It seems like not a day goes by where we don’t hear about a local government cyberattack. Indeed, from 911 call centers to public schools, cyberattacks on local governments are as common as they are devastating.
Just how often do threat actors attack local governments? A survey of 14 mainly larger US local governments found that just over half of respondents said they suffer attacks constantly, more than a quarter said hourly, and 14.3% said daily.
Local governments continue to be a common cyberattack target for two big reasons. The first is that they handle troves of sensitive data, especially personally identifiable information (PII), and the second is that they operate on shoestring budgets with little to no cybersecurity staff or leadership buy-in.
Now, factor in these two reasons with the sheer number of local governments out there in the United States—90,075 units—and you have a huge, vulnerable, and valuable target. Sounds like easy pickings for attackers, but it doesn’t have to be.
With a few best practices, local governments can improve their cybersecurity posture and make it less likely that threat actors attack their systems. We’ll break down five best practices for local government cybersecurity in this post.
Table of Contents
1. Take cybersecurity assessments to find and address weaknesses
Cybersecurity consultants and the professional literature agree: You should adopt cybersecurity policies such as the NIST Framework to help prevent and respond to attacks. And a key part of building out any cybersecurity policy for your local government is to develop an organizational understanding of risk to systems, people, data, and so on.
There are tons of free cybersecurity assessments for Federal, State, Local, Tribal and Territorial (SLTT) governments that you can take to get started. After performing the assessments, you can compare your results to the criteria of NIST to identify gaps, as well as deficiencies to be improved.
- Cyber Infrastructure Survey (CIS): A free assessment of essential cybersecurity practices in-place for critical services. Also conducted by the DHS.
- Cyber Resilience Review (CRR): The CRR assessment evaluates your organization’s operational resilience and cybersecurity practices. Conducted free of charge by the US Department of Homeland Security (DHS)
- Phishing Campaign Assessment (PCA): Evaluates an organization’s susceptibility and reaction to phishing emails. Conducted free of charge by the National Cybersecurity Assessments and Technical Services (NCATS) team.
- Cybersecurity Evaluation Tool (CSET®): A stand-alone desktop application that guides asset owners evaluate their cybersecurity posture against recognized standards. Also delivered free of charge by the NCATS team.
- Risk and Vulnerability Assessment (RVA) One-on-one engagement to give organizations an actionable risk analysis report containing remediation recommendations prioritized by severity and risk.
2. Adopt the fundamentals
The unfortunate reality is that an inability to pay competitive salaries, insufficient number of staff, and lack of funds are big barriers to local government cybersecurity. However, there’s still plenty of important cybersecurity fundamentals that local governments should try to adopt to the fullest extent possible.
Take cyber insurance, for example. Cyber insurance can prevent local governments from having to pay huge out of pocket costs in the event that they’re hit with a cyberattack. Baltimore learned this the hard way.
(An important caveat here is that cyber insurance is becoming increasingly expensive: check out our article on 4 ways to save money on cyber insurance).
Cybersecurity best practices don’t just help you stay safe—they can also make you eligible for grant funding. In particular, local governments looking to be eligible for the State and Local Cybersecurity Grant Program must include these best practices in their cybersecurity plan:
- Multi-factor authentication (MFA)
- Enhanced logging
- Data encryption for data at rest and in transit
- End use of unsupported/end of life software and hardware that are accessible from the Internet
- Prohibit use of known/fixed/default passwords and credentials
In addition, only 23% of local governments have adopted the .gov domain, meaning a majority of local governments are missing out on one of the simplest ways to strengthen their cybersecurity posture. Sponsored by CISA, the Cybersecurity and Infrastructure Security Agency, the .gov domain comes with several key security benefits:
- MFA is enforced on all accounts in the .gov registrar, and user accounts cannot use passwords that have been found in known data breaches.
- It ‘preloads’ all new domains, which lets web browsers know to always use HTTPS to connect with any website on that domain.
- CISA, GSA, and the National Institute of Standards and Technology (NIST) help monitor for issues in the namespace
To obtain a .gov domain or to learn more, check out some of the resources below.
3. Partner up!
Local governments may be resource-constrained, but the good news is that they don’t have to face cybersecurity alone. State governments, together with Federal, university, and even nonprofit partners, can be strong allies to local government cybersecurity.
Federal partners: Local governments are encouraged to report cyber incidents to a federal entity so they can receive relevant asset response, threat response, and threat intelligence services. Partnering with your local fusion center is a good idea as well.
State partners: The level of state-local cybersecurity support will vary by state, but can include assessments, exercises, and consulting services. In Michigan’s Cyber Partners Program, for example, local communities receive services from a CISO-level consultant.
University partners: Partnering with universities can help local governments get access to talent, technological insights, even real-time network security monitoring.
Nonprofit partners: Local governments involved with the Multi-State Information Sharing & Analysis Center (MS-ISAC) get free resources for cyber threat prevention, protection, response, and recovery.
4. Build a playbook for ransomware response and recovery
For local governments especially, a ransomware attack is a matter of ‘when’ and not ‘if’. However, they might not have the budget or staff to implement and use anti-ransomware solutions such as Endpoint Detection and Response (EDR).
Fortunately, you don’t need any fancy technology to start building a solid ransomware response and recovery plan. NIST recommends that organizations follow these steps to accelerate their recovery, among others:
Develop an incident recovery plan: Establish a plan that has a Cyber Incident Response Team (CIRT) with clearly identified roles, responsibilities, and contacts ahead of time, then regularly exercise that plan.
Data backup and restoration strategy: Backups are a prime target for attackers, so keep multiple copies of your data, and make sure at least one of them is online.
Know who you’re going to contact: Maintain an up-to-date list of internal and external stakeholders to contact in the event of an attack, which may include senior management, PR, your legal team, insurance providers, vendors, and law enforcement.
In our Ransomware Emergency Kit, you’ll find more resources your local government needs to understand threats, prevent attacks, and defend against cybercriminals.
5. Consider outsourcing
Though CISOs might be wary about having their data handled by an outside organization, many local governments rely on vendors and managed service providers (MSPs) to provide some or all of their cybersecurity operations.
A 2020 survey of 165 municipalities found 50.9% outsourced some of their cybersecurity functions, with almost 60% citing “Lack of local skilled professionals” as a reason for outsourcing. Some of functions commonly outsourced are:
All cybersecurity needs
24/7 monitoring of Intrusion Prevention System (IPS)
“By working with a trusted partner or service provider, local governments can fast track to get their security stack up to par,” said David Pier, Team Lead, Corporate Solutions Engineering at Malwarebytes. “Many frameworks and security plans can take upwards of multiple years to successfully implement and audit for certification. If they can pass this work along to their partners, it circumvents the need for them to commit to a lengthy process in addition to the complexity of implementation.”
Read “Risk Considerations for Managed Service Provider Customers” from CISA for more information for local governments choosing an MSP.
Enhancing local government cybersecurity
A lack of funding and staff makes local government cybersecurity tough, period.
However, if every local government implemented these five best cybersecurity practices today, they could dramatically lessen the likelihood and fallout of an attack—and increase eligibility for the State and Local Cybersecurity Grant Program while they’re at it.
Malwarebytes EDR prevents, detects, and responds to ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and “zero-day” unknown threats so you can avoid local government disruption and financial loss.