Study provides insight into cybersecurity priorities among city and county leaders
What do SolarWinds, Colonial Pipeline and Kaseya have in common? Once obscure to the public, each of these companies was at one point or another in the last year thrust into the national spotlight following a cybersecurity breach.
About $350 million in ransom was paid to malicious cyber actors in 2020, representing a more than 300 percent increase over the previous year, according to data from the Department of Homeland Security. Besides the notable cyberattacks that have made headlines this year, the federal department says there have been many other attacks on small businesses that have gone unnoticed, making up around 75 percent of all ransomware cases.
With every attack that’s reported, it becomes clearer that city administrators must take cyberthreats seriously. A new study commissioned by IBM of local, state and federal information technology decision makers provides insight into the state of America’s IT infrastructure in the government sector.
Of the more than 500 participants in the study, Government Index for IT Modernization, which was released Thursday, nearly 70 percent said they viewed security risks “as the top barrier when migrating to modern cloud platforms.” Further, in planning for the next fiscal year, IT managers anticipate spending the most on cybersecurity.
“While a majority of government IT decision makers think their agency’s technology is very or somewhat prepared for each security threat, a quarter think their agency is not very or not at all prepared for insider threats (25 percent), SIM swapping, or Post Quantum security threats (24 percent),” says the report, which was put together by Morning Consult.
The findings aren’t unique to IBM’s report. Elsewhere, in the Public Technology Institute’s 2021 State of City and County IT National Survey, 88 percent of those surveyed reported increasing cybersecurity measures as a top priority for the next two years.
And earlier this year, security concerns prompted President Joe Biden to issue an executive order that, among other things, requires federal government entities to implement stronger cybersecurity measures and encrypt all data. It also establishes baseline security standards for software that’s sold to the government from the private sector.
“The U.S. federal market is facing a massive transformation to its cybersecurity strategy, which requires a great deal of technological modernization,” said Howard Boville, head of IBM’s cloud platform. “Enterprise technology providers are stewards of massive volumes of personal data, and we need to do our utmost to protect this data.”
As threats increase, governmental entities are pivoting to meet the challenge. On Wednesday, for example, the U.S. Department of Homeland Security and the U.S. Department of Justice, with other federal partners, launched a new website to combat the threat of ransomware called StopRansomware.gov. It’s intended to be a one-stop space for information on ransomware to help private and public organizations mitigate their ransomware risk.
“As ransomware attacks continue to rise around the world, businesses and other organizations must prioritize their cybersecurity,” said Deputy Secretary of Homeland Security Alejandro Mayorkas. “Cyber criminals have targeted critical infrastructure, small businesses, hospitals, police departments, schools and more. These attacks directly impact Americans’ daily lives and the security of our nation. I urge every organization across our country to use this new resource to learn how to protect themselves from ransomware and reduce their cybersecurity risk.”
To pay for the increased security measures and new initiatives, IT budgets are also expanding. Since 2017, federal spending on cybersecurity has increased fairly steadily from $13.1 billion to this year’s allotment of about $18.7 billion, according to Statista.
IT spending is up at the local level, too: “Responding government IT decision makers for all levels of government anticipate agencies will spend the most on cybersecurity in planning for FY22,” IBM’s report says. “More than 75 percent of respondents in the study cited migrating and managing data from legacy systems to the cloud as a challenge for their current or former agency, with security cited as the top barrier but also as a main driver (in budgetary increases).”
Likewise, the city and county executives who responded to the Public Technology Institute’s study said they expected their IT spending to rebound this year, with 49 percent anticipating that their IT budgets will increase 1 to 4 percent over pre-pandemic numbers. The study notes that this monetary “relief should lift significant pressure from operational expenditures such as IT and reduce COVID-related drag on progress toward capabilities targets in key domains such as cybersecurity, cloud enablement, and other components of the managed services infrastructure.”
The Public Technology Institute’s study found that administrators, working within budgets, list the following as their highest cybersecurity priorities: training for general staff; modernizing defenses; creating a security mindset; adopting national cybersecurity frameworks; training IT staff; and developing incident response plans, among other priorities.
In coming months and years, as city and county officials engage more with cybersecurity, increased security measures will allow them to “shift some emphasis toward looking ahead to see where employing ‘next-gen’ solutions such as artificial intelligence, machine learning and blockchain will prove most useful in the enterprise. Also, the communications transition to 5G will raise a new wave of security concerns.”