The importance of cybersecurity for state and municipal governments has been underscored this year by news reports of Russian hacking attacks on state voter databases. But politics isn’t the only motivation for attacks on municipal databases, networks, and applications. The data they hold on citizens includes social security numbers and financial details that are highly valuable to cyber criminals.

A study by the Ponemon Institute in 2015 found that half of state and local governments had at least 6 breaches in the previous two years. To keep residents safe, it’s critical that these governments invest in protecting their data. It’s also financially prudent to invest in cybersecurity; Ponemon currently estimates the average cost of a data breach in the U.S. at $86 per stolen record in the public sector.

Many Threats to Defend Against

Today’s threats to municipal information systems take many forms:

• phishing emails
• malware and ransomware
• Internet of Things devices
• misconfigured systems
• work from home and “bring your own device”
• insider threats
• cloud computing
• employee error

There’s a lot to defend against! Yet funding for information security is often very limited in government agencies, with less than 5 percent of the IT budget devoted to protecting systems. Many organizations aren’t taking even basic steps, such as applying security patches and upgrades to defend against known vulnerabilities.

Many Ways to Defend Yourself

When municipalities do invest in cybersecurity, much of it is focused on managing infrastructure and defending the network perimeter, but those approaches are not enough. The most effective cyberdefense isn’t limited to those aspects but also includes

• defining metrics and assigning responsibilities to specific personnel
• monitoring systems in real time
• ensuring employees receive adequate information security training
• focusing on mitigating high-risk threats within a short time period
• deploying basic tools such as firewalls, antivirus software, and data loss prevention
• creating and testing backup and recovery procedures
• defining an incident response procedure
• enhancing identity management

Updating legacy applications can also be a necessary part of a cybersecurity program. Older applications may have vulnerabilities and, if they’re built using obsolete technology, may not longer be supported and patched.

Implementing Cybersecurity Requires Professional Support

Even the smallest municipal data center needs a professional level of cybersecurity support. There are many security products on the market, but choosing the most effective products and integrating them to achieve comprehensive data protection is complex and requires a level of skill that many municipalities simply don’t have on their staff.

Rather than trying to develop and implement their information security strategy from scratch, most municipalities should look at existing standards, like the framework from the National Institute of Standards and Technology. Working with an experienced partner like Prescient Solutions lets you add their team’s knowledge and expand the capabilities of your in-house staff. A shared services model means that every municipality can invest in the high level of information security their citizens deserve. 

Additional Municipal Cybersecurity Resources

Municipal Cybersecurity Deserves Making a Federal Case Out of It

Shared Services Let Municipalities Partner With Neighbors to Expand IT Capabilities

Municipal IT Needs a Balance Between Security and Transparency