It seems like not a day goes by where we don't hear about a local government cyberattack. Indeed, from 911 call centers to public schools, cyberattacks on local governments are as common as they are devastating.
Just how often do threat actors attack local governments? A survey of 14 mainly larger US local governments found that just over half of respondents said they suffer attacks constantly, more than a quarter said hourly, and 14.3% said daily.
Local governments continue to be a common cyberattack target for two big reasons. The first is that they handle troves of sensitive data, especially personally identifiable information (PII), and the second is that they operate on shoestring budgets with little to no cybersecurity staff or leadership buy-in.
Now, combine these two reasons with the sheer number of local governments in the United States–90,075 units–and you have a huge, vulnerable, and valuable target. Sounds like easy pickings for attackers, but it doesn't have to be.
With a few best practices, local governments can improve their cybersecurity posture and make it less likely that threat actors attack their systems. We'll break down five best practices for local government cybersecurity in this post.
Cybersecurity consultants and the professional literature agree: You should adopt cybersecurity policies such as the NIST Framework to help prevent and respond to attacks. And a key part of building out any cybersecurity policy for your local government is to develop an organizational understanding of risk to systems, people, data, and so on.
There are tons of free cybersecurity assessments for Federal, State, Local, Tribal and Territorial (SLTT) governments that you can take to get started. After performing the assessments, you can compare your results against the NIST criteria to identify gaps and deficiencies to improve.
The unfortunate reality is that an inability to pay competitive salaries, an insufficient number of staff, and a lack of funds are big barriers to local government cybersecurity. However, there are still plenty of important cybersecurity fundamentals that local governments should try to adopt to the fullest extent possible.
Take cyber insurance, for example. Cyber insurance can prevent local governments from having to pay huge out-of-pocket costs in the event that they're hit with a cyberattack. Baltimore learned this the hard way.
(An important caveat here is that cyber insurance is becoming increasingly expensive: check out our article on 4 ways to save money on cyber insurance.)
Cybersecurity best practices don't just help you stay safe–they can also make you eligible for grant funding. In particular, local governments looking to be eligible for the State and Local Cybersecurity Grant Program must include these best practices in their cybersecurity plan:
In addition, only 23% of local governments have adopted the .gov domain, meaning a majority of local governments are missing out on one of the simplest ways to strengthen their cybersecurity posture. Sponsored by CISA, the Cybersecurity and Infrastructure Security Agency, the .gov domain comes with several key security benefits:
To obtain a .gov domain or to learn more, check out some of the resources below.
Local governments may be resource-constrained, but the good news is that they don't have to face cybersecurity alone. State governments, together with Federal, university, and even nonprofit partners, can be strong allies to local government cybersecurity.
Federal partners: Local governments are encouraged to report cyber incidents to a federal entity so they can receive relevant asset response, threat response, and threat intelligence services. Partnering with your local fusion center is a good idea as well.
State partners: The level of state-local cybersecurity support will vary by state, but can include assessments, exercises, and consulting services. In Michigan's Cyber Partners Program, for example, local communities receive services from a CISO-level consultant.
University partners: Partnering with universities can help local governments get access to talent, technological insights, and even real-time network security monitoring.
Nonprofit partners: Local governments involved with the Multi-State Information Sharing & Analysis Center (MS-ISAC) get free resources for cyber threat prevention, protection, response, and recovery.
For local governments especially, a ransomware attack is a matter of 'when' and not 'if'. However, they might not have the budget or staff to implement and use anti-ransomware solutions such as Endpoint Detection and Response (EDR).
Fortunately, you don't need any fancy technology to start building a solid ransomware response and recovery plan. NIST recommends that organizations follow these steps to accelerate their recovery, among others:
Develop an incident recovery plan: Establish a plan that has a Cyber Incident Response Team (CIRT) with clearly identified roles, responsibilities, and contacts ahead of time, then regularly exercise that plan.
Data backup and restoration strategy: Backups are a prime target for attackers, so keep multiple copies of your data, and make sure at least one of them is online.
Know who you're going to contact: Maintain an up-to-date list of internal and external stakeholders to contact in the event of an attack, which may include senior management, PR, your legal team, insurance providers, vendors, and law enforcement.
In our Ransomware Emergency Kit, you’ll find more resources your local government needs to understand threats, prevent attacks, and defend against cybercriminals.
Though CISOs might be wary about having their data handled by an outside organization, many local governments rely on vendors and managed service providers (MSPs) to provide some or all of their cybersecurity operations.
A 2020 survey of 165 municipalities found 50.9% outsourced some of their cybersecurity functions, with almost 60% citing "Lack of local skilled professionals" as a reason for outsourcing. Some of the functions commonly outsourced are:
All cybersecurity needs
24/7 monitoring of Intrusion Prevention System (IPS)
Network monitoring
"By working with a trusted partner or service provider, local governments can fast track to get their security stack up to par," said David Pier, Team Lead, Corporate Solutions Engineering at Malwarebytes. "Many frameworks and security plans can take upwards of multiple years to successfully implement and audit for certification. If they can pass this work along to their partners, it circumvents the need for them to commit to a lengthy process in addition to the complexity of implementation."
Read "Risk Considerations for Managed Service Provider Customers" from CISA for more information for local governments choosing an MSP.
A lack of funding and staff makes local government cybersecurity tough, period.
However, if every local government implemented these five best cybersecurity practices today, they could dramatically lessen the likelihood and fallout of an attack–and increase eligibility for the State and Local Cybersecurity Grant Program while they’re at it.
Malwarebytes has ample experience providing local governments and public schools with effective, intuitive, and inclusive cyberprotection. Read the case studies below to learn more:
Check out our government case studies and education pages for more information.