IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Report: State and Local Government See Resilience Hurdles, Goals

Global tensions are prompting state and local governments to deepen focus on their abilities to prevent, withstand and recover from cyber incidents, and many are particularly concerned about risks to sensitive data, according to a new report.

Cybersecurity abstract.
Rising international tensions are driving state and local governments to take a harder look at their cyber resilience, according to a new survey. But improvement efforts face hurdles, with state and local respondents citing struggles around workforce, funding and ever-more complicated technology environments.

Another challenge? How organizations think about what resilience means. Eighty-two percent of state, local and federal respondents said their organizations consider resilience to be a matter of “basic compliance and risk management functions,” rather defining it more dynamically as their entities’ abilities to anticipate and prevent, respond to and recover from cyber disruptions.

These findings come from a September 2022 survey of 310 government IT decision-makers conducted by MeriTalk, a government IT-focused public-private partnership, and sponsored by Splunk, a data platform provider.

About 161 respondents were from state and local entities and 149 from federal. While survey takers weren’t asked to list the entities they worked for — which could reveal if some came from the same one — “it can be assumed they come from various government organizations,” a MeriTalk representative told Government Technology.


IT decision-makers at state and local governments largely saw room to improve resiliency. Fewer than 40 percent were “very confident” that their organization could “maintain vital services in the face of cyber attacks, insider threats, infrastructure outages, and critical application failures,” according to the report.

State and local survey takers were particularly concerned about threats to sensitive data. Seventy-seven percent listed sensitive data among their software and information “most vulnerable to cyber risk exposures.” That outstripped the 65 percent of federal respondents who said the same.

Federal government, in contrast, was more likely to worry about internal control systems, with 49 percent deeming these “most vulnerable” compared to just 31 percent of state and local respondents.
When considering specific threats, ransomware and other malware loomed large for state and local governments, more so than for federal counterparts.

Seventy-one percent of state and local IT decision-makers named malware (which included phishing) as one of the greatest threats to their organization’s cyber resilience, while only 57 percent of federal respondents did the same. Similarly, 59 percent of state and local survey takers pointed to ransomware (which the survey treated as a separate category), compared to 42 percent of federal ones.

But state and local governments were less concerned than federal about threats of malicious insiders and denial-of-service (DoS) attacks. Malicious insiders were a top worry for 45 percent of federal respondents but only 24 percent of state and local respondents, while DoS attacks troubled 35 percent of federal respondents and 23 percent of state and local ones.


Despite these concerns, governments have been making progress on resilience — and feeling the results. Just under half of state and local survey takers said cyber resilience improvements over the past two years had helped their entities better mitigate risk. State and local respondents were also particularly confident about their abilities to monitor for threats (cited by 71 percent), while shakier on areas like governance activities related to resilience (which only 24 percent were confident about).

Governments have distance to go in their resilience journeys. When asked to select the weakest part of their cyber resilience, 65 percent of both federal and state and local respondent groups named workforce development, with smaller portions of respondents naming security or IT. Some survey takers pointed to struggles retaining employees with the right skills, hiring enough people or familiarizing users with technology.

Report authors recommended entities tackle workforce strains in part by holding regular employee trainings about good cyber practices and taking efforts to foster a culture of risk management. Decision-makers seemed ready to focus here: as they considered where to direct investments for the next two years, state and local respondents homed in on workforce training, as well as on data encryption, and policies and controls to prevent data loss.
When considering obstacles to improving, state and local respondents most often pointed to insufficient funding (selected by 41 percent) and the rising complexity of technology environments (chosen by 35 percent). State and local entities were notably less likely than federal ones to say that they struggled with “lack of consistent resilience strategies,” but 46 percent of state and local respondents still said that one of the top five ways to bolster resilience would be to have greater internal collaboration.

Report authors recommended governments take steps like setting organization-wide resilience strategies and goals, increasing communication and collaboration across departments and promoting a broader view of resilience that sees it as more than “check-the-box” compliance and instead as an organization’s ability to avoid, handle and bounce back from cyber incidents.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.