Connecting state and local government leaders
More counties are embracing voluntary cybersecurity frameworks to evaluate their risk and better protect their assets, a recent report shows.
County governments are reducing their cybersecurity risk levels by embracing voluntary standards, including those developed by the federal government, according to a report released last week.
Research from the National Association of Counties (NACo) and Accenture found that 50% of counties use the controls outlined in the National Institute of Standards and Technology’s (NIST) Security and Privacy Controls for Information Systems and Organizations special publication.
Meanwhile, almost 30% use either a bespoke state or county-specific framework, a cybersecurity maturity model certification program or the 27001 Maturity Model developed by the International Organization for Standardization and the International Electrotechnical Commission. Just over 20% said they do not use a standardized cybersecurity framework, while 18% said they do not know.
NACo Chief Information Officer Rita Reynolds said the findings “surprised” researchers as they “did not think [standards] adoption was quite that wide.” She said that shows progress on cybersecurity at the county level and a greater understanding of how efforts at NIST and international standards bodies can be translated for local governments.
“So long as counties are working towards a standard, that's really what we want to see,” Reynolds said.
Reynolds said she was also “pleasantly surprised” to see that more than 60% of elected officials see cybersecurity as a top priority or at least a priority. While it is not that elected leaders did not care about cybersecurity in the past, she said, the spate of cyberattacks on local governments combined with greater education on the topic has helped make it more tangible.
That support for cybersecurity has revealed itself in numerous ways, according to the report. Researchers found that counties are spending on firewalls and other cyber solutions, engaging cybersecurity experts for assistance and crafting strategies to deal with response and recovery.
But there is still plenty of work ahead for county governments.
An unnamed CIO of a medium-size rural county said “lagging technology pressures” from legacy systems are among the biggest concerns. “We have a lot of aging servers, lagging technology that we’re constantly trying to stay up to date with,” the CIO is quoted as saying in the report.
And while over 40% of respondents said they are moving organizational processes to the cloud and 63% said they use a hybrid mix of public and private clouds, one chief technology officer of a medium-size county warned that the use of cloud in addition to on-prem services has “actually complicated our security landscape because now we have to protect more.” Counties also must ensure data and infrastructure is configured correctly when moved to the cloud, which the CTO said requires different skills to maintain.
NACo and Accenture also found that most counties lack a cybersecurity risk-based framework that is fully integrated into their countywide security and resilience plans. Just 12% said their cyber risk-management framework is fully integrated, while 38% said it is partially integrated, and 11% said it is not integrated at all.
Reynolds said a county’s cybersecurity and resilience depends on strong relationships between county agencies. Holding interagency tabletop activities can solidify those relationships and help agency leaders that traditionally do not think of themselves as technology driven see the importance of cybersecurity, she said.
Fiscal concerns weigh also heavily in counties’ cybersecurity strategies. The report found that while 86% of counties have a cyber insurance policy, just 31% are happy with it. Meanwhile, 70% noted that their premiums have increased, and 69% said the qualifying questionnaires they must fill out have grown longer. One third of county leaders surveyed said their coverage had been reduced.
Reynolds said the insurance industry now has more actuarial data about cyberattacks and so is “correcting very quickly” to better reflect the risks associated with cybersecurity, adding that may take at least until the end of this year for the industry to settle down and phase out premium spikes and coverage reductions. While counties may be tempted to drop their cyber insurance, they should resist that urge, she advised.
“It's like car insurance,” she said. “You're required to have it, hopefully you don't have to use it. But in the event that something does happen, you're at least covered. The difference here with cyber insurance, from the public’s perspective, if something happens and you have to notify individuals, you at least can say you have cyber insurance in place.”
Budgets also remain tight for county governments, although the coming federal cybersecurity grants for state and local governments could help ease that burden. But there is a “long, long way to go” before that funding is sufficient to meet counties’ needs, Reynolds said.
With threats against local governments increasing, Reynolds urged leaders to continue investing in cybersecurity and “move the needle forward” on protecting themselves, as that will lessen the impact of any future attacks. “Sitting and doing nothing isn't a good option anymore,” she said.