The article below was, in part, excerpted from the “Is Your Municipality Practicing Modern Governance?” checklist. Download the checklist.
The COVID-19 pandemic has blurred the lines between administration and governance for many organizations. As office shutdowns and “stay at home” orders stretched from days to weeks, and then months, government leaders have been pressed to find new ways to stay connected and informed. Many local governments have been forced to rapidly adapt to remote work and virtual council proceedings.
In the urgency to adapt to a virtual world, local boards and councils are discovering efficiencies that enable them to be better stewards of the communities they serve—and to improve their effectiveness overall. At the same time, some are also identifying information security gaps that expose them to unnecessary risk.
The Risk of Unsecured Systems
Effective boards and councils recognize the risks associated with unsecured document transmission and communication. Non-compliance and the premature (or illegal) disclosure of sensitive information lead to discontent, speculation and public mistrust. Despite those concerns, local officials and administrators regularly rely on email to either communicate or prepare and transmit meeting materials, inviting unnecessary levels of risk. Elected board members are possibly not even aware of the risks or their personal liability.
Local governments are invested in maintaining security because of the high level of sensitive information they store and the number of systems they use to share data with state and federal government programs. Often operating on a shoestring budget, local governments rarely have dedicated cybersecurity experts; they rely on their IT team to ensure security. Compounding the issue, IT frequently does not have the investment it requires, so holes in their security leave local governments vulnerable. These attacks can range from viruses to hackers to phishing.
Ransomware Attacks on Municipalities on the Rise
One of the most prevalent risks currently is ransomware attacks. A ransomware attack can shut down servers, expose data, paralyze 911 centers and interfere with traffic management systems. With their limited resources and aging infrastructures, many cash-strapped municipalities are ripe for attack–and the threat of ransomware attacks on cities, towns, and other public entities increased by more than 65% last year alone. While industry experts discourage paying ransoms for fear of encouraging this type of attack, many cities are left with no option but to pay the ransom to get back up and running. What once was thought to be a big city problem is leaving every local government vulnerable, and it is on the rise.
These attacks often begin with an email—with links or attachments that seem benign but give the hacker access to that single system followed by the network. The recent shift to remote work brought on by the pandemic has more local government officials routinely working from home without access to IT and security patches and updates. Yet local governments are invested in maintaining security due to the high level of sensitive information they store and the number of systems they use to share data with state and federal government programs.
How Can Municipalities Mitigate Cybersecurity Risks?
Cities need to adopt a digital security mindset, with contingency and disaster plans in place. Working closely with other entities, such as utility companies, can help minimize threats. For example, utility grids that are interconnected can quickly cause cascading problems if they are hacked.
Actions local governments can take to protect themselves:
- Municipalities need to develop a plan for cybersecurity. If they already have one, it should be reviewed annually. By now, city administrators are becoming aware that they are a target, but this needs to be discussed with council members.
- Everyone that is involved in agenda creation, delivery or use needs to be updated with training on procedures and protocols that reduce the organization’s overall risk.
- When possible, it’s best to have dedicated hardware that official business can be conducted from. A tablet or laptop that can be updated and fully patched with all security updates easily is a necessity. Only approved applications should be opened with devices belonging to the city.
- Any device with data or applications should have the functionality to be remotely wiped in case of a threat.
- Use a secure, password-protected portal to prepare and host agenda materials and transmit council documents.
The COVID-19 pandemic has presented unprecedented obstacles for local officials. Discover the modern governance framework that provides a path forward for today’s local government councils and administrations. Download the checklist.