As a company that works with a lot of small businesses we bring up how vulnerable they are to cybersecurity attacks. But there’s another sector that warrants discussion. State and local governments are just as attractive a target to cybercriminals as small businesses. The biggest problem associated with this is that many smaller government entities don’t have the necessary resources or understand that cybersecurity is an increasingly large issue. Government IT departments shouldn’t be the first place to look when it comes to budget cuts, even though this is often the case.
What data is vulnerable within state and local governments?
Government entities maintain a lot of data, databases, and services needed for everyday life. In terms of data many local and state governments have individual social security numbers, driver's license information, health information, tax documents and much more in their database. Government networks also have access to larger databases and systems. For example emergency services databases, election systems, transportation, banking, and all city/state run utilities like water, electric, natural gas and more.
With all of this data being held within one entity it shouldn’t come as a shock that hackers would want to find a way into their networks. But in reality many of the individuals who should be thinking about this and trying to beef up security don’t want to deal with the situation.
What happens when cybersecurity is ignored?
In August of 2011 we got a real look at what happens when Cybercrime Hits Small Towns. A group going by the name “Anonymous” found it’s way into 70 law enforcement computer systems. “Anonymous” then proceeded to “deface websites” and expose a large amount of data that put not only personal data into the world, but police officers and citizens into physical danger as well. In this instance the hackers went after small offices and entities that cannot generally afford the type of cybersecurity measures needed when dealing with that level of sensitive information. So what would have happened if the hackers decided to go after a larger government entity? In August of 2016 and February of this year we got that answer.
In August of 2016 the Illinois election system was hacked resulting in the information of 200,000 voters being compromised. The hack is believed to have started in June and continued for about a month after. The hackers may have gained access to “driver's license numbers and the last four digits of social security numbers for voters who registered to vote online.”
In another more recent case ransomware completely shut down the offices of Licking County, Ohio, including the network for the entire police force. Licking County has a population of 166,000 people leaving a lot of individuals’ data vulnerable and citizens without emergency help. In this case it took days to get everything back up and running. Just another instance of the dangers of being without proper IT Security and a well thought out backup plan.
What does the data say?
There have been a lot of studies done on IT spending in all sectors and industries and throughout them all it’s pretty common to see that government entities budget the least for proper information technology and security.
According to the SANS Institute InfoSec Reading Room’s report on IT Security Spending Trends from 2014 - 2015 the median IT Security budget allocation for government entities was 4-6% of the budget. This rose only slightly in 2016 to 7-9%. Worldwide IT spending also fell in the government sector from around $445 million in 2014 to around $420 million in 2015. As a country that is increasingly more concerned and affected by data breaches and hackers the drop in spending to protect data is alarming.
The 2016 U.S. Government Cybersecurity Report released by SecurityScorecard also brought forward a couple key, and troubling, findings from the last year.
- From April 2015 to April 2016 there were 35 major and notable data breaches in the government sector.
- Across all industries “government organizations received the lowest security scores.” Some of the lowest scoring entities included NASA, the US Department of State, and IT systems for the states of Connecticut, Pennsylvania, and Washington.
Even with all of this data, and the increased number of discussions on the importance of data protection, it’s reported that “75% of government executives [have] little or no interest in addressing information security risks.”
Looking to the future.
While IT spending is still not where we believe it should be, given its importance, we have to acknowledge that some progress is being made. Although it still has not passed pre-recession levels Government Technology reports that IT Spending at the state level is forecasted to increase for 2017 as a whole. As the age of government officials decreases and the focus on innovation and “Smart Cities” increases people are beginning to see the need for properly managed information technology departments and systems. At the county level things are really looking forward as “counties in the U.S. are expected to spend $22 billion on IT in 2017”, with many counties’ IT budgets exceeding pre-recession levels. This said, they still depend on federal dollars as well, which are not quite where they should be.
What can we do?
As always it’s important to protect yourself online. Create strong passwords, be careful what sites you’re visiting, beware public wifi and stay vigilant to what information you’re putting online.
If this is something you’re worried about, and most of us are, we urge you to get involved and talk to your local officials! Non-exciting things are the first to fall by the wayside in organizations and government entities that are juggling a lot. It’s important to remember though that while IT security might not be the most exciting it is vitally important as we continue to move away from paper files and toward managing our lives online.