*Note: This was published in the magazine and online before news broke about the recent cyberattacks on election systems in Arizona and Illinois.
So far it’s been a quiet year for data breaches. No major state and local cyberattacks have yet been reported in 2016. Of course, that doesn’t mean attackers are taking a break. Evidence suggests they’re merely spending less time developing new approaches and instead refining some old but proven ways to hack, according to Verizon’s recent Data Breach Investigations Report.
The break in action is giving state and local governments some much-needed time to regroup, though. It’s true governments have always faced an uphill battle against cyberattacks. Shrinking budgets and a lack of specialized talent have been chronic problems. But recently agencies nationwide have begun to broaden their use of a few conventional tactics to mitigate the rising tide of attacks: teamwork, employee training and insurance.
Teamwork. Fighting hackers from just about every corner of the globe is a gargantuan task, but doing it by yourself makes it even harder. That’s why a growing number of state governments are creating multiagency groups to tackle cybersecurity. In Arizona, the state has formed the Cyber Threat Response Alliance to analyze real and emerging dangers. The alliance, which includes the FBI, Homeland Security and academic institutions, hopes to better understand what kind of barriers might slow down coordinated responses to cyberattacks.
Similarly, the New Jersey Cybersecurity and Communications Integration Cell is focused on information sharing around cyberthreats. With help from the feds, states and localities are able to access up-to-date information on data breaches, obtain risk assessments, get the latest tips and learn how to practice better cyberhygiene. Other states with multiagency programs include Georgia, New York and Washington.
Employee training. When it comes to security, government CIOs are haunted by the old cliché, “You are only as strong as the weakest link.” If you’ve ever happened to watch the cyberthriller series Mr. Robot, then you know that human error is one of the major sources of breaches and intrusions. To counter this problem in government, states and localities have developed what’s known as security awareness training. The idea is to make government employees more conscious of security overall and to reduce the kind of mistakes that can launch an intrusion, trigger an attack or inadvertently allow certain types of fraud.
The awareness training can range from rudimentary classes to sophisticated online programs that keep careful track of employee progress. While awareness training isn’t cheap, especially for a state government that may have tens or hundreds of thousands of employees, the payoff in better protection is invaluable, according to Michael Roling, Missouri’s chief information security officer.
With 40,000 state employees taking monthly courses on everything from avoiding phishing attacks (emails disguised to look like official business that can trigger an intrusion once opened) to what constitutes a secure password, Roling says continuous training has resulted in fewer cybersecurity problems. “Awareness training is one of the most important components of our security posture,” he says.
Insurance. When all else fails, states and localities have the fallback option of purchasing cyberinsurance. Available for years in the private sector, the coverage is just beginning to catch on in state and local government. In 2014, hackers broke into the Montana Department of Public Health and Human Services’ server. Fortunately for Montana, the state had insurance, which helped it cover the cost of investigating the attack, notifying individuals impacted by the breach and recovering the theft of government funds.
Not surprisingly, insurance isn’t cheap, costing as much as $20,000 for every $1 million in coverage. On the plus side, though, getting insurance has the added benefit of shoring up your defenses: After all, you wouldn’t be able to get it unless you were doing something right.