Security gaps leave local governments vulnerable to a variety of cyber threats
Cities and counties are beefing up their IT security, and that makes sense, says Augustine Boateng, interim chief information officer (CIO) in Memphis, Tenn. “It’s important to note that local governments have developed a reputation over the years for having lackluster cybersecurity; and not without good reason. As a result, we’re seeing more and more cyberattacks targeting cities, counties, and the like.”
Boateng lists the following IT weaknesses that are sometimes found in local government technology departments:
- Weak authentication. Boateng says implementing appropriate authentication measures is one of the most critical and easily completed security steps a jurisdiction can take. “Weak passwords and failing to use multi-factor authentication (MFA) is like leaving your front door unlocked. It makes it orders of magnitude easier for attackers to gain unauthorized access to networks and data, leading to things like identity theft, loss of important information, financial loss and plenty of negative outcomes.”
- Outdated and unpatched software. Boateng says it is important for an agency to keep its software current by regularly updating and patching it to ensure that it is protected against weaknesses that attackers can exploit. “These vulnerabilities can arise in operating systems, email servers, and other software applications that are used within an organization. Outdated software can leave your system open to a variety of cyber threats, including malware, ransomware and other malicious attacks.”
- Insufficient security training. The human element plays a role in more than 80 percent of all data breaches today, according to Boateng. “At the end of the day, employees are most often your last line of defense against a cyberattack,” he says. “And yet, far too many organizations continue to underestimate the significance of security awareness training. Employees who are not adequately trained on cybersecurity best practices may unknowingly engage in activities that expose the agency to cyberattacks, such as opening suspicious emails or clicking on malicious links. This lack of awareness can lead to unintentional security breaches, which may result in the loss of sensitive data, financial losses and reputational damage.”
- Insider threats. Boateng points out that jurisdictions also face considerable risk from their own employees. “Whether it’s a malicious act or an honest mistake, employees often engage in activities that compromise organizational security. This includes everything from intentionally leaking or stealing sensitive data, to accidentally clicking on a phishing email or failing to update software.”
- Inadequate incident response planning. If it lacks a high-quality incident response plan, an agency may struggle to effectively respond to and mitigate the impact of attacks. “An incident response plan is a set of procedures and protocols that outlines how an organization will respond to a cybersecurity incident,” Boateng says. “It helps to minimize the damage caused by an attack and get the affected systems and services back up and running as soon as possible. Plans should include clear guidelines on how to detect and report security incidents, steps to contain the attack, ways to analyze the impact, and procedures for recovery and remediation.” He notes that a well-designed incident response plan can help ensure that organizations are prepared and equipped to counter cyber-threats effectively and minimize their impact on operations and citizen services.
- Lack of monitoring and auditing. Boateng says it is critical to ensure that IT systems and email traffic are monitored effectively to detect security incidents in a timely manner. “Failure to do so can result in delayed detection of potential threats, making it difficult to respond to them effectively. Regular audits of IT systems and email traffic are essential to identify and address vulnerabilities, as they can reveal any weaknesses or areas that require additional attention. Audits should include a thorough review of security protocols, as well as an examination of access controls, network settings and other critical elements that could impact the security of the system.” Boateng notes that when agencies conduct periodic audits, they can stay proactive in their approach to cybersecurity, ensuring that their systems are always up-to-date and protected against potential attacks.
Boateng sees the value of cooperative purchasing in local government operations. “Cooperative purchasing agreements for email and IT systems offer several benefits to local governments, including cost savings, efficiency, access to expertise, pre-negotiated terms, broader vendor pool, compliance with regulations, flexibility, reduced administrative burden, risk mitigation and collaboration opportunities,” he says.
He urges city-county officials to take the following step as they consider cooperative opportunities: “Local governments should carefully review and assess cooperative agreements to ensure that the selected vendor and solution align with their specific requirements and security standards.”
OMNIA Partners, which sponsors this page, offers a robust portfolio of cooperative contracts in the public procurement space. The firm lists a number of cooperative contracts under the keyword “cybersecurity.”
Michael Keating is senior editor for American City & County.