CEO and board member at Optiv, a cyber advisory and solutions leader.
The world is changing and our government must change with it. From military readiness across the land, air, sea and space to safeguarding our digital world, nothing should stand in the way of making our government more secure.
The White House has gotten more prescriptive around cybersecurity over the past year at the federal level, releasing the National Cybersecurity Strategy and the SEC’s cybersecurity disclosure rules to name a few, but more needs to be done at the state and local levels.
Case in point: In April, a phishing attack targeting New York City employees forced a city payroll website offline. Unfortunately, cyber incidents such as this one are becoming the norm rather than the exception for state and local governments. For example, since the beginning of the year alone, we’ve seen attacks on local governments in Colorado, Pennsylvania, Missouri, Florida, Texas and Georgia, among others.
The volume of attacks targeting these entities has steadily grown over the past few years. According to a 2023 Sophos study, 69% of state and local government organizations reported that they were hit by ransomware, up from 58% in 2022.
State and local municipalities are a prime target for threat actors of all kinds—from nation-states to small-time organized crime groups. This is because—like some enterprises—they are target-rich environments with under-resourced IT security teams who are struggling to keep pace with the acceleration and sophistication of cyberattacks.
We’re seeing the repercussions of this play out in the real world, not only with consistently high levels of attacks but also with increasing success rates. The same study found that approximately 76% of all state and local municipalities hit by a ransomware attack reported having their data encrypted. In addition, almost half of these victims (48%) reported that their encrypted data was also stolen—the highest rate across all industries.
For those state and local government organizations trying to get the right resources in place to combat rising cyber threats, pushing security budget and infrastructure change through approval cycles can be a time-consuming process, only complicating matters more. Most must wait until the next budget cycle to get what they need now.
In a world where threat actors are evolving their tactics daily, this timeline just doesn’t work. By the time the budget is approved and the new solution is implemented, it will be ineffective because hackers will have moved on to something new—and the vicious cycle starts all over again.
Applying Enterprise Risk Strategies
Despite the grim threat landscape, the good news is that government entities do not need to start from the ground up when developing a security strategy that will be effective against cyber threats. Many of the foundational elements used by public enterprises can also be applied when securing public organizations. Some can even be implemented with minimal to no cost, so action can be taken immediately. Here are a few enterprise risk best practices that all organizations should consider:
• Master the security basics. This includes implementing foundational security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities, as well as protection against compromised credentials. This latter point is especially important with innovations such as generative AI causing phishing and other social engineering attacks to skyrocket.
• Layer on adaptive technologies. These tools can respond automatically to attacks, disrupting threat actors’ movement and buying defenders time to respond.
• Prioritize 24/7 threat detection, investigation and response. It’s no longer a matter of if an attack will happen, but when, and in this reality, being able to detect and respond to a threat quickly is the best-case scenario to limit the damage that cybercriminals can inflict. Detection, investigation and response capabilities can be delivered in-house or in partnership with a specialist, such as a managed detection and response (MDR) service provider. Speed is key.
• Develop and practice an incident response (IR) plan. Organizations must develop a living IR plan, regularly review security tool configurations and be able to quickly and easily adapt each based on evolving threats and changing business needs. It’s also important to practice IR plans regularly, so response is second nature should a real incident occur.
• Implement ongoing awareness, education and training programs. Employees are any organization’s first line of defense against cyberattacks, but they will be ineffective if they aren’t aware of the risks or don’t know how to respond if they suspect a threat. Implementing short, interesting and frequent awareness, education and training programs is the best way to ensure employees understand—and get excited about—their role in security and remain confident in their incident response actions.
Recent high-profile cyberattacks have provided clear examples of the severe consequences a security breach can have on businesses. These incidents can lead to significant financial losses, damage to reputation, operational disruptions and the erosion of customer trust. But the stakes are even higher for government entities.
Whether you’re in the public or private sector, now is the time to build a strong cybersecurity and enterprise-resilient framework that keeps your organization and people safe and the nation’s economy working.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
