SecurityFirst featured on CPOMagazine: https://www.cpomagazine.com/2018/07/11/u-s-local-governments-should-increase-cybersecurity-spending-before-its-too-late/
Given the recent wave of ransomware and other cyberattacks across the United States, it’s perhaps not surprising that a growing number of Americans now feel that state and local governments should be doing more to protect data and invest in comprehensive new cybersecurity measures. That’s the big takeaway from a new SecurityFirst/YouGov survey, which polled over 1,000 Americans to get insights into how they feel about cybersecurity spending at the local government level.
When asked directly about cybersecurity spending, a staggering 71% of Americans said that state and local governments should spend more money before the next big attack occurs. Moreover, a clear majority (74%) also said that politicians need to take protection of personal data more seriously. For state and local governments, the message should be clear: they need to be doing more to protect communities from the very real risk of a cyberattack. In most cases, that means boosting their cybersecurity spending.
Findings of a new nationwide poll from SecurityFirst on cybersecurity
The poll, which was carried out by YouGov in mid-June, also found that Americans are finally starting to wake up to the potential negative, long-term impact of such an attack. While people are well aware of the potential financial costs of such an attack, what’s particularly striking now is that people are finally starting to consider the actual day-to-day reality of what such an attack might look like if hackers really did decide to go after a municipal government.
For example, 64% of those surveyed said that such a ransomware or cyber attack could have a long-term, negative impact on the community. A majority (60%) of respondents were particularly concerned about the impact on critical services provided by local governments, include those related to first responders, municipal utilities, local courts and public schools. What happens, for example, if you try to dial 911 in the case of an emergency, and nobody answers the phone because hackers have taken down the system? What happens if years of public records (such as tax records) are suddenly erased forever? And what happens if someone takes down the electrical grid?
Just a year ago, this data security scenario might have been just the plotline of a science fiction movie. But today, it is a reality. SecurityFirst points to the example of the city of Atlanta, which suffered a massive cyberattack in March 2018. The cost of the attack is now conservatively estimated to be close to $10 million. Moreover, the cyberattack erased years of sensitive data and knocked out critical services for hours. And Atlanta is not alone in terms of local governments that have been impacted by malicious attacks. The city of Baltimore recently had its 911 and 311 emergency service lines thrown offline for 17 hours.
Steps to make cybersecurity spending a priority with local governments
The good news is that some state and local governments have begun to take steps to take cybersecurity spending and data privacy more seriously. In 2010, Colorado became the first state in the nation to appoint a statewide Chief Data Officer. And, since that time, 18 other states have followed the lead of Colorado, appointing their own Chief Data Officer. At the very least, it means that top-level officials are taking the “public cloud” more seriously.
In addition, 38 of 50 states have signed a pledge from the National Governors Association to allocate more resources to cybersecurity. And the National Association of State CIOs made security and risk management its No. 1 issue for 2018. So, clearly, there has been some serious thinking at the state level about how to protect digital assets, including sensitive data. In nearly all cases, it will require more cybersecurity spending to protect critical IT assets.
Taking a macro-level view, it’s also important to consider the impact of the General Data Protection Regulation (GDPR) in Europe, which is already causing companies and government agencies to reassess security budgets, as well as the security products and services they are using. The GDPR has already resulted in a surge in worldwide spending as companies look to reduce the incidence of data breaches.
Data loss prevention is a big new buzzword in tech circles, and data security is one of the fastest growing sectors within the IT world. The amount spent on IT security is expected to grow in 2018, and new security strategies based around automated security tools are starting to make a splash with cash-strapped corporations and agencies. Security outsourcing, too, promises a way around the cybersecurity spending issue.
Making cybersecurity part of the political zeitgeist
So why hasn’t the cybersecurity spending issue generated a sense of urgency with local governments? One big reason, suggests SecurityFirst, is that people are not always aware of the risk and threat level posed by a lack of cybersecurity spending. For example, only 25% of Americans polled in the YouGov survey said they were aware of the Atlanta ransomware attack. Most Americans assume that hackers and data thieves are going after big corporations – like Equifax or Target – and not after smaller, municipal and local governments.
Moreover, you have to look at things from the perspective of politicians now in office. If their constituents are not making a big deal about cybersecurity spending, why should they make it a centerpiece of their political agenda? After all, just over 12% of Americans said that “IT modernization” (which includes beefed up cyber defenses) should be a major priority of local governments. Instead, they expect local governments to focus on issues like affordable housing, good public education and improved roads and less traffic congestion.
Jim Varner, CEO of SecurityFirst, commented on the need for cybersecurity to become a more central topic of debate in local communities: “Cybersecurity has certainly not been top of mind. But when confronted with specifics on cyberattacks such as ransomware impacting emergency services, utilities, schools or privacy, 71% of the responders said spending on cybersecurity is a good use of public funds and a majority felt the need to invest in data protection, especially knowing it could reduce spending in other areas or include the likelihood of a tax increase. The survey shows that data protection investments matter when related to community services, even reaching as far as the voting booth.”
For political leaders willing to embrace cybersecurity, there is now evidence to suggest that the American people will support them. Nearly half (46%) of those surveyed said that they would be OK with local governments allocating more resources to cybersecurity spending. And 59% suggested that they would support a politician who makes data privacy and data protection a key campaign issue.
Certainly, something needs to change fast before there is another Atlanta-style cyberattack. Right now, just one-third of Americans have faith that local leaders and local governments are up to the task of protecting critical IT resources and sensitive data. That suggests that there is very much more that needs to be done to protect local governments from cyber attacks in the future.