A three-step plan for a citizen-first cybersecurity strategy in cities and counties

Brandon Shopp

January 4, 2022

Cyberattacks against states and municipalities have increased significantly in the last year, with school districts, city halls and police departments among the most vulnerable. Ransomware attacks in particular are on the rise. In 2020, more than 2,000 public sector organizations—including municipalities—were targeted in these attacks.

These incidents highlight how local governments can become an easy target for cybercriminals. Often hampered by tight budgets, aging IT systems and small IT departments, they find it harder and harder to protect the endless amount of citizen data they’re entrusted with.

To achieve and maintain a strong security posture, state and local leaders must change how they think about cybersecurity. Instead of a technology-first approach, these organizations must start with a proactive defense strategy based on a citizen-first mindset.

Here are three considerations state and local government officials should weigh in their security planning:

1. Protecting the public
To secure and protect public data, cities and counties must first identify the most critical data and assets in their digital environment. Though most organizations have a plan to maintain and protect servers and critical endpoints, the next step is determining the key components within them, including applications, data stores, systems, and even employees. Why? Because if an employee who has access to sensitive data is targeted with a phishing campaign—where threat actors send emails containing a malicious attachment or direct the recipient to a website containing ransomware—the entire data set could be compromised.

With key assets defined, IT teams can put processes and policies in place to heighten security around these items.

It’s also crucial to regularly review these policies. Though it’s impossible to secure everything, defining and protecting these critical elements should be the top priority for security teams.

2. Practicing good cyber hygiene
One of the reasons ransomware and other attacks succeed is a lack of basic cybersecurity hygiene. In the fight against cybercriminals, it’s easy for inertia or security apathy to sink in. The sense that “we have all the controls in place we need” is commonplace. But this thinking only tips the scales in favor of bad actors.

Indeed, a recent study suggests that although public sector IT pros feel their existing cybersecurity policies and procedures are sufficient, they must move to adopt a mentality in which even “medium” risk exposure is unacceptable. And this mindset must be adopted across the organization.

As such, IT teams must examine their current technology and processes and deploy solutions capable of providing complete visibility into all systems so they can identify and mitigate hidden risks. Even small changes like maintaining a regular patching cadence, enforcing multi-factor authentication and reducing the attack surface using network segmentation or virtual machines can improve security postures.

While IT is fighting in the trenches, the C-suite should also discuss security and promote it as a top-down priority. Furthermore, non-tech employees should think of themselves as part of the extended security team and implement basic cyber hygiene practices.

3. Staying up-to-date with regulations
Keeping up with regulations can feel like a tall task, but they present city and county IT teams with new opportunities to stay ahead of the curve. Regulatory guidelines drive security, force buy-in from senior teams, and reduce the potential for data breaches in the future. They also benefit citizens whose data must be protected.

In recent years, the scope of privacy regulations, like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, has significantly expanded. These and future laws define the measures a municipal organization must take to protect itself and its data, the controls it must deploy, reporting requirements, and how third-party risk is managed.

IT and security teams can work in sync with legal, audit, and compliance teams to implement and maintain these standards of care. They must also stay up-to-date as new regulations emerge, such as the State and Local Cybersecurity Improvement Act—if passed, it will set baseline objectives for cybersecurity efforts.

Executing the steps above can seem like a daunting prospect. But cities and counties can find allies in this fight. Connecting with their peers, joining local organizations, attending meetups and seminars, and staying in touch with the broader security community will help IT pros complete these activities and processes and proactively protect critical systems and citizen data.

Brandon Shopp is the group vice president of product at SolarWinds. Shopp has spent more than 10 years with SolarWinds and has a proven success record in product delivery and revenue growth, with experience across a wide variety of software product, business model, M&A and go-to-market strategies.
