While big-name incidents fill the headlines, local governments and agencies face cyber crime at an alarming rate. In a very direct way, this impacts everyone’s life. The pandemic has forced state and local groups to deploy defenses at a distance over their networks and apps. But local security is often not encrypted and insecure, with no improvements made to defenses at all.

Studies have shown that only 38% of state and local government employees have been trained on ransomware prevention. What kind of damage occurs due to this lack of training? Last April, the Washington D.C. police force suffered an attack by a group allegedly posting department data. The data dump included more than three dozen of the police chief’s daily intelligence briefing papers.

Meanwhile, ransomware attacks against Baltimore County Public Schools and Fairfax County Public Schools caused online classes to grind to a halt.

For threat actors, no government agency is too big or too small. The Hampton Roads Sanitation District, Bristol Police Department, Baltimore’s largest drug treatment clinic, an Iowa school district and the Alaska Department of Health and Human Services have all been victims of cyber crime. This middle zone of society — where everyday things like schooling, wastewater treatment, health care and law enforcement occur — is at risk for attack.

Cyber Crime: A Well-Known Risk

The attack on the Baltimore county schools occurred one day after a state audit found “significant risks” within the system’s computer network. The school district hadn’t secured the network enough or properly safeguarded sensitive personal information, according to the Office of Legislative Audits.

The audit found that “intrusion detection prevention system coverage for untrusted traffic did not exist.” Students were allowed “unnecessary network-level access to administrative servers” within the school system’s data center and individual schools. Also, 26 servers open to the public were located within the district’s internal network rather than isolated in a separate protected network zone to reduce risks.

The problem is schools don’t put cybersecurity first. But maybe they should. In some cases, auditors have been warning local governments for years about the risk of cyber crime.

A Bonanza of Targets for Cyber Crime

There are over 90,000 local government organizations in the U.S. alone. These offices house troves of data, such as personally identifiable information (PII), names, addresses, driver’s license numbers, credit card numbers, Social Security numbers and personal medical information. And each office has contractual, billing and financial information of the governments themselves. All of this data can be held for ransom and/or sold later if it gets into the cyber crime economy.

Donald F. Norris served for 27 years as director of the Maryland Institute for Policy Analysis and Research. He was also the founding editor-in-chief of the International Journal of Electronic Government Research. His research shows conclusively that, on average, local government systems are not well defended.

In 2021, $118.7 billion in technology spending was projected for state and local governments. However, this budget doesn’t even come close to covering all the technical and security needs facing government organizations.

Norris points out that the top three barriers to effectively defending against cyber crime are the inability to pay competitive salaries to cybersecurity employees (58.6%), insufficient number of cybersecurity staff (53.1%) and lack of funds (52.8%). All three involve constrained budgets.

Finally, for local governments, the rapid spread of Internet of Things devices (cameras, sensors, traffic management, meter reading, etc.) greatly increases an attack surface. Devices tend to be numerous and heterogeneous, with different manufacturers, capabilities and interfaces which makes security management all the more difficult.

Massive Cybersecurity Gap

Many government offices are woefully lacking in tools and strategies to prevent cyber crime. For example, in the city of Baltimore, a simple Microsoft patch could have prevented an $18 million incident caused by Robbinhood ransomware.

In that 2019 incident, threat actors took over nearly all of Baltimore’s IT infrastructure and demanded a ransom of 13 bitcoin (about $76,000) to release the city’s systems and data. The city refused to pay and ransomware recovery lasted months before systems came back online. During that period services for water billing, property taxes, property sales, parking tickets, email and voicemail were all disrupted. Today, these ransomware examples have become all too common.

Funding, Funding, Funding

While money doesn’t fix everything, in the case of local government security risk, lack of funding is a major problem. Whether they are aware of the risk or not, school districts, public health care facilities and police departments don’t have cash lying around to cover the cost of security.

In a large sense, it begins with awareness. Even though it may be embarrassing, cases like Baltimore should be shared with other local government leaders. If they don’t implement budgetary measures, nothing will change when it comes to crafting and deploying adequate security policies.

Every government has spending priorities. However, with so much depending on IT infrastructure these days, can any fail to have a solid security plan?

Cyber Insurance

Local government leaders may suggest cyber insurance, at least as a starting point. The reason for this is that most insurance providers will perform an audit. From there, critical issues that could open the client up to cyber crime can be found and resolved. Also, insurers can provide guidance on incident response steps.

There’s a good chance the public and private sectors may need to team up to address the gaps in local government. The U.S. government itself has already laid out guidance with the NIST Cybersecurity Framework.

Seven Important Cybersecurity Policies for Local Governments

Norris outlines the following as the backbone of defending against cyber crime for local government agencies:

  • Formal cybersecurity policy
  • Password management policy
  • Policy regarding applying software patches
  • A cyber risk management plan
  • Incident response/disaster recovery/business continuity plan
  • Policy on the use of external devices (e.g., cell phones/flash drives)
  • Policy for vendors, contractors and cloud services.

Cyber security needs to be improved in many sectors, but the public square is one place we cannot afford to neglect. Local governments, agencies and schools need all the funding and support they can get.

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today