Cyber resilience for state and local governments: Where to start
Thicha Satapitanon via Getty Images
COMMENTARY | Governments already have the tools, while zero trust and hardware security strategies turn existing resources into stronger defenses.
State and local governments face relentless cyber threats that continue to evolve in scale and complexity, with ransomware, phishing, and data breaches now routine challenges. Yet the biggest hurdles often come from within: tight budgets, limited cybersecurity staff, and a patchwork of legacy systems that are tough to secure.
The good news? Agencies don't need sky-high budgets to build serious cyber resilience. Two proven strategies — zero trust architecture and hardware-based security — offer scalable protection that works within the real-world constraints facing state and local governments.
Zero trust focuses on constantly verifying who or what is trying to connect to agency systems, granting the smallest amount of access needed, and breaking networks into smaller, secure sections. And it's effective: organizations with zero trust strategies shave about $1 million off the average cost of a data breach, according to a recent IBM and Ponemon Institute report.
Meanwhile, hardware security works at the deepest layer of the system, preventing attackers from bypassing the foundational controls built into the device. Together, these approaches help make security more manageable for small teams and limit the damage from data breaches.
Why Segmentation Is Your Security Starting Point
State and local governments are in a particularly tough spot when it comes to attracting and retaining cybersecurity talent. According to an annual survey by the Center for Internet Security, 80% of more than 4,000 state, local, tribal, and territorial organizations reported having fewer than five dedicated security employees. Many rely on vendors or managed service providers, but smaller municipalities often struggle to get priority support when it matters most.
For small teams juggling complex environments, implementing zero trust often feels overwhelming. But as with any big task, the key is to break it down into smaller, focused steps. Tackling one piece at a time allows agencies to build stronger defenses steadily and sustainably.
Start with segmentation: divide networks into smaller, secure zones like education, public works and payroll. This approach limits the damage if attackers get in and helps agencies prioritize protection where it's needed most. High-risk systems, such as public-facing services, can be locked down with tighter controls, while lower-risk areas remain streamlined and easier to manage.
Once strong segments are in place, agencies can add another critical layer: role-based access controls. This level of control ensures that even within a segmented network, users can access only what they need to do their jobs — and nothing more. For example, a public works employee might have access to route and maintenance data but not to payroll or sensitive citizen records. By combining segmentation with granular, role-based policies, agencies build a more robust defense that limits external and internal risks.
Hardware Security: Built-In Protection That's Often Overlooked
While zero trust focuses on who gets in, hardware-based security strengthens what they're getting into. Hardware security tools — such as secure boot, firmware protections, remote manageability and memory encryption — establish a root of trust below the operating system, making it much harder for attackers to gain a foothold at the deepest levels of a system. The catch? Many agencies don't realize these tools exist or assume they're enabled by default. In many cases, they're not.
Turning on these protections can dramatically reduce the risk of advanced attacks like firmware- based malware and rootkits, which are often invisible to traditional software-based defenses.
Hardware-based security also plays a vital role in system recovery. For example, when a major security vendor experienced a widespread issue that rendered devices temporarily unusable, organizations that had enabled hardware-based remote management and recovery tools could quickly restore their systems—even when the operating system wasn't responsive.
Existing hardware often has these features built-in, and activating them takes just a few configuration steps. That means agencies can strengthen security quickly and at no extra cost. When it is time for a hardware refresh, it's also a chance to upgrade protections further by choosing devices with the latest security features and ensuring they're enabled from day one. This boosts security and helps justify new investments by tying them directly to risk reduction.
Making It Work
Building a resilient security posture doesn't happen overnight, but with the right approach, progress is well within reach.
First, agencies should gather the right stakeholders, such as IT teams and department heads who understand the systems and workflows that need protection. Their insights are essential to crafting policies that are both effective and practical.
Next, it's critical to audit the current environment. Are networks segmented? Are hardware security features enabled and configured? These basics often make the most significant difference and are too often overlooked.
Finally, vendors should be more than box-checkers. Agencies should push for clear answers about how tools support zero trust and hardware security goals, and demand guidance tailored to their unique environment.
Cybersecurity may always be a moving target, but layered defenses — built from smart segmentation, strict access controls and hardened hardware — can keep state and local governments prepared, protected and a lot harder to crack.
Steve Orrin is chief technology officer of Intel Government Technologies.