Another challenge? How organizations think about what resilience means. Eighty-two percent of state, local and federal respondents said their organizations consider resilience to be a matter of “basic compliance and risk management functions,” rather than defining it more dynamically as their entities’ abilities to anticipate and prevent, respond to and recover from cyber disruptions.
These findings come from a September 2022 survey of 310 government IT decision-makers conducted by MeriTalk, a government IT-focused public-private partnership, and sponsored by Splunk, a data platform provider.
Of those, 161 respondents were from state and local entities and 149 from federal. While survey takers weren’t asked to list the entities they worked for — which could reveal whether some came from the same one — “it can be assumed they come from various government organizations,” a MeriTalk representative told Government Technology.
KEY RISKS
IT decision-makers at state and local governments largely saw room to improve resiliency. Fewer than 40 percent were “very confident” that their organization could “maintain vital services in the face of cyber attacks, insider threats, infrastructure outages, and critical application failures,” according to the report.
Federal respondents, by contrast, were more likely to worry about internal control systems, with 49 percent deeming these “most vulnerable” compared to just 31 percent of state and local respondents.
Seventy-one percent of state and local IT decision-makers named malware (which included phishing) as one of the greatest threats to their organization’s cyber resilience, while only 57 percent of federal respondents did the same. Similarly, 59 percent of state and local survey takers pointed to ransomware (which the survey treated as a separate category), compared to 42 percent of federal ones.
But state and local governments were less concerned than their federal counterparts about threats from malicious insiders and denial-of-service (DoS) attacks. Malicious insiders were a top worry for 45 percent of federal respondents but only 24 percent of state and local respondents, while DoS attacks troubled 35 percent of federal respondents and 23 percent of state and local ones.
GAPS AND PLANS
Despite these concerns, governments have been making progress on resilience — and feeling the results. Just under half of state and local survey takers said cyber resilience improvements over the past two years had helped their entities better mitigate risk. State and local respondents were also particularly confident about their abilities to monitor for threats (cited by 71 percent), while shakier on areas like governance activities related to resilience (which only 24 percent were confident about).
Governments still have some distance to go in their resilience journeys. When asked to select the weakest part of their cyber resilience, 65 percent of both the federal and the state and local respondent groups named workforce development, with smaller portions of respondents naming security or IT. Some survey takers pointed to struggles retaining employees with the right skills, hiring enough people or familiarizing users with technology.
Report authors recommended entities tackle workforce strains in part by holding regular employee trainings on good cyber practices and making efforts to foster a culture of risk management. Decision-makers seemed ready to focus here: as they considered where to direct investments over the next two years, state and local respondents homed in on workforce training, as well as on data encryption and on policies and controls to prevent data loss.
Report authors recommended governments take steps like setting organization-wide resilience strategies and goals, increasing communication and collaboration across departments and promoting a broader view of resilience that sees it as more than “check-the-box” compliance and instead as an organization’s ability to avoid, handle and bounce back from cyber incidents.