According to a report by the Brookings Institute, most government agencies lack IT security policies.
A lack of a good government security policy can open agencies to many different risks. As demonstrated by the story of Bingham County, a security breach can shut down government servers and cost thousands of dollars to repair.
In other cases, a cyber attack can result in the theft of sensitive data including Social Security numbers, credit card information, and medical records. At the very least, a security breach can damage a government’s reputation and public trust.
When it comes to effective information security in government, municipalities face several challenges:
Constantly changing and adapting security threats
Technology changes rapidly, and so does cybercrime. Cyber attacks are becoming increasingly complex and intense.
A report by the FBI found that in 2016, there were 4,000 ransomware attacks every day. That was a 300% increase from 2015, and the report concluded that new variants of ransomware are constantly emerging.
This makes government IT security challenging. Old firewalls or anti-malware software may have gaps. And an outdated government security policy can leave employees unaware of potential security issues.
Local governments handle a lot of responsibilities. Different government departments have to comply with various federal and state regulations for information security. These may include regulations from HIPAA, the IRS, FBI, FSSA, and more.
Along with federal regulations and standards, municipal governments also must comply with state laws governing data security.
All the regulations and standards can be a lot for an IT team to keep up with. The flood of suggested frameworks, tips, and best practices is not always helpful or clear and can create more problems than it solves.
In a 2016 survey by NASCIO and Deloitte, 80% of state governments said that funding was their top challenge in government information security.
Another study found that, in most state and local governments, cybersecurity makes up less than 5% of the IT budget. Private enterprises usually spend more than 10% of IT budgets on cybersecurity.
This is problematic. With cyber threats growing in number and complexity and more sensitive information going digital, information security is increasingly important.
Government IT departments need more money to do everything they need to do to protect critical information and systems. If the efforts aren’t properly funded, it’s difficult to stay on top of all of the security regulations and best practices.
Municipal governments often have a small IT team and may not have an IT security expert on staff. IT personnel may not be familiar with all the information security regulations. And with no one person overseeing cybersecurity measures, important aspects of cybersecurity in government can fall through the cracks.
But often, the IT team is not the problem. The vast majority of government data breaches come from internal mistakes by employees.
Well-intentioned but technologically unaware employees will always be the biggest security threat to any organization, including local government agencies. They may use weak passwords, click on phishing scams, or access an unsecured website.