State and local governments, state-funded higher education institutions and K-12 school districts are seeing an increase in cyberattacks at their organizations. Mainly, this increase is because cybercriminals see the opportunity to breach organizations that are under less scrutiny in terms of oversight and compliance. Lack of scrutiny has meant security is less of a priority at government entities, so many are behind the curve in terms of their cybersecurity efforts and technology.
According to IBM’s 2020 Cost of a Data Breach Report, it takes an average of 231 days to identify a breach in the public sector and an additional 93 days to contain the breach from there—totaling 324 days. The global average is 280 days.
Additionally, many of these organizations are responsible for protecting highly sensitive personal information and providing important daily services. If their systems are infiltrated, held for ransom and rendered unusable, it puts them in a difficult position to negotiate or refuse.
With attacks on the rise, government entities need to prioritize cybersecurity and get ahead of this activity before it hits their systems.
Ransomware, a type of malware attack, is the primary way cybercriminals attack government entities. In a ransomware attack, cybercriminals inject malware into networks and systems, often by tricking individuals into downloading malicious files. They then encrypt important files throughout the system so that the entities cannot access them.
With these organizations, cybercriminals are usually less interested in the actual theft of data and more interested in gaining a ransom payment. They threaten theft because these organizations must protect an incredible amount of sensitive information and maintain daily services for their communities. In the event of a ransomware attack, such organizations are under pressure to both protect their data and continue to provide their services.
According to KnowBe4’s whitepaper, The Economic Impact of Cyber Attacks on Municipalities, municipalities paid an average of $125,697 in ransom from 2017 to 2020.
Another common cybersecurity issue for government entities is unauthorized disclosure, or breaches that result from the disclosure of information that shouldn’t be shared. This often comes down to human error. For instance, an employee might lose an unencrypted device or email information that’s supposed to be protected. However, with the right security precautions, policies and training in place, such risks can be greatly reduced. For instance, all devices should be encrypted, and employees should understand policies around transporting and connecting their devices.
One reason governmental organizations aren’t prioritizing cybersecurity is that they aren’t held to many direct compliance requirements. This compounds the fact that, typically, it’s difficult for leadership to prioritize and understand their own cybersecurity efforts and the risks they face.
Cybersecurity is Not a Priority for Leadership
Forty-eight percent of elected councilors and/or commissioners report they don’t know the extent of the need for cybersecurity measures in the community.
This isn’t to say that leadership doesn’t care; it’s simply that they’re not entirely educated on the matter. Their expertise is in running schools and government organizations, rather than cybersecurity. However, cybersecurity is a large risk, and risk management is an important part of running any type of operation.
Culture is a Barrier to Change
In the same vein as issues with leadership, culture at government entities can make it difficult to push through any change. New initiatives must pass through a series of discussions and approvals, and it’s hard to create change in a long-standing organization that has been operating one way for a long time. Plus, there are often multiple organizations within a single government entity that would have to adopt the new practice, which makes gaining acceptance and buy-in even more complex.
Employees Don’t Have Adequate Training
Another major reason these organizations have fallen behind and are vulnerable is a lack of training, education and awareness. Such measures can do wonders to secure your infrastructure, as individuals will know what to look for in terms of malware and email phishing, and they’ll better understand how to avoid and prevent unauthorized disclosure.
Funding is Either Unavailable or Allocated Elsewhere
For many government entities, funding is a significant barrier to implementing mature cybersecurity measures. This is particularly true for K-12 school districts, which don’t necessarily have the funding to either prevent or respond to an incident.
For organizations that have the funds and don’t invest them in cybersecurity, it’s often the case that they see their IT department as a cost center that doesn’t get them returns. It’s difficult to see the value in the investment—until you’ve experienced an incident and learn the high cost of responding and recovering.
In fact, about 50% of states do not have a committed cybersecurity line-item budget, and over 30% of states have seen a reduction in funding or no change at all.
Resources Are Difficult to Find and Keep
Getting the right people on board to help with cybersecurity is both expensive and difficult to do. It can also be difficult to keep both security talent and IT professionals. Thus, many government entities rely on third-party vendors for a portion of their IT needs, particularly cybersecurity. Third-party vendors don’t always have the right skillset to adequately meet those needs.
Organizations Aren't Prepared to Respond
Though governments tend to have more infrastructure and people than a small business would, they don’t use those resources to create a response plan that would help them in the event of an incident. They should be taking every opportunity to identify their risks and shore up their capabilities to reduce those risks. Even their third-party vendors might not understand the risks they face or know how to prepare the organization for them. So, when an incident does occur, they’re unprepared.
As you can see, a common thread in the challenges government entities face is that people don’t understand the value of robust cybersecurity. They’re doing the math from the wrong angle. When it comes to risks like a ransomware attack, you must calculate what you’ll save by preventing an incident or by having a cost-reducing response plan in place.
Many government entities, such as K-12 school districts, find themselves in a position where they must pay the ransom demanded. They’re unprepared, they must protect sensitive data and they need their services back up and running. Schools have been seeing an increasing number of incidents and attacks. The K-12 Cybersecurity Resource Center tracks incidents at K-12 schools and shows what type of incident each was, such as ransomware or unauthorized disclosure. According to their 2019 Year in Review, publicly disclosed incidents nearly tripled from 2018 to 2019.
According to KnowBe4, recovering from a ransomware attack tends to be markedly more expensive than the cost of the ransom itself—by millions of dollars. For example, in a Georgia ransomware attack, the cybercriminals demanded $55,000, and Georgia refused to pay. Recovery was expected to cost up to $17 million.
Denial of Service Costs
In 2019, the State of Texas experienced a ransomware attack that impacted 22 municipalities, locking down their systems and putting them out of service. The cybercriminals demanded $2.5 million. During the attack, services like processing utility payments and providing access to birth and death certificates were unavailable for certain municipalities.
When an organization is breached, it’s difficult to quantify the damage to their reputation and the level of trust they’ve lost in their communities. Citizens often have no choice in offering their personal information to such entities if they want to receive necessary services, and they expect that information will be safe and secure.
For government entities to execute a successful cybersecurity plan, leadership must be invested. They need to see this as more than an IT problem. It’s managing a risk that could be detrimental to their organization. There must be a sense of ownership by city councils, city managers, boards of directors and governing bodies and executives. And they must work together with their IT department and relevant cybersecurity experts to develop a phased approach that will be accepted and executed within their organization.
Similarly, every relevant party must be educated and trained to follow cybersecurity best practices and policies. Awareness is the best defense against a cybersecurity incident. This training should include everyone from board members to interns.
For immediate protection, even as you’re developing policies and training, there are a few key actions you can take to protect your organization:
These actions will get quick results, protecting you while you put strategic processes and procedures in place. At Eide Bailly, when we work with government entities, we typically shore them up with these foundational practices and others to ensure an increased security posture.
Finally, when developing your cybersecurity plan, don’t neglect incident response. Being prepared is vital and will help you reduce risk should an incident occur. However, these are just initial steps. You want a robust cybersecurity plan with strategies for preventing, detecting and responding to the specific risks you face.
At Eide Bailly, we consult with state and local governments on their cybersecurity risks and help them implement strategies that will protect them for the long haul.