Securing local government information systems and data is an ongoing—and alarming—concern for local government managers and chief information officers (CIOs), and news stories about cybersecurity vulnerabilities appear almost daily.
That’s why ICMA, in partnership with the University of Maryland Baltimore County (UMBC), surveyed CIOs about cybersecurity practices and related issues. And while the survey responses were being analyzed, yet another news story appeared: A column in Governing, "The Cyberthreat to Government That's Lurking in the Shadows" (April 2017), highlighted the threat posed by the use of unsanctioned software on workplace computers as technological advances make it increasingly easy to download and install software and access cloud services.
The goal of the Cybersecurity 2016 Survey was to better understand the local government cybersecurity landscape, including what capacities cities and counties possess, what kind of barriers they face, and what type of support they have to implement cybersecurity programs.
Cybersecurity Survey Findings
Perhaps unsurprisingly, a key finding of the ICMA/UMBC survey was that insufficient resources presented the greatest barrier to achieving the highest levels of cybersecurity. Although nearly a third (32 percent) of respondents reported that their local government information systems had experienced more attacks, incidents, and breaches during the past 12 months than in the previous period, 58 percent cited the inability to pay competitive salaries as the greatest barrier; 53 percent cited an insufficient number of cybersecurity staff; and 52 percent cited a general lack of funds.
It’s true that the public sector pays considerably less than the private sector for cybersecurity expertise, which places further pressure on U.S. local governments to find ways to fund compensation in this explosive industry. Currently, this booming field has zero unemployment and one million unfilled jobs, and experts estimate that the shortfall will reach 1.5 million by 2019.
On a more positive note, 77 percent of survey respondents reported that their local government had developed rules governing the creation and changing of passwords, and 62 percent had policies governing the use of personally owned devices.
Furthermore, when responding to questions about the top appointed official, only 3 percent reported that this official was unaware of cybersecurity issues, and only 3 percent reported that the official provided no support for cybersecurity.
When asked to rank the top three things most needed to ensure the highest level of cybersecurity for their local government, respondents cited greater funding as number one, better cybersecurity policies as number two, and greater cybersecurity awareness among local government employees as number three in importance.
Other highlights of the ICMA/UMBC cybersecurity survey results include:
- Only 1 percent of responding local governments have a stand-alone cybersecurity department or unit. Primary responsibility for cybersecurity is most often located within the IT department.
- Despite the fact that nearly 70 percent of responding local governments have not developed a formal, written cybersecurity risk management plan, nearly 41 percent conduct an annual risk assessment and an additional 16 percent take stock of their risk at least every two years.
Cybersecurity Resources from ICMA
ICMA has published articles and blog posts that describe ransomware and other cyberattacks, explain vulnerabilities and risks, and provide advice for securing systems and preventing breaches. Here are some key resources:
- De-Mystifying Cybersecurity. A town administrator from a small community and an enterprise information security official from a large county offer perspectives on the risks, approaches, and challenges of today’s cyber environment.
- Ransomware Attack! Making the Hard Decisions. A first-person account of an attack on a city’s computers.
- Cybersecurity: What’s Your Risk? Six questions managers should ask.
- Technology at the Administrator's Side: Empowerment or Security Risk? An article by Dr. Costis Toregas for the National Association of County Administrators (NACA) that addresses the technology tools that make the public administrator's job easier and cautions about the security risks each one presents.
- Cybersecurity: Developing Threats. Another article from NACA highlighting several ransomware attacks on government websites.
- Local Government Guide to Cybersecurity. Guidance for local appointed and elected officials.
- Cyber Disruption Response Planning Guide. Resources provided by the National Association of State Chief Information Officers (NASCIO), equally useful at the local level.
- How You Can Protect Your Community from Getting Cyber Hacked. See the quick reference checklist for cybersecurity tasks.
- Cyber Disruption Response Planning Checklist. An expanded checklist drawn from the NASCIO guide.