Risk Assessments for Local Governments

Why Local Governments and Municipal Authorities Must Conduct Cybersecurity Risk Assessments

September 2022 – Suffolk County’s daily operations were interrupted due to a cyberattack. The cause of the attack is still being investigated although it is suspected to be ransomware. From police departments to traffic courts, city systems got shut down to mitigate this attack.

January 2022 – South Florida city Pembroke Pines was the victim of a ransomware attack. This caused some of the city’s systems to go into lockdown for a few hours. It is unknown whether any data or information was stolen.

May 2021 – The Washington D.C. Metropolitan Police Department was hit by a ransomware attack from the Babuk crew. The attackers captured 250GB of data containing a wide range of sensitive information: personal data of police personnel and informants, and even a “gang database”. The threat actors demanded $4 million in ransom.

April 2019 – Augusta, Maine; Imperial County, California; and Stuart, Florida were all victims of cyberattacks. In Augusta’s incident, no data was taken. However, a computer virus was discovered which froze the city’s network and spread to other devices, making them inaccessible. Imperial County and Stuart were infected with Ryuk ransomware. Both of these attacks resulted in significant operational downtime.

These are just a few examples of hundreds of local governments and municipal authorities falling victim to a cyberattack. In this article, we will review current cybersecurity trends in this sector and the role of cybersecurity risk assessment.

Current cybersecurity trends in local governments

Local governments and the critical infrastructure they support have experienced a 50% rise in cybercrime since 2017. There are several reasons for this. For starters, these entities deal with large amounts of sensitive, confidential, and private data. Moreover, most haven’t made cybersecurity a priority yet: they run legacy systems, are often unaware of their cyber risks and vulnerabilities, and lack the budget for a qualified IT department, to name a few reasons.

2020 brought the pandemic, and with it, the overnight switch to remote working. Of course, local governments that were already working with limited cybersecurity tools struggled to keep cyberattacks at bay. The adoption of digitalization tools like IoT further extended the “attack surface”. Government entities in Florida, North Carolina, Texas, and other states have enacted legislation to deal with ransom demands, as well as the mitigation and legal liabilities that come with these cyberattacks. However, local government organizations still need to prioritize their defensive capabilities.

How a cybersecurity risk assessment can help local governments reduce costs

Local governments and their entities will always be alluring targets for cyberattackers due to the sensitive and private nature of the data they are in possession of as well as the crucial role they play in the daily operations of citizens. A cybersecurity risk assessment is about minimizing the chances of cyberattackers’ success. The assessment identifies risks, categorizes them based on their threat level, and breaks down the fallout of a potential attack. It also allows organizations to improve their compliance with relevant regulations and eliminate unwanted or obsolete protocols.

By minimizing the risk of a cyberattack succeeding, local government organizations will save hundreds of thousands – if not millions – of dollars in cyberattack recovery.

What a cybersecurity risk assessment entails

Cybersecurity risk assessments are performed by an outside party – a reliable cybersecurity firm like Gamma Defense. The level of assessment can be customized. Here are the basic steps of the process that you can expect:

  • First off, prepare. Create a list of the assets that need to be evaluated and prioritize them. Gather asset details like hardware, software, interfaces, end users, IT framework, security controls, physical security, etc. Determine each asset’s function, monetary value, and legal standing within the organization. Based on this categorization, you can classify assets as major or minor.
  • Secondly, create a risk framework. Identify possible cybersecurity gaps, loopholes, and errors that could pose a potential threat. Similarly, go over previous cybersecurity incidents, if any. Try to identify any patterns, entry points, or sources that have been used repeatedly to infect your organization. Moreover, look into the physical security of your organization.
  • Next up is assessment time. All the material you have gathered and compiled will now be thoroughly investigated. The cybersecurity firm will consider different risk categories, including regulatory compliance, third-party relationships and risks, and internal threats. Every category will be assessed on the probability and impact of a possible attack, along with a thorough explanation and grading.
  • Now that you know where your organization’s strengths and limitations lie, appropriate solutions and controls can be proposed. Based on the identified risks, protocols are put in place to ensure that these risks are mitigated and reduced in a structured way. This will also allow you to develop an efficient cybersecurity incident response plan.
  • Once changes are made, you must continuously monitor them. New implementations and controls must be regularly reviewed to see if any modifications are required.
  • Finally, maintain suitable documentation of cybersecurity risk assessments. Record all important details about the risk, vulnerabilities, value, and solutions for each asset. This also helps risk assessors quickly run through your organization’s history and evaluate with higher efficiency.
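To make the asset classification, probability-and-impact grading, prioritization, and documentation steps above concrete, here is a small risk register in Python. It is an added example written for this article and is not Gamma Defense’s assessment method or tooling; the five-point scales, rating thresholds, review intervals, the “major asset” rule, and every asset, threat, and dollar value are assumptions or constructed sample data.

```python
"""Minimal risk register for a municipal cybersecurity risk assessment.

Added illustration only: asset classification (major/minor), qualitative
likelihood x impact scoring, prioritisation of risks for treatment, and a
documented register with review dates. All scales, thresholds, assets and
threats below are assumptions / constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Five-point qualitative scales; the values and thresholds are assumptions.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
CRITICAL_FUNCTIONS = {"public safety", "emergency dispatch", "water/utilities"}
# Monitoring step: how soon each rating must be re-reviewed (assumed intervals).
REVIEW_INTERVAL_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}


@dataclass(frozen=True)
class Asset:
    name: str
    function: str        # business function the asset supports
    value_usd: int       # monetary / replacement value
    legal_standing: str  # regulated data it holds: "CJIS", "PCI", "PII", or "none"


@dataclass
class Risk:
    asset: Asset
    threat: str
    category: str    # regulatory, third party, internal, external
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT
    treatment: str   # proposed control / protocol

    def score(self) -> int:
        """Probability x impact grading on the 1..25 scale."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        s = self.score()
        if s >= 15:
            return "critical"
        if s >= 8:
            return "high"
        if s >= 4:
            return "medium"
        return "low"

    def review_due(self, assessed_on: date) -> date:
        return assessed_on + timedelta(days=REVIEW_INTERVAL_DAYS[self.rating()])


def classify_asset(asset: Asset) -> str:
    """Major if it holds regulated data, is high value, or supports a critical function."""
    if (asset.legal_standing != "none"
            or asset.value_usd >= 250_000
            or asset.function in CRITICAL_FUNCTIONS):
        return "major"
    return "minor"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties favour major assets, then sort by asset name."""
    return sorted(risks, key=lambda r: (-r.score(), classify_asset(r.asset) != "major", r.asset.name))


def build_register(risks: list[Risk], assessed_on: date) -> list[dict]:
    """Documentation step: one record per risk, in treatment order."""
    return [
        {
            "asset": r.asset.name,
            "asset_class": classify_asset(r.asset),
            "category": r.category,
            "threat": r.threat,
            "score": r.score(),
            "rating": r.rating(),
            "treatment": r.treatment,
            "review_due": r.review_due(assessed_on).isoformat(),
        }
        for r in prioritize(risks)
    ]


# Constructed sample inventory for a fictional municipality.
RMS = Asset("Police records management system", "public safety", 400_000, "CJIS")
PORTAL = Asset("Traffic court payment portal", "revenue collection", 120_000, "PCI")
MAIL = Asset("Staff email", "administration", 50_000, "PII")
FILESRV = Asset("Legacy department file server", "administration", 15_000, "none")

SAMPLE_RISKS = [
    Risk(RMS, "ransomware via phishing", "internal", "likely", "severe", "offline backups, EDR, MFA"),
    Risk(PORTAL, "vendor breach exposes payment data", "third party", "possible", "major", "vendor attestation, contract clauses"),
    Risk(MAIL, "credential phishing", "internal", "almost certain", "moderate", "MFA, awareness training"),
    Risk(RMS, "audit finding for missing CJIS controls", "regulatory", "possible", "moderate", "gap remediation plan"),
    Risk(FILESRV, "unpatched OS exploited", "external", "likely", "minor", "decommission or patch"),
]


def sample_register() -> list[dict]:
    """Register for the constructed sample, assessed on a fixed (assumed) date."""
    return build_register(SAMPLE_RISKS, date(2022, 10, 1))


if __name__ == "__main__":
    for row in sample_register():
        print(row)
```

Run as a script, it prints the register in treatment order: the records-system ransomware risk (score 20, critical) comes first, ahead of the higher-likelihood but lower-impact email phishing risk (score 15), which is the point of grading on probability and impact together rather than on either alone. The `review_due` column ties the monitoring step to the rating, so the most serious items come back for review soonest.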