Why is IT security so important for municipal governments

By Sandy Reeser
VC3 Chief Executive Officer

Be it at the federal, state or local level, all governments are in possession of valuable data. Their data assets range from citizen data such as social security and credit card numbers, to confidential or classified information. Due to the type of data collected, it’s not surprising that governments are often the target of cyberattacks.

Common cyber threats to municipal governments
Arguably, municipal governments are the government closest to the public, delivering a range of services critical to residents. So not only are municipal governments in control of data that may be the targets of cyberattacks; getting affected by a virus could result in key municipal services shutting down.
The National Association of State Chief Information Officers (NASCIO) lists the following as the leading cyber threats faced by local governments in the United States.

Malware is malicious code designed to cause damage to a computer, electronic device, server or network. Malware can include viruses, ransomware, spyware and adware.
For most kinds of malware to have an impact, they must first be delivered to and installed on the host platform.

Phishing is a common method of delivering malware. It manifests in different ways but ultimately attempts to trick the end-user into unwittingly installing malware onto their devices.
This is often done by delivering fake web pages purporting as a familiar service, such as a financial institution, to the end-user. These fake pages could be delivered through pop-up ads, emails, messages and social media sharing. They can also be delivered through prior malware loaded onto the end-user’s device.

Spear Phishing
In spear phishing, cyber attackers attempt to steal sensitive data from a specific victim. For example, a cyber attacker could craft an email masquerading as a message from a coworker, friend or service provider of the end-user, thus tricking the end-user into giving information they otherwise wouldn’t.
According to NASCIO, municipalities view email and web pages as the most worrisome methods for delivering malware.

Lost or stolen devices
While lost or stolen devices are a problem, the problem is made worse by inadequate security measures and an organization’s overly flexible access control policies.
These problems could be overcome by putting organizational policies in place requiring complex pins for access to devices and restricting access to certain sensitive apps or data on mobile devices. In addition, policies and processes should be in place enabling lost or stolen devices to be wiped remotely of all data or removing access from a lost device to an organization’s apps and data.

Distributed denial of service
Denial-of-service (DoS) attacks aim to make a website or web-based service such as an online payment portal for utility services unavailable to end-users by overloading the website with too much traffic. In other words, DoS attacks aim to crowd-out legitimate traffic.
Distributed DoS (i.e. DDoS) attacks aim for the same goal, but by leveraging multiple web-traffic sources. Not only are DDoS attacks more difficult to trace, but they’re also more difficult to stop because of the multiple attack vectors being used against the target.

How are municipal governments faring against cyber attacks?
According to Accenture, “the majority of government executives are confident” in their existing cybersecurity strategies for protecting client data and privacy, employee data and privacy and confidential organizational information.”
However, the same report, published in 2017, outlines that substantially fewer government executives are confident about their organizations’ ability to “monitor, identify and measure breaches,” with only a third of them being confident. But this isn’t to say that local governments aren’t making an effort.
A study of 411 municipalities published by the International City/County Management Association (ICMA) in 2017 reports that only 7.4 percent of local governments do not conduct regular cyber security scans and penetration tests of their IT systems, while nearly 40 percent are engaged in monthly tests.

Cybersecurity scanning and tests in local government IT systems
(Data Source: ICMA)
Likewise, nearly 60 percent of the surveyed local governments stated that they had increased their technology spending for cybersecurity since 2011, with 23.1 percent stating that their investment has “increased greatly.” Thus, concrete steps are taken.
However, the lack of capacity for monitoring IT systems and, in turn, preventing breaches is a concerning issue. According to Microsoft, it takes organizations as many as 200 days to detect a breach. In that period of uncertainty, cyber attackers could have expanded their illicit access and, potentially, stolen data assets.
Despite the difficulties involved in strengthening municipal cyber security systems, Accenture noted that 40 percent of state and local government respondents made cybersecurity their “top priority” for their respective organizations.
Moreover, an Accenture study of 3,500 U.S. citizens found that 30 percent of respondents had been victims of cyber crime. In other words, the public understands the importance of municipal governmental cyber security efforts.
According to this study, 74 percent of respondents “lack confidence in government’s ability to keep their data private and secure” and that 66 percent of them are “willing to sacrifice convenience for increased data security.” These inconveniences may be having to answer additional questions or the use of biometrics.
Thus, cybersecurity adoption at the municipal level is a matter of time, investment and access to the right technology and expertise to ensure key municipal services continue to be delivered effectively and on time.