People Want Their State And Local Governments to Pay More Attention to Cybersecurity

SecurityFirst featured on StateScoop:

Few Americans name cybersecurity as one of the top issues their local officials should be focused on, but when they do, they’re extremely concerned, according to a poll published this week by the data protection firm Security First Corp.

Only 12.3 percent of people said information technology modernization — a broad category that includes cybersecurity — ranks among the three most important issues facing their communities, according to the survey. That figure places cybersecurity well behind more analog issues like traffic, affordable housing and education, a political reality that caught the city of Atlanta off-guard when it was crippled by a ransomware attack earlier this year.

But when asked about cybersecurity directly, 71 percent said their state and local governments should spend more on preventative measures, while 74 percent said officials should also take steps to protect their constituents’ personal data.

Security First commissioned YouGov to conduct the survey between June 13-14 and questioned 1,113 adults across the United States.

The majorities that said local government should do more about cybersecurity also appear to have not needed the prodding of high-profile cyberattacks. Only one-quarter of people who answered Security First’s poll said they were familiar with the March ransomware attack that crippled the Atlanta government.

But people are “absolutely becoming more aware” of cyberthreats, said Security First’s chief executive, Jim Varner. Most of the education, however, comes through news of data breaches at large corporations like Equifax and Target.

“What if your state or local government gets hit and you can’t dial 911?” Varner said. “‘Wow,’ they say. ‘I don’t think that’s ever happened.’”

Meanwhile, 60 percent of those questioned said they are at least somewhat concerned about a cyberattack crippling their local government’s ability to provide essential services like police, fire and utilities, and 64 percent said a cyberattack against their town or city could cause a lasting, negative impact on the community beyond any financial penalty.

Only 33 percent of people said they believe that their local leaders are prepared to protect their data — including tax information — from a variety of cyberattacks; 43 percent said they either don’t believe their community is ready or aren’t sure. And 52 percent of respondents said they believe they would be personally affected if hackers successfully attacked their hometowns.

Some government IT officials are taking closer looks at cybersecurity. Thirty-eight states last year signed on to a National Governors Association-led compact pledging more resources. The National Association of State Chief Information Officers also named security and risk management as the number-one item its members should address on its list of top ten policy priorities for 2018.

More governments, Varner said, should also consider hiring dedicated chief data officers, a trend that started in the private sector in the early 2000s but has crossed over to a handful of states and large cities in the last few years. Colorado became the first to hire a statewide chief data officer in 2010, and last week Virginia became the 19th to announce it will create the position.

Learning that those threats exist against government, though, has prompted people to expect their officials to devote more resources toward cybersecurity, Varner said. But states’ responses to that shift has been a “mixed bag at this point,” he said.

Varner pointed to a few states that are moving more quickly, particularly California, which is on the cusp of either adopting comprehensive online-privacy legislation or putting a similar measure on the general-election ballot in November. He also said data-focused cybersecurity approaches are becoming more widespread, and will eventually become mandatory, if not legally required.

But in other parts of the country, Varner said cybersecurity remains a low priority for government.

“Unfortunately it takes things like an Equifax breach to get people to wake up,” he said.

That’s been the experience for Atlanta, which has already spent more than $5 million rebuilding systems affected by the March ransomware attack, and plans to spend at least another $9.5 million to recover from an incident that affected city functions ranging from online water bill payments to police dashboard camera footage. Cybersecurity was not one of Mayor Keisha Lance Bottoms’s priorities because, by her own admission, it never came up while she was running for the office last year.

“Over the course of our campaign, we had had at least 100 forums, and we had talked about every single thing I thought there was to talk about, and cybersecurity was not a topic of conversation,” Bottoms said in May.

And as the Atlanta ransomware incident has receded from daily attention, Varner said he’s not sure other governments are taking steps to make sure they’re not the next high-profile victim.

“I think [Atlanta] did the bare minimum to get back online and I think they’re just as vulnerable now as they were before,” he said. “I’m not sure other states are paying attention.”

But they should start, according to the poll. Fifty-nine percent of respondents said they would be more likely to support candidates who make protecting people’s personal data a priority.

“When we actually asked people those specific questions, they really did get it,” Varner said. “The point is not lost completely, but it’s figuring out how governments can take that next step without having had a breach and how they can be proactive.”