Government data security today is dangerously underprioritized. Local leaders often lack the resources, budget, and tech knowledge for effective cybersecurity. This is especially troubling because local governments are the most common target for hackers, making up nearly half of all ransomware attacks, according to security researchers.
To make matters worse, sharing passwords and credentials is commonplace among employees, which puts any organization’s systems at higher risk.
As a leader in a municipal government, how do you tell how vulnerable your systems are, let alone where to start building defenses and contingencies?
It seems counterintuitive that anyone would target a relatively small local government, when there are much larger targets. Unfortunately, the very fact that cyberattacks aren’t expected puts you at greater risk. According to a cybersecurity report from Deloitte, most states only spend 1-2% of their IT budgets on cybersecurity. Meanwhile, private sector businesses (and even federal agencies) are spending 5-20%.
Hackers realize this, which makes you more of a target, regardless of your current security or resources. Stanford CIS warns that local governments are an attractive target for hacks, and are ill-prepared.
There is no single silver bullet that will keep your data safe from hackers, but there are a number of steps you can take to make it more difficult for them to get their hands on your information.
This guide should serve as a primer to get started with basic security practices. However, bear in mind that these basic changes are just the minimum: you should partner with a cybersecurity firm or consultancy for a more comprehensive security update. 3Di does not endorse any specific firm for this, but we do encourage you to take cybersecurity very seriously.
Use strong password practices and two-factor authentication (2FA)
While it’s often common practice to have employees change their passwords regularly, people generally hate having to remember new passwords all the time, and often just reuse old passwords with slight variations — or worse, write their password down in an unsecured location.
Instead, you should implement the following whenever possible:
- Strong password requirements: these days, a strong password should have at least 12 characters, and include a mix of uppercase letters, lowercase letters, numbers, and special characters.
- Different passwords for each account: if a hacker learns a password to a single account, this could mean they immediately have access to all accounts, unless you’re using different passwords.
- Two-factor authentication (2FA): this has become a standard security practice in many industries. 2FA adds an extra layer of security by requiring users to enter a code from their mobile phone in addition to their password when logging into an account. This makes it much harder for hackers to gain access to your accounts even if they have a password.
All three of these tips can be addressed by having a strong password management system (LastPass or 1Password are common ones). A password manager can generate and store secure passwords, and many even offer 2FA services. Some are free for individual use, though team accounts will generally require a small fee.
Keep your software up to date
This should be low-hanging fruit, but many people neglect it: ensuring that all software on your devices is kept up to date.
Hackers often take advantage of known vulnerabilities in your software to gain access to systems, so it’s important to install security updates as soon as they are released. Many systems and applications can be set up to install updates automatically, which can help reduce the risk of employees forgetting.
If you’re using cloud-based software, security updates are regularly applied without having to do anything on your computer. Cloud-based government software platforms like 3Di Engage, for instance, are constantly updated, and run securely on Amazon Web Services (AWS).
If you’re still relying on an old piece of software, however, it may no longer be supported, meaning the developers are no longer releasing security patches. In this case, it may be time to update to a modern software platform.
Use software providers with SOC 2 Type II certification
Not all software vendors are as secure as they would like you to believe. To help companies ensure they’re working with software and IT services providers they can trust, organizations have created certification programs that require those providers to meet a rigorous set of requirements, evaluated by a third-party auditor.
One of the most comprehensive certifications is the SOC 2 Type II certification from the American Institute of Certified Public Accountants (AICPA). It requires an independent audit of the principles of security, availability, confidentiality, and privacy. Organizations that have earned SOC 2 Type II certification have demonstrated their commitment to these principles and have proven that they’re going the extra mile to mitigate cybersecurity risks.
Make sure your software is set up to only store the data it needs
Regardless of how tech-savvy you are, you’re probably aware that data privacy, and excessive data collection in particular, is a huge issue these days. Many software applications and platforms collect far more data from you (and citizens) than they need. This has led to stricter regulation like GDPR in Europe, but the US doesn’t have these federal protections. A few states have introduced their own, including California and Colorado, but responsibility for data privacy still falls largely on users.
Employee training on security practices
Having the best security and sophisticated systems to protect your data is great, but the weakest security point in any system is generally the humans using it. That’s why training is so important.
You should ensure all employees who handle data are properly trained in your data security best practices, such as not sending sensitive information via email.
On this note, employees should also be trained on how to spot a phishing scam, as these are incredibly common. Be sure to provide them with information on how to distinguish a scam from a typical external email, and teach them best practices when unsure, such as not clicking or replying to emails from unfamiliar email addresses.
Security audits and tests
Regular audits and “penetration tests” of your data security practices can help identify potential weaknesses in the system. This usually involves a cybersecurity firm or someone internally testing your systems (and the people working within the organization) to see where you stand.
Consider having your tech team send out internal campaigns disguised as phishing emails. You can track which employees opened the email and clicked the scam links included in it. If most of your employees engaged with the email, chances are you need more security training. If people report it as phishing, you’re probably doing well.
Compliance audits should check against government standards like the cybersecurity framework from the National Institute of Standards and Technology (NIST).
Doing all of this internally, however, is a minimum. While partnering with a cybersecurity team might seem beyond your budget, it’s becoming increasingly necessary for municipalities that want to meet basic security standards.
Use encryption for sensitive data storage
Be sure to keep all hard drives containing sensitive data encrypted. Encryption is a process of transforming readable data into an unreadable format. This makes it much more difficult for hackers to access your information if they were to obtain it, as they would need the key to decrypt the data.
There are different types of encryption. One popular method is “end-to-end” encryption, which means that only the sender and receiver of the information can read it. This type of encryption is often used in messaging apps like WhatsApp and Signal.
Another form of encryption, which is used more on an organizational level, is “disk” or “database” encryption. This encrypts all data stored on a system or in a database, making it unreadable without the decryption key.
If you think of each layer of defense as its own barrier, an encrypted hard drive is the last line of defense. Neglecting this is like locking your gate and setting up your security cameras, but failing to lock your front door.
Implement data recovery processes and tools
In the event a breach does happen, and your data is corrupted, stolen, or access to it is blocked, you need a way to recover it. In other words, you need a failsafe.
Data recovery plans ensure that critical data is not lost in the event of a cyberattack or other disaster. This also helps your agency recover from such an event more quickly and effectively, minimizing the impact of a cyberattack on citizens and other stakeholders.
- Establish a clear plan for what data needs to be recovered in the event of a breach or attack. This plan should be designed with input from all relevant stakeholders, including IT staff, security personnel, and leadership.
- Select the right data recovery tools for your needs. There are many different types of data recovery tools available, so it is important to select ones that are well suited for your particular environment and requirements.
- Make sure that all employees who may need to use the data recovery tools are properly trained on how to do so. This training should cover both technical aspects of using the tool as well as any policies or procedures that need to be followed during a data recovery situation.
- Test the data recovery process regularly to ensure that it works correctly and that all employees know how to use it correctly. Regular testing will help reduce disruptions in service if an actual incident does occur.
Get started immediately
Even if your agency implements cybersecurity policies, simply having policies doesn’t translate to security. Despite tight budgets in state and local governments, there is an increasingly urgent need to prioritize cybersecurity, as government hacks are already common. The longer you wait to act, the more expensive a breach will be.