60% of all small businesses hit by a cyber attack will go out of business within six months. Half of all local governments face cyber attacks daily. If that happens, the people who work there will lose their jobs, and the owners will lose money. The employees can find other jobs, and the owners can regroup and start another business.
However, when we talk about the impact on local governments, it’s quite different. A government cannot just close its doors and start again. Elected leaders may not be re-elected, and county employees may be laid off. However, the citizens of the county cannot find their services elsewhere. They cannot just find another fire department, sheriff’s office, courthouse, or jail. They cannot find a new library, park, emergency management agency, sewer company, health department, road maintenance, or public assistance.
The impact of a cyber attack on a local government affects everyone that government organization serves. An attack on a local government undermines confidence in local leaders, creates inconvenience, and can also put private citizens in danger.
We may wonder why a cyber attacker might want to do something appalling to hurt innocent victims. Without getting into the psychology of the criminal mind, this is exactly why they would attack a government organization. The impact is harmful, and the government will do whatever it takes to return services to its citizens. This is why a cyber attacker may hold your personal computer for ransom. It’s not that they care about your information. It’s that YOU care about your data and being able to continue to work, communicate, etc. Because it is of value to you, you will be willing to pay the ransom.
Added to this is the threat from nation-states such as Russia and China. Their motivation may not be monetary but disruption of society at the local level. We see that Russia is not afraid to attack private citizens!
Government organizations are a prime target for a cyber attack because they cannot simply “go out of business” and because they provide for society.
In addition to government organizations being a prime target, they are also unprepared.
One primary issue – besides organizations’ perception that “it won’t happen to us” – is budgeting. Government is not a ‘for-profit’ entity like a private business. Their funds come from taxpayers; they must use that money to provide services to their communities. Leaders want their constituents to see that their tax dollars are used for roads, emergency management, public safety, and other civil services.
Using public funds for things like cyber security, while it protects the operations and data critical to the community, is not something that can easily be celebrated in the next election cycle. However, a successful cyber attack will be used by an opponent in the next election to demonstrate that the incumbent is not protecting the community.
The combination of the government being a prime target of cyber criminals and leaders being hesitant to spend public funds on cyber security (i.e., are not adequately defending their systems) leads to the perfect storm.
In a University of Maryland study of over 90,000 local government entities, one-third of local governments would not even know if they were under a cyber attack. They don’t have the tools. However, of those with the technology to see if they are under attack, one-third reported being attacked hourly, and half were attacked daily. So what does that say for those who don’t have the technology? Their systems are the wild wild west!
In addition to the technology they lack, most governments either have IT policies and procedures that are not up to industry standards or have no formal procedures.
In addition to technology and policies/procedures, the third leg of the cyber security stool is security awareness and training of employee. This is critical in making all users of the IT system part of the security team since one click on a malicious link can inadvertently invite a bad actor into your network.
If local governments implement basic cyber hygiene and technical tools, update policies and procedures, and train their employees, they can greatly reduce their risk of a successful attack. Studies indicate that organizations implementing a layered cyber security solution can decrease their threat by 90%. That sounds like a pretty good return on your investment.
At Commonwealth Sentinel, we can evaluate your existing IT security and work with your team to improve it. We can also provide a complete array of cyber security services. At Commonwealth Sentinel, we stay focused on cyber security so you can focus on other things. Contact us today or sign up for a free consultation.