Mitigating cybersecurity risks: Is your municipality doing enough?
The COVID-19 pandemic blurred the lines between administration and governance for many organizations. As office shutdowns and 'stay at home' orders stretched from days to weeks, and then months, government leaders were pressed to find new ways to stay connected and informed. Many local governments were forced to rapidly adapt to remote work and virtual council proceedings. In the urgency to adapt to a virtual world, local boards and councils discovered efficiencies that enabled them to be better stewards of the communities they serve and to improve their effectiveness overall. Unfortunately, many cities also discovered information security gaps that exposed them to unnecessary risk. These risks have not dissipated, but rather have escalated as hackers have learned of the vulnerabilities.
The Risk of Unsecured Systems
Effective boards and councils recognize the risks associated with unsecured document transmission and communication. Non-compliance and the premature (or illegal) disclosure of sensitive information can lead to discontent, speculation and public mistrust. Despite those concerns, local officials and administrators regularly rely on email to either communicate or prepare and transmit meeting materials, inviting unnecessary levels of risk. Elected board members are possibly not even aware of the risks or their personal liability.
Local governments are invested in maintaining security because of the high level of sensitive information they store and the number of systems they use to share data with state and federal government programs. Often operating on a shoestring budget, local governments rarely have dedicated cybersecurity experts; they rely on their IT team to ensure security. Compounding the issue, IT frequently does not have the investment it requires, so holes in their security leave local governments vulnerable. These attacks can range from viruses to hackers to phishing.
Ransomware Attacks on Municipalities on the Rise
One of the most prevalent risks continues to be ransomware attacks. A ransomware attack can shut down servers, expose data, paralyze 911 centers and interfere with traffic management systems. With their limited resources and aging infrastructures, many cash-strapped municipalities are ripe for attack and the threat of ransomware attacks on cities, towns, and other public entities has significantly. According to Security Week, of 105 known ransomware incidents involving state or municipal governments or agencies in 2022, at least 27 also resulted in a data breach.
A major ransomware incident involving a government organization was in Miller County, AK, where malware spread from a compromised mainframe to systems in 55 different counties. Data was stolen from all of them.
While industry experts discourage paying ransoms for fear of encouraging this type of attack, many cities are left with no option but to pay the ransom to get back up and running. What once was thought to be a big city problem is leaving every local government vulnerable, and it is on the rise.
These attacks often begin with an email with links or attachments that seem benign but give the hacker access to that single system followed by the network. The shift to remote work brought on by the pandemic resulted in more local government officials routinely working from home without access to IT and security patches and updates. Yet local governments are invested in maintaining security due to the high level of sensitive information they store and the number of systems they use to share data with state and federal government programs.
How Can Municipalities Mitigate Cybersecurity Risks?
Cities need to adopt a digital security mindset, with contingency and disaster plans in place. Working closely with other entities, such as utility companies, can help minimize threats. For example, utility grids that are interconnected can quickly cause cascading problems if they are hacked.
Actions local governments can take to protect themselves:
- Municipalities need to develop a plan for cybersecurity. If they already have one, it should be reviewed annually. By now, city administrators are becoming aware that they are a target, but this needs to be discussed with council members.
- Everyone that is involved in agenda creation, delivery or use needs to be updated with training on procedures and protocols that reduce the organization's overall risk.
- When possible, it's best to have dedicated hardware that official business can be conducted from. A tablet or laptop that can be updated and fully patched with all security updates easily is a necessity. Only approved applications should be opened with devices belonging to the city.
- Any device with data or applications should have the functionality to be remotely wiped in case of a threat.
- Use a secure, password-protected portal to prepare and host agenda materials and transmit council documents.
Using governance technology helps boards prevent, mitigate, and respond to cybersecurity threats. Governance technology brings in a sound cybersecurity framework that provides:
- Controls to limit third-party access
- User-based permissions to protect sensitive information
- Robust data encryption to secure board communication
- Features that allow new board members to get up to speed quickly on cybersecurity policies
As one of the most highly targeted groups for hackers and cyberattacks, local governments should have an effective security breach response plan in place that accounts for system dependencies and offers alternate channels of operation. Learning how to properly approach securing local government data storage and ensuring safe meeting accessibility for all citizens is also key to the long-term success of any municipality.
Download our Security Breach Response Kit to ensure your local government can mitigate cyber risks, minimize damages and maintain public trust, all by putting the proper measurements in place beforehand.