Why Your Agency Needs a New Cybersecurity Plan — Now

Particularly in light of the new federal cybersecurity grant program, governments need to establish updated cyber response plans that go beyond short-term solutions and set agencies up to tackle future risks.

President John F. Kennedy once said, “Effort and courage are not enough without purpose and direction.” I believe we can apply this to our current cybersecurity challenges in 2022 and beyond. But when it comes to cyber planning, there is a lot of work to do.

A Ponemon Institute survey conducted in 2019 found that 77 percent of enterprises don’t have a cybersecurity incident response plan. Perhaps even more surprising, a poll taken in late 2021 by Symantec found that nearly 85 percent of business owners have not developed a cyber plan, while most believe they are safe from cyber criminals. Among state and local governments, the numbers are not much better, with surveys suggesting that most public-sector entities do not have updated enterprisewide cyber plans. Why?

No doubt, many governments are struggling to address ransomware attacks, react to daily cyber incidents, and keep track of the growing number of patches and other fixes that need to be applied. Sadly, in numerous cases, new technology that could help reduce enterprise cyber risk is never deployed because of an inability to fill vacancies, or attract and retain cybersecurity and technology professionals. Put simply, there are too many cyber fires to extinguish to even think about building a better firehouse and/or adjusting wider priorities.

Despite these daunting challenges, I’d like to offer three reasons that state and local government organizations need to take a step back and build strategic and tactical cyber plans that offer pragmatic answers that go beyond short-term fixes.

First, our cyber threat situation continues to evolve and get worse. Not all of the cyber incident numbers are in yet from 2021, but one thing is already clear: Cyber attacks are growing by every possible measurement. Not only was the number of incidents much higher in 2021 than ever before, but the business impact of these cyber incidents was also greater. The costs associated with remediation after a major incident are rising fast. These costs are not just measured in dollars and staff time, but also in the political impact and in the delivery of digital services to citizens. Put simply, the digital transformation of governments can be undone by a lack of trust in online security and privacy.

Second, cybersecurity communication and emergency coordination are vital for the continuity of government services. State and local governments have been responding to fires and floods for hundreds of years, but the vital importance of the cyber emergency component is new in the past decade. Your cyber response plans must be consistent with other “all-hazards” approaches to emergency response because many emergency situations now contain a blended cyber component. Your emergency response plans need to include the business and technology leaders from all parts of government to ensure that everyone is on the same page regarding system protections and restoration priorities. Planning must address actions before, during and after cyber incidents.

Third, and some may say the most compelling reason to build a new plan right now, the federal government’s new state and local cybersecurity grant program requires comprehensive cybersecurity plans to get cyber funding grants. The detailed requirements for submitting these plans were not yet available at the time of this writing, but items mentioned in the law contain 16 different elements of cybersecurity. These include how the government will:

  • Manage, monitor and track information systems, applications and user accounts owned or operated by the jurisdiction.
  • Monitor, audit and track network traffic and activity traveling to or from information systems and applications.
  • Enhance the preparation, response and resiliency of information systems, applications and user accounts against security risks and cybersecurity threats.
  • Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.