municipal or state office stores information that bad actors can convert into cash.
- Many local and state agencies are easy pickings, and hackers know it. Local governments especially are more willing to pay attackers to regain access to their files. When these attacks turn a profit, cyber criminals will try again and again.
- Often, IT security isn’t a well-funded or top-of-mind priority. Local and state governments are typically light on budget, IT talent, and other resources.
Opportunity isn’t the only stimulus to cyber attacks. Sometimes, faulty thinking opens the door, too.
False beliefs and misunderstandings
Assumptions and mistaken ideas about IT security also contribute to government IT vulnerability. Three of the most potentially harmful ideas are:
- Cyber risk is an IT problem. No, it’s an agency-wide threat, which must be solved by the entire agency.
- Advanced security technologies will save the day. Maybe someday, but machine learning and other promising technologies still haven’t lived up to their hype.
- A big IT budget ensures a secure IT infrastructure. If you spend big on tech that the bad guys can overcome, you’ve wasted your money.
When we talk about cyber attacks, we’re talking about the likelihood of suffering different types of losses. What do we lose in attacks, and why do they matter?
A great way to annoy taxpayers
When hackers strike, public agencies lose many things. Some are tangible, others are difficult to measure, but all are very valuable. These losses include:
- Vital customer-facing services. Whether it’s ransomware, phishing, DDoS, or an insider attack, when the network goes down, services—the direct line to taxpayers—come to a halt.
- Taxpayer, employee, business, and healthcare records. Malware can destroy stored data, and ransomware attackers don’t always return files as promised.
- Staff productivity. System downtime and lost productivity account for more than half of the total cost of cyber attacks.
- Revenue. When the system is down, many revenue streams dry up. Agencies can’t process payments and collect revenue to fund their operations. No online tax payments, utility bills, traffic tickets—not even overdue library book fines.
- Your agency’s reputation for transparent, efficient services. Taxpayers expect things to work. When things don’t work, they remember.
You can fix broken IT infrastructure, but taxpayer frustration and erosion of trust can be the longest-lasting effect of cyber attacks on government agencies.
Thinking beyond firewalls and antivirus software
The most effective way to protect government IT security is to start from the top down. That is, start with the ideas first and then proceed to specific actions that support them:
- Redefine IT security economics. It’s been standard practice to view the costs of cyber attacks as the cost of recovery and notification. A new best practice measures value at risk (the expected value of total attack-related costs) as a more accurate way to identify potential losses.
- Make cyber security more than just the IT department’s problem. Preventing and mitigating cyber attacks require employee security awareness and cooperation between agencies.
- Explore modern software, hardware, and best practices. It’s important to get beyond the notion that security equals anti-virus software plus traditional firewalls. There are many other things to consider. For example, malware has evolved to evade detection by AV software. Buy advanced software that blocks infections regardless of their source and stops them in real time before any damage occurs.
- Work around slender budgets and a lack of specialized talent. By collaborating with other departments or agencies, you can share the latest skills, knowledge, and collective experience. Many state governments are creating alliances, multi-agency groups that tackle existing and emerging cyber security threats.
Effective mitigation whatever the challenges
There are many specific steps you might take to reduce your risk of cyber attacks. Rethinking your approach to IT security, collaborating with other departments or agencies, and becoming familiar with the latest hardware and software can help reduce security risk, no matter what your budget. And don’t forget your insurance option. Companies are just beginning to offer state and local governments cyber threat coverage.