The Impact of a Cybersecurity Incident or Breach on Governments

November 2, 2021
Remote work concept.

Want to know more about government cyber attacks? State and local governments, state-funded higher education institutions and K-12 school districts are seeing an increase in government cyber attacks at their organizations. Mainly, this increase is because cybercriminals see the opportunity to breach organizations that are under less scrutiny in terms of oversight and compliance. Lack of scrutiny has meant security is less of a priority at government entities, so many are behind the curve in terms of their cybersecurity efforts and technology.

According to IBM’s 2022 Cost of a Data Breach Report, it takes an average of 207 days to identify a breach in the public sector and an additional 70 days to contain the breach from there—totaling 277 days. There’s been a 2.6% increase in average total cost of a breach from 2021-2022, rising from $4.24 million to $4.35 million. Costs were significantly lower for some organizations with a mature security posture and higher for organizations that lagged in the various cybersecurity methods.

The longer it took to identify and contain, the more costly the breach. Data breaches that took longer than 200 days to identify and contain cost on average $4.86 million, compared to $3.74 million for breaches that took less than 200 days. The average time to identify and contain varied widely depending on the type of data breach, attack vector, factors such as the use of security AI and automation, and cloud modernization stage.

- | Cost of a Data Breach Report 2022

Additionally, many of these organizations are responsible for protecting highly sensitive personal information and providing important daily services. If their systems are infiltrated, held for ransom and rendered unusable, it puts them in a difficult position to negotiate or refuse.

With government cyber attacks on the rise, it's important to prioritize cybersecurity solutions for government organizations and get ahead of this activity before it hits critical systems, holding your data for ransom.

Common Cybersecurity Issues for Government Entities

Ransomware, or a malware attack, is the primary way criminals perform cyber attacks on federal government entities. In a ransomware attack, cybercriminals inject malware into networks and systems, often by tricking individuals into downloading malicious files. They then encrypt important files throughout the system so that the entities cannot access them.

With these organizations, cybercriminals are usually less interested in the actual theft of data and more interested in gaining a ransom payment. They threaten theft because these organizations must protect an incredible amount of sensitive information and maintain daily services for their communities. In the event of a ransomware attack, such organizations are under pressure to both protect their data and continue to provide their services.

According to KnowBe4’s whitepaper, The Economic Impact of Cyber Attacks on Municipalities, municipalities paid an average of $125,697 in ransom from 2017 to 2020.

Another common cybersecurity issue for government entities is unauthorized disclosure, or breaches that result from the disclosure of information that shouldn’t be shared. This often comes down to human error. For instance, an employee might lose an unencrypted device or email information that’s supposed to be protected. However, with the right security precautions, policies and training in place, such risks can be greatly reduced. For instance, all devices should be encrypted, and employees should understand policies around transporting and connecting their devices.

No matter how prepared you are, there is always a risk of a cybersecurity incident. Be prepared with our comprehensive guide to cybersecurity, common risks, planning for incidents and strategizing to respond.


Challenges Governments Face in Building Strong Cybersecurity

One reason governmental organizations aren’t prioritizing government cybersecurity issues and challenges is that they aren’t held to many direct federal or national compliance requirements. This compounds on the fact that, typically, it’s difficult for leadership to prioritize and understand their own private cybersecurity efforts and the hacking risks they face.

Cybersecurity is Not a Priority for Leadership

Forty-eight percent of top elected councilors and/or commissioners share that they don’t know the extent of the need for cybersecurity measures in the community.

This isn’t to say that leadership doesn’t care, it’s simply that they’re not entirely educated on the matter. Their expertise is in running schools and government agencies, rather than cybersecurity. However, cybersecurity is a large risk, and targeted risk management is an important part of running any type of operation.

Culture is a Barrier to Change

In the same vein as issues with leadership, culture at government entities can make it difficult to push through any change. New initiatives must pass through a series of discussions and approvals, and it’s hard to create social change in a long-standing organization that has been operating one way for a long time. Plus, there are often multiple organizations within the one government entity that would have to adopt the new practice, which makes gaining acceptance and buy-in even more complex.

Employees Don’t Have Adequate Training

Another major reason these organizations have fallen behind and are vulnerable is a lack of training, education and awareness. Such working measures can do wonders to secure your infrastructure, as individuals will know what to look for in terms of malware and email phishing, and they’ll better understand how to avoid and prevent unauthorized disclosure.

Funding is Either Unavailable or Allocated Elsewhere

For many government entities, funding is a significant barrier to implementing mature cybersecurity measures. This is particularly true for K-12 school districts, which don’t necessarily have the funding to either prevent or respond to an incident.

For organizations that have the funds and don’t invest them in cybersecurity, it’s often the case that they see their IT department as a cost center that doesn’t get them returns. It’s difficult to see the value in the investment—until you’ve experienced an incident and learn the high cost of responding and recovering.

In fact, about 50% of states do not have a committed cybersecurity line-item budget, and over 30% of states have seen reduction in funding or no change at all.

Resources Are Difficult to Find and Keep

Getting the right people on board to help with government and cybersecurity is both expensive and difficult to do. It can also be difficult to keep both security talent and IT professionals. Thus, many government entities rely on third-party vendors for a portion of their IT needs, particularly cybersecurity. Third-party vendors don’t always have the right skillset to adequately meet those needs.

Organizations Aren't Prepared to Respond

Though governments tend to have more infrastructure and people than a small business would, they don’t use those resources to create a response plan that would help them in the event of an incident. They should be taking every opportunity to identify their risks and shore up their capabilities to reduce those risks. Even their third-party vendors might not understand the risks they face or know how to prepare them for it. So, when an incident does occur, they’re unprepared.

Impact of Cybersecurity Incidents and Breaches Today

As you can see, a common thread in the challenges government entities face is that people don’t understand the value of robust cybersecurity. They’re doing the math from the wrong angle. When it comes to risks like a ransomware attack, you must calculate what you’ll save by preventing an incident or by having a cost-reducing response plan in place.

Ransom Costs

Many government entities, such as K-12 school districts, find themselves in a position where they must pay the ransom demanded. They’re unprepared, they must protect sensitive data and they need their services back up and running. Schools have been seeing an increasing number of incidents and attacks.

The K-12 Cybersecurity Resource Center tracks incidents at K-12 schools and shows what type of incident each was, such as ransomware or unauthorized disclosure. According to their 2019 Year in Review, publicly-disclosed incidents nearly tripled from 2018 to 2019.

Recovery Costs

According to KnowBe4, recovering from a ransomware attack tends to be markedly more expensive than the cost of the ransom itself—by millions of dollars. For example, in a Georgia ransomware attack, the cybercriminals demanded $55,000, and Georgia refused to pay. Recovery was expected to cost up to $17 million.

Denial of Service Costs

In 2019, the State of Texas experienced a ransomware attack that impacted 22 municipalities, locking down their systems and putting them out of service. The cybercriminals demanded 2.5 million dollars. During the attack, services like processing utility payments and providing access to birth and death certificates were unavailable for certain municipalities.

Reputational Costs

When an organization is breached, it’s difficult to quantify the damage to their reputation and the level of trust they’ve lost in their communities. Citizens often have no choice in offering their personal information to such entities if they want to receive necessary services, and they expect that information will be safe and secure.

Next Steps for Government Entities

For government entities to execute a successful cybersecurity plan, leadership must be invested. They need to see this as more than an IT problem. It’s managing a risk that could be detrimental to their organization. There must be a sense of ownership by city councils, city managers, boards of directors and governing bodies and executives. And they must work together with their IT department and relevant cybersecurity experts to develop a phased approach that will be accepted and executed within their organization.

Similarly, every relevant party must be educated and trained to follow cybersecurity best practices and policies. Awareness is the best defense against a cybersecurity incident. This training should include everyone from board members to interns.

For immediate protection, even as you’re developing policies and training, there are a few key actions you can take to protect your organization:

  • Lock down or limit administrative access.
  • Implement multi-factor authentication.
  • Ensure your backups are in place and are recoverable.
  • Implement an endpoint protection solution.

These actions will get quick results, protecting you while you put strategic processes and procedures in place. At Eide Bailly, when we work with government entities, we typically shore them up with these foundational practices and others to ensure an increased security posture.

Finally, when developing your cybersecurity plan, don’t neglect incident response. Being prepared is vital and will help you reduce risk should an incident occur. However, these are just initial steps. You want a robust cybersecurity plan with strategies for preventing, detecting and responding to the specific risks you face.

Measuring Your Risk

Our team of IT professionals has identified 12 questions to help gauge your current security risk areas and assess your overall IT health. Most importantly, the results will provide tips to help you make actionable improvements now.

From data backups to your administrative protocols and password protection processes, this IT quiz will give you some quick wins to take back to your organization. Know how your security stacks up while learning best practices for optimum network stability, disaster recovery, and IT health.

Expand Full Article

We're Here to Help

We are here to help
From business growth to compliance and digital optimization, Eide Bailly is here to help you thrive and embrace opportunity.
Speak to our specialists