Government Cyber Security Policy Implications on Smaller Agencies

Posted on 24th December 2021

---

The large-scale cyber breaches of the past few years have brought to light the vulnerabilities of government networks. While federal agencies are working hard to address these threats, smaller agencies are often not as well equipped to deal with threats.

With the recent threat of cyber security breaches, it is imperative that the government provides adequate protection to its smaller agencies. The Department of Homeland Security has taken steps to protect all agencies with a federal network only. This is not enough, however, as smaller agencies are not adequately equipped to meet these challenges with limited budgets and resources.

This blog post will explore how small agencies can better protect themselves against cyber threats by taking advantage of free resources that are available to them.

How cyber threats affect smaller government agencies

Cyber security threats are present in all sectors and to any organization regardless of size, complexity, or function. In recent statistics from the National League of Cities, there are approximately 39,000 small government entities across the U.S., including municipal, county, and township entities.

State, local, and Tribal governments (SLTGs) are a common and lucrative target of cybercriminals, particularly in the use of ransomware. A cybersecurity report from BlueVoyant showed that SLTGs saw a 50% increase in ransomware and other cyber-attacks between 2017 to 2021.

Small government entities are under attack daily, including employees. They have a significantly lower cyber-risk profile than their large counterparts and so their security needs are limited. With some of the same risks of infiltration as larger organizations, small government entities often lag behind on the response when an attack occurs.

SLTGs may be hit by malicious phishing emails, user-generated content with malicious backdoors, ransomware, botnets, or more. A common form of attack is spear phishing, where an employee receives an email from a legitimate contact (that they know), and clicks on a link or attachment in the email. This malware will be attached to the email and can then install backdoors in the organization’s networks.

Each agency is vulnerable to cyber threats and cyber attacks, as there are often gaps in data protection and government network security protocols that can be exploited.

How do smaller agencies overcome protection challenges?

Unlike larger organizations, smaller agencies often have fewer resources. They don’t have the budget to hire security professionals and maintain effective data protection protocols.

These agencies may not have the required infrastructure to manage such cybersecurity measures. This problem is compounded by the fact that many small agencies are trying to catch up with increased competition.

Since most small agencies don’t have the budget to hire a dedicated cyber security team, cyber security responsibilities are often delegated to an IT department that does not always have adequate resources to protect an agency.

Smaller agencies can effectively mitigate threats by embracing greater collaboration and sharing cyber threat information across the agency.

How smaller agencies can better protect themselves against cyber threats

When small agencies employ effective cyber security practices, they can protect their assets and systems from cyber threats.

From a security perspective, small agencies can do a few things to improve their ability to protect their data:

– Establish appropriate access control protocols to track who is accessing an agency’s network. This allows for an organization to identify the individuals who may be at risk if their systems are compromised.
– Create a policy that enforces strong passwords and utilizes multi-factor authentication (MFA). This is a very effective tool for guarding against phishing attacks, where attackers pose as a contact that a person trusts. This can often be detected when a hacker uses a password that isn’t part of their first name, or hasn’t been used previously.
– Provide comprehensive training on how to use MFA. This ensures that everyone understands how to use the technology to log in to agency systems.
– Develop and implement an incident response plan, and ensure that it is regularly updated. This plan will help a small agency quickly identify and handle any potential threats to its data and systems. While any security process can be improved, some companies are more secure than others.

Additional Resources

The National Institute of Standards and Technology (NIST), and the Cybersecurity and Infrastructure Security Agency (CISA) both have valuable resources and frameworks available which discuss cybersecurity strategies from both a national and small entity perspective:
– https://www.nist.gov/cyberframework
– https://www.nist.gov/cyberframework/state-local-tribal-and-territorial-perspectives
– https://www.cisa.gov/sites/default/files/publications/_PDM19041_CRMToolkit-1pgrv1_25NOV2019.pdf