By: Randy Griffith, Senior Security Consultant, Strategy and Risk
How to Protect Networks Amid an Epidemic
Many industries are dealing with an increase in cyber attacks. Earlier this year, one of my colleagues discussed a recent string of cyber attacks against credit unions. Hackers are also targeting local government agencies.
The scale and severity of these attacks underscore the pressing need for fortified cybersecurity measures at all levels of government. In this blog post, we’ll first dive into the circumstances surrounding these attacks and analyze their commonalities. We will then outline proactive strategies that local governments can take to prevent such incidents in the future.
Commonalities Among the Attacks
2023’s cyber attack epidemic has highlighted vulnerabilities in local government cybersecurity infrastructure. In August, Sophos produced its report about the impact of ransomware on state and local governments. The survey found that 38% of the root causes were exploited vulnerabilities and 30% were from compromised credentials. Attackers used email-based campaigns, like phishing and malicious emails, to launch 25% of their attacks.
These entities, which are responsible for delivering crucial public services, found themselves ill-prepared against the evolving tactics of cyber criminals. Malicious actors exploited vulnerabilities and launched ransomware attacks that involved encrypting sensitive data and demanding payment for its release. These actions paralyzed essential government functions, from public safety to financial operations.
As we examined the incidents against local government agencies, we recognized certain patterns and weaknesses that cyber criminals exploited.
1. Outdated Systems and Software
Many affected local governments used outdated operating systems, software, and hardware. Legacy systems are more susceptible to exploitation and compromise, as they are no longer receiving security updates and patches for identified vulnerabilities.
2. Lack of Employee Training
Human error is a significant factor in cybersecurity breaches. Many of the compromised local governments didn’t have a comprehensive employee cybersecurity training program to educate staff about the latest threats, how to recognize and avoid phishing, the importance of secure practices, and the necessity of following established controls and cybersecurity-related policies.
3. Inadequate Backup Protocols
Insufficient data backup practices left these local governments with limited options when faced with cybersecurity or ransomware attacks. Without well-maintained, up-to-date backups that are not accessible to bad actors, recovering compromised systems becomes a complex and often costly — or even impossible — endeavor.
4. Limited Cybersecurity Budgets
Some local government agencies operate under tight budgets. Decision-making officials may lack the knowledge or understanding of the importance and criticality of developing a cybersecurity infrastructure, hiring IT personnel experienced in cybersecurity, and providing appropriate security-based training for IT employees as well as other staff entity-wide.
Proactive Strategies to Prevent Future Attacks
Local officials should take a multifaceted approach to fortify their agency’s cybersecurity posture and mitigate future attacks.
1. Perform Regular System Updates and Patching
Regular updates and patching help address known vulnerabilities, making it difficult for cyber criminals to exploit weaknesses. Microsoft established “Patch Tuesday” on the second Tuesday of the month at 10 am PT as the day and time it releases patches for Microsoft products. Adobe and Oracle also participate in Patch Tuesday.
Organizations and individuals should establish a regular cadence, such as checking every Tuesday, or at least the second Tuesday of each month, for patches for all software on their systems so they know they are running the most up-to-date versions with all security fixes.
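To turn that cadence into something a script can check, here is an added example (not from the original post) that computes each month's Patch Tuesday, converts the 10 am Pacific release time to UTC, and lists the release days an agency has missed since its last patch run. It assumes the US daylight-saving rule in force since 2007 (second Sunday in March to first Sunday in November); the function names are the example's own.

```python
from datetime import date, datetime, timedelta, timezone

# Added example, not code from the original post. Assumes the US DST rule
# in force since 2007 (second Sunday in March to first Sunday in November).

def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Return the n-th given weekday (Mon=0 ... Sun=6) of a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's regular release day."""
    return nth_weekday(year, month, 1, 2)

def pacific_offset(d: date) -> timezone:
    """UTC offset for Pacific Time on a date (PDT = -7, PST = -8)."""
    dst_start = nth_weekday(d.year, 3, 6, 2)   # second Sunday in March
    dst_end = nth_weekday(d.year, 11, 6, 1)    # first Sunday in November
    hours = -7 if dst_start <= d < dst_end else -8
    return timezone(timedelta(hours=hours))

def release_time_utc(year: int, month: int) -> datetime:
    """10:00 Pacific on Patch Tuesday, expressed in UTC."""
    d = patch_tuesday(year, month)
    local = datetime(d.year, d.month, d.day, 10, 0, tzinfo=pacific_offset(d))
    return local.astimezone(timezone.utc)

def missed_patch_tuesdays(last_patched: date, today: date) -> list[date]:
    """Patch Tuesdays that fell after the last patch run and on/before today."""
    missed = []
    y, m = last_patched.year, last_patched.month
    while (y, m) <= (today.year, today.month):
        pt = patch_tuesday(y, m)
        if last_patched < pt <= today:
            missed.append(pt)
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return missed

if __name__ == "__main__":
    # Constructed sample: a system last patched on 2023-09-20, checked on 2024-01-15.
    for month in range(1, 13):
        print(release_time_utc(2024, month).isoformat())
    print(missed_patch_tuesdays(date(2023, 9, 20), date(2024, 1, 15)))
```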
2. Institute a Comprehensive Employee-Training Program
Invest in ongoing cybersecurity training for employees that covers phishing awareness, secure password practices, and general cyber hygiene to reduce the likelihood of inadvertent security breaches. The Cybersecurity & Infrastructure Security Agency, also known as CISA, offers free resources, while other popular programs include KnowBe4, Phished, and TitanHQ.
3. Implement Robust Backup and Recovery Plans
Establish and regularly test comprehensive backup and recovery plans. Data backups should be stored securely and routinely updated to ensure a quick and effective response in the event of a ransomware attack.
4. Appropriately Increase Cybersecurity Budgets
Local government agencies need to allocate appropriate resources to cybersecurity. It is crucial to undergo a risk assessment to identify where deficiencies exist; this can pinpoint where to spend your budget funds. Do you have current, up-to-date equipment? Do you have IT personnel with the appropriate education and experience? Cybersecurity budgets typically range from 7% to 20% of the IT budget, and an IT budget is commonly 4% to 6% of revenue as a guideline. If your government agency lacks funds, CISA has a state and local cybersecurity grant program that it can apply for.
5. Implement Collaboration and Information Sharing
Establishing collaborative networks for information sharing among local governments is essential to enable the rapid dissemination of threat intelligence and best practices, allowing entities to learn from each other’s experiences and bolster collective defenses. Joining the Multi-State Information Sharing and Analysis Center (MS-ISAC) is an excellent start for local governments with limited budgets. CISA offers tools and resources, such as the Cyber Resource Hub and Cyber Security Evaluation Tool (CSET), that are designed for state, local, tribal, and territorial governments.
6. Set Up Multi-Factor Authentication (MFA)
MFA, also called two-step or two-factor authentication, adds an extra layer of security by requiring users to provide multiple forms of identification before accessing systems. MFA can significantly reduce the risk of unauthorized access, a common precursor to ransomware attacks. Local governments should set up MFA security settings on accounts that staff use the most, such as email. Popular MFA methods include text or voice messages or application-based MFA. CISA offers more information about how to set up MFA for local governments unsure where to start.
7. Review User Access Roles
Local administrators should review the permissions associated with each role and verify that each user can access only the applications and files that user needs. Excess permissions can lead to dangerous actions in applications and give bad actors greater access when they compromise a system using a user’s credentials.
8. Malicious Program Detection and Firewalls
Local governments should have a well-rated firewall in place, with the firewall rules reviewed regularly and unused rules removed. Malicious program detection (formerly known as Anti-Virus) should be installed on all endpoints and ingress/egress points. This helps secure the local government agency against emerging threats. It should be configured to update and scan the system regularly.
9. Have a Documented Incident Response Plan in Place
Any entity that is under the threat of a cyber breach, be it ransomware, a hacking event, or other type of attack, should have a properly documented and tested incident response plan that is customized for its environment. It should describe the Incident Response Team’s roles and responsibilities and the procedures for addressing each type of incident the organization anticipates it could be exposed to.
10. Engage with Cybersecurity Experts
Though local government budgets are tight, officials can stretch their funds and supplement their resources by partnering with cybersecurity experts to conduct regular risk assessments of their environment and vulnerability scans and/or penetration testing of their infrastructure. These experts can identify risks, vulnerabilities, and threats as well as recommend tailored security solutions to mitigate them effectively. Taking these actions prevents the much more expensive and damaging cyber event that can drain governmental coffers and cause the potential loss of public confidence and trust.
In March 2022, the FBI published a document with similar information that encourages entities not to pay the ransom. CISA has published a guide to help entities prevent ransomware; it is a free resource for organizations that don’t have much of a budget.
The cybersecurity epidemic that exploited local governments in 2023 shows no signs of slowing in 2024 or in future years. As the digital landscape continues to evolve, so do cyber criminals’ tactics. To avoid falling victim to increasingly sophisticated attacks, local governments must proactively address vulnerabilities through a combination of technological tools, employee education, and collaboration within the cybersecurity community.
By learning from the commonalities among the 2023 attacks that befell other local government systems of similar size and scope and implementing preventive measures, government officials can better safeguard their systems and protect essential public services.
The path to resilience involves a commitment to ongoing cybersecurity investment, a culture of awareness, and a collective effort to stay one step ahead of the ever-evolving threat landscape.