A July 2024 Center for Digital Government* (CDG) survey of 141 local government leaders underscores the security challenges of local agencies. Nearly two-thirds of respondents cited rapidly evolving threats as their top security issue. The survey’s results also point to a critical three-pronged strategy for strengthening security in local governments: identify your greatest challenges, set investment priorities and join forces with statewide cyber defense efforts.
1. IDENTIFY YOUR TOP CYBERSECURITY CHALLENGES
Cyber criminals do not spare smaller cities, counties or other local jurisdictions. Attacks on water systems in Texas¹ and Kansas² in 2024, for instance, forced officials to put operations in manual mode while security leaders investigated. Hackers linked to Russia were among the suspected culprits. The water kept flowing, but the implication was clear: No jurisdiction is safe, so cyber preparation is essential for all.
“You can’t afford to not do anything,” says Maria Thompson, executive government adviser with Amazon Web Services (AWS).³ Your agency should do the following to prepare:
- Face the risks. The volume of cyber attacks increases every year. Breakout speed, which tracks how long intruders take to infiltrate a system after a breach, is rapidly accelerating. Half a decade ago, average breakout speed was just under 10 hours, according to Matt Singleton, executive strategist with CrowdStrike, a leading provider of intrusion detection and response solutions. By 2023, that had shortened to 62 minutes.⁴ “The fastest time we’ve seen is 127 seconds,” Singleton says.
- Automate. Use automation and AI-driven technologies to streamline your security operations to detect and respond to threats faster.
- Ready your tools. Assess your risk landscape and inventory your cyber defense software arsenal. This can help agencies identify effective cybersecurity software tools they aren’t using. Moreover, tools can often be consolidated.
- Expect more ransomware. Cyber extortion threats aren’t going away. Most successful breaches result from credentials harvested by phishing and other tactics. Make sure you have tools to address identity protection, disaster recovery, device monitoring and detection/response.
- Rapidly evolving threats – 62 percent
- Limited budget/resources – 53 percent
- Outdated technology/systems – 45 percent
- Insufficient cybersecurity staff/training – 38 percent
- Vendor/cloud security concerns – 24 percent
2. SET INVESTMENT PRIORITIES
Every government must assess its knowledge, skills and tools to achieve system-specific security goals. The following tips will help you make the right investments:
- Strengthen culture. While people often pose the most common vulnerabilities, they can also be the strongest defenders — if your agency supports a security culture. “Let’s build cybersecurity into the mindset of every person in the organization,” Singleton says. If you’re short-staffed, take advantage of managed security services.
- Train your people. Make sure all employees have a grounding in cyber fundamentals. Online courses can help staff learn at their convenience. Emphasize training when you acquire new security tools — they’re not much use if your staff doesn’t know how to leverage them.
- Strike a balance. IT leaders must address human, technical and process issues to avoid overemphasizing one area and creating problems somewhere else. Take time, for instance, to ensure every new tool is properly implemented. “If it’s not configured correctly, it’s just another risk to your environment,” Thompson says.
- Get funding. Apply for cyber grants while they’re still available. Thompson notes that millions of dollars are in the federal cybersecurity grants pipeline for state and local governments.
- Employee training and awareness – 60 percent
- Advanced threat detection and prevention – 53 percent
- Network security – 45 percent
- Identity protection and access management – 43 percent
- Incident response and recovery – 41 percent
3. EMBRACE WHOLE-OF-STATE SECURITY
Whole-of-state security is a strategy that connects cities, towns and counties with the security resources of their respective state governments.⁵ This “all hands on deck” approach pools resources and enables smaller jurisdictions’ teams to explore options like partnering with cyber defense experts in their state’s National Guard. The CDG survey found that 22 percent of respondents didn’t know whether they were in a whole-of-state program. If you’re unsure of your whole-of-state status, contact your state’s chief information security officer and find out how to participate.
Action Items:
- Collaborate. Find partners in the private and public sectors that can help address cyber threats. Agencies seeking cybersecurity grants stand a better chance of landing recurring funding if they can demonstrate they’re collaborating at an ecosystem level to reduce security risks.
- Do your homework. Track down statewide cyber defense initiatives and explore how you can participate.
- Start right away. There’s no time to lose in this environment. To get moving on whole-of-state protection, smaller jurisdictions may have to overcome their anxieties about state agencies having access to their network environment, Thompson says.
- Conducting internal assessments and evaluations – 46 percent
- Engaging in discussions with state cybersecurity authorities – 39 percent
- Participating in state-level cybersecurity training and awareness – 38 percent
- Integrating state cybersecurity policies and standards – 30 percent
- Applying for state funding or resources for cybersecurity initiatives – 29 percent
REFERENCES AND SOURCES
- Texas Cyber Attack Incident (April 2024)
- Kansas Water Plant Cyber Event (2024)
- AWS Government Resilience Webinar
- CrowdStrike Threat Hunting Report
- Whole-of-State Cybersecurity Initiatives
*The Center for Digital Government is part of e.Republic, Government Technology's parent company.
