Cyberattacks on state and local governments are on the rise. In 2020, more than 100 government agencies, including municipalities, were targeted with ransomware – an increasingly popular attack vector. The average downtime from recent cyberattacks on these targets is 7.3 days, with an average loss of $64,645.
These incidents are costly and disruptive. Most state cybersecurity budgets are a paltry 0% to 3% of their overall IT budget on average. But another real issue is a lack of talent and knowledge. According to CSO, "Resource-constrained municipalities find it hard to compete for cybersecurity talent with the private sector, which also faces a shortage of qualified professionals."
While budget may be tough to solve, there are ways to help close the knowledge gap. We’ve outlined five elements of a municipal cyber security plan. Properly implemented, it can help local governments better allocate security resources, reduce the risk of a breach, and protect constituent services.
The 5 essential elements of a municipal cyber security plan are listed below:
- Analyze the attack surface
- Benchmark municipal security performance against other cities
- Implement continuous monitoring for rapid response
- Scale security monitoring to third parties
- Update policies for employee devices and remote access
1. Analyze the attack surface
As a municipality’s digital ecosystem expands, so does its attack surface and overall threat landscape. Cities must get a handle on risk hidden across digital assets in the cloud, across departments, and across the remote workforce. Without visibility, protection is almost impossible.
One way to tackle this problem is to incorporate attack surface monitoring into the municipal cyber security plan.
By continuously analyzing the digital environment, security teams can quickly validate their cities’ digital footprints. With this insight, they can identify each digital asset, its location, and the corresponding cyber risk. For instance, if the city manager’s office uses an application without IT’s knowledge, security teams can quickly discover that asset and understand its potential for risk.
Importantly, with this ecosystem-wide view, administrators can prioritize remediation of assets that are at disproportionate risk or most critical to the municipality, such as those used by emergency services and utility departments. This ensures that budgets and resources can be focused where they’re most needed.
2. Benchmark municipal security performance against other cities
Another strategy that can help municipalities focus their security efforts is to benchmark security performance in the context of their peers. Understanding the standards of care that other cities are maintaining can help security leaders determine security targets that they should strive to achieve, and where their current security programs may fall short. From there they can create improvement plans, prioritize cyber risk-reduction strategies, and, if needed, advocate for increased security resources.
3. Implement continuous monitoring for rapid response
Time to discovery is critical in minimizing the impact of cyberattacks. Security responders can get one step ahead of the bad guys by using a continuous monitoring tool like security ratings.
Security ratings are data-driven measurements of ecosystem-wide security performance. Derived from objective, verifiable information, ratings help assess risk and the likelihood of a data breach based on externally observable risk factors – such as open ports, misconfigured software, compromised systems, exposed credentials, and weak security controls.
Findings are presented as a numerical score – much like a credit score – making it easy for everyone to understand how well the municipality can withstand an attack. Because time is of the essence, these insights are captured in near real-time so that security gaps can be rapidly identified and city leaders can make quick and effective decisions about risk reduction.
Continuous monitoring with security ratings is a beneficial approach for municipalities with decentralized or distributed security programs, which range from city hall to local schools. This method enables the measurement of the overall effectiveness of the security program, rather than a siloed approach to security management and measurement.
4. Scale security monitoring to third parties
As the SolarWinds supply chain attack showed, third parties pose a significant cyber risk to government entities. Although the federal government was the main target of that hack, smaller organizations are just as susceptible to these attacks and must up their game. Simply reviewing a third party’s cyber security policies and protocols isn’t enough – deeper and continuous cyber security assessment of their security postures is needed.
But with small IT departments and restricted budgets, it’s not always easy for local governments to scale third-party risk management programs across the hundreds of contractors that support municipal services.
Fortunately, security ratings can also be applied to third-party networks.
Before a prospective supplier is selected, municipalities can use security ratings to get an instantaneous snapshot of each potential vendor’s security posture. During onboarding, acceptable risk thresholds can be established and incorporated into contracts, much like an SLA. If the vendor’s rating falls below that score anytime during the relationship, an alert is generated and the appropriate department can engage the vendor to initiate remediation.
The great thing about using security ratings for third-party cyber risk management is that the capability allows cities to flexibly scale their vendor risk assessments with ease, no matter how large their vendor portfolio.
5. Update policies for employee devices and remote access
In today's digital age, many professionals have the flexibility to work from home or while on the go. While this can be convenient, it also poses a security risk. With more personnel working outside the traditional network perimeter, municipalities must also factor updated policies and network security guidelines for remote and home-based access into their cyber security plans.
Actions include tightening firewall and VPN policies and monitoring the network for unusual activity. Users should be encouraged to embrace easy-to-implement security measures, such as always using secure connections, regularly applying patches, and practicing strong password hygiene.
Mitigate risk with a proactive municipal cyber security plan
There are other elements to a layered cyber security strategy that we haven’t mentioned here, such as endpoint security, intrusion detection, access control, and secure backups. Each is important, but as cyberattacks get more sophisticated, defense strategies must also evolve.
In today’s high-risk environment, municipal leaders must find ways to discover hidden security issues, continuously monitor risk, and educate users about how they can protect themselves – and their cities – from cyber threats while working remotely. Threat actors are stealthier and more persistent; municipalities must be prepared.