60% of all small businesses that are hit by a cyber attack will go out of business within six months. If that happens, the people who work there will lose their jobs, and the owners will lose money. The employees can find other jobs, and the owners can regroup and start another business.
However, when we talk about the impact on local governments, it’s quite different. A government cannot just close its doors and start again. Elected leaders may not be re-elected, and county employees may be laid off. But the citizens of the county cannot just find their services elsewhere. They cannot just find another fire department, sheriff’s office, courthouse, or jail. They cannot find a new library, park, emergency management agency, sewer company, health department, road maintenance, or public assistance.
The impact of a cyber attack on a local government affects everyone whom that government organization serves. An attack on a local government undermines confidence in local leaders and creates inconvenience, and it can also put private citizens in danger.
We may wonder why a cyber attacker would want to do something so appalling that it hurts innocent victims. Without getting into the psychology of the criminal mind, the harm is exactly why they would attack a government organization: the impact is harmful, and the government will do whatever it takes to return services to its citizens. It is the same reason a cyber attacker may hold your personal computer for ransom. It’s not that they care about your information. It’s that YOU care about your information and being able to continue to work, communicate, etc. Because it is of value to you, you will be willing to pay the ransom.
Added to this is the threat from nation-states such as Russia and China. Their motivation may be not money but the disruption of society at the local level. We clearly see that Russia is not afraid to attack private citizens!
Because they cannot simply “go out of business,” and because they provide for society, government organizations are a prime target for a cyber attack.
Government organizations are not only a prime target; they are also not prepared.
One primary issue – in addition to organizations’ perception that “it won’t happen to us” – is budgeting. Government is not a ‘for-profit’ entity like a private business. Their funds come from taxpayers, and they must use that money to provide services to their communities. Leaders want their constituents to see that their tax dollars are used for roads, emergency management, public safety, and other civil services.
Using public funds for things like cyber security, while it protects the operations and data critical to the community, is not something that can easily be celebrated in the next election cycle. However, a successful cyber attack will be used by an opponent in the next election to demonstrate that the incumbent is not protecting the community.
The combination of the government being a prime target of cyber criminals and leaders being hesitant to spend public funds on cyber security (i.e., not adequately defending their systems) leads to the perfect storm.
A University of Maryland study of more than 90,000 local government entities found that one-third of local governments would not even know if they were under a cyber attack. They don’t have the tools. However, of those who do have the technology to know if they are under attack, one-third reported being attacked hourly, and half reported being attacked daily. So what does that say for those who don’t have the technology? Their systems are the Wild, Wild West!
In addition to the technology they lack, most governments either have IT policies and procedures that are not up to industry standards or have no formal procedures.
In addition to technology and policies/procedures, the third leg of the cyber security stool is security awareness and training of employees. This is critical in making all users of the IT system part of the security team, since one click on a malicious link can inadvertently invite a bad actor into your network.
If local governments implement basic cyber hygiene and technical tools, update policies and procedures, and train their employees, they can greatly reduce their risk of a successful attack. Studies indicate that organizations implementing a layered cyber security solution can decrease their threat by 90%. That sounds like a pretty good return on your investment.