As state and local agencies considered their IT security priorities, many said they looked at investing in access management, but also said their cybersecurity goals ran up against issues like budget limits.
The 7th annual Public Sector Cybersecurity Survey Report, released Jan. 11, surveyed 100 respondents from state and local governments with at least 500,000 residents, as well as 200 respondents from federal government agencies and 100 from K-12 and higher education institutions. Market Connections conducted the survey in October 2021, without disclosing to recipients that the effort was sponsored by SolarWinds.
WHAT’S THREATENING STATE, LOCAL GOV’T?
The survey asked state and local government members to identify the kinds of actors who present “the greatest sources of IT security threats” to their organizations and found most of these respondents pointing to the “general hacking community.” Sixty-three percent identified this group as a top concern, which marked a sharp jump over 2019, when only 40 percent of respondents said the same.
The survey did not detail what sort of perpetrator respondents should envision when considering the general hacking community. But a spokesperson told Government Technology that SolarWinds views the category as referring to an individual who is motivated by curiosity and reputation-seeking, rather than by political ideology or profit-seeking. Hacktivists and for-profit criminals were listed as separate survey options.
State and local government respondents (who were able to select multiple answers) also said they were particularly threatened by careless or insufficiently trained insiders (an option chosen by 51 percent of these survey-takers), and foreign government actors (46 percent). Smaller portions of respondents highlighted malicious insiders, for-profit crime, industrial spies and terrorists.
Hacktivism also drew heightened attention in 2021, with 43 percent of respondents highlighting the threat compared to only 26 percent doing the same in 2019.
The survey also probed specific threat methods, and federal, state, local and education respondents collectively said they were more concerned about ransomware in 2021 than they had been in 2020 (an opinion voiced by 66 percent of the overall survey pool). Similarly, 65 percent were more concerned about malware in general, of which ransomware is just one type, and 63 percent cited phishing.
VARYING APPROACHES TO THE SAME PROBLEM
Public agencies are considering the strategies and tools that can help them against threats, and many appear to be turning their attention to further restricting access.
Sixty-three percent of state and local government respondents said access management would be a high priority when they decide where to invest people and/or funds during the next 12 months (October 2021-October 2022).
Similarly, these governments appeared fairly attuned to the concept of the principle of least privilege (POLP), which holds that organizations should restrict the amount of access users and systems have to only what they absolutely need to do their work. Seventy-six percent of state and local government survey-takers said they were familiar with this concept.
State and local respondents showed somewhat different views about what adopting POLP could do for an organization. The majority of local government respondents — 88 percent — said one of the top three benefits of POLP was for stopping malware, an opinion shared by 63 percent of state government respondents. Fifty-three percent of state survey-takers said adopting POLP “demonstrates compliance,” while only 27 percent of local governments said the same.
But agencies also face challenges to achieving some of their IT security goals. States were especially likely to identify “budget constraints” as a major impediment standing in the way of keeping up or advancing their security efforts. Fifty percent of state respondents highlighted this financial hurdle, as did 25 percent of local government respondents.
