State and local governments have made a concerted effort to digitize their systems over the past several years. Many customer-facing services, such as voter registration, payment options, and license and permit applications, are now accessible online.

But that move toward digitization has also created more of an open target for cybercriminals, especially in cases where data isn’t fully secured or protected. The “State and Local Government Security Report” released Thursday by security firm BlueVoyant shows how governments are vulnerable to ransomware and other forms of cyberattack and how agencies can better protect themselves and their sensitive data.

Hit by ransomware and other attacks, state and local governments are obviously aware of the need for strong cybersecurity. And they have taken certain measures to beef up security.

Many local governments have hired top cybersecurity people and created more effective teams. The recent Congressional Solarium Commission on Cybersecurity stressed the need for better security coordination among local governments, the federal government, and the private sector. The State and Local Government Cybersecurity Act of 2019, passed last year, is designed to foster greater collaboration among the different parties.

But government agencies are not all alike, especially on a local vs. state level. Differences exist in funding and preparedness. Security policies can vary from one agency to another. Plus, the effort to digitize systems and services at such a rapid pace means that security sometimes gets left behind.

Looking at open-source data on 108 cyberattacks on state and local municipalities from 2017 to late 2019, BlueVoyant found that the number of attacks rose by almost 50%. Over the same period, ransomware demands surged from a low of $30,000 a month to as high as almost $500,000 in July 2019, according to the report.

User credentials and other information found in government databases also are a hot commodity on the Dark Web. A recent study into cyberthreats targeting Wisconsin state and county governments discovered thousands of government employee credentials for sale in underground forums. Much of this data came from a range of different breaches rather than just a few.

Attackers who deal in ransomware may decrypt the infected data in exchange for payment. But there are no guarantees. And even having backups of the encrypted data doesn’t fully resolve the issue as many such cybercriminals now threaten to release the information publicly if the ransom isn’t paid. Some underground public auction sites will even sell victim data to the highest bidder.

Screenshot in Russian of a threat actor offering network access to a local government.

To help government agencies better protect themselves against ransomware and other cyberattacks, BlueVoyant urges the following steps:

  1. Conduct cybersecurity risk assessments. Local government entities can benefit from cybersecurity risk assessments that provide technical and detailed insights into how to improve their cybersecurity posture. Keep in mind that security vulnerabilities are often multiplied during periods of rapid change, such as the quick rollout of digital services occurring in many states and counties.
  2. Consider a managed security service. Dedicated managed risk services can provide enormous cost savings and security against attacks and compromises. These fully-integrated services monitor, mitigate, and alert clients to vulnerabilities as well as to possible attacks and compromises in real time, severely reducing the chance of costly cyber incidents.
  3. Look into cyberinsurance. Cyberinsurance is an integral part of risk management and can offer cost savings. The completion of an underwriting application is a good first step toward understanding vulnerabilities and identifying areas for improvement. Once a policy is bound, funding is provided to respond to an event, and cyber experts are typically available at reduced rates. Having cyberinsurance also shows preparedness and is a useful tool in the defense strategy for any emerging litigation or regulatory proceeding.
  4. Investigate professional services such as incident response, remediation, and mitigation. Municipal governments are unfortunately all too familiar with incident response and remediation processes. Experienced investigators, when called in immediately (and when coupled with appropriate disclosure protocols), are the best way to avoid mistakes and implement the proper response and remediation steps.
  5. Prepare for resiliency. Above all, any third-party cybersecurity service or internal review will be insufficient unless resiliency is built into systems. Not only do local governments need to build defense in depth, they also need to prepare for resiliency and recovery in the event of an attack. This means backing up data, having plans in place should systems or datasets be offline, and preparing for recovery scenarios.