Cybersecurity in State and Local Government: The Struggle is Real, But So is the Fight

 

March 11, 2024

State and local governments have long been prime targets for cyber crime. That’s more the case now than ever before.

Cyberattacks against state and local governments in the U.S. were especially numerous in 2023. According to a recent report by Sophos, ransomware led the pack with an 11% increase year-over-year— from 58% to 69%. Attacks against the cities of Dallas, TX and Oakland, Calif. were especially prominent in the news.

And they’re all after two things: sensitive information or money—or both.

They’re also growing more sophisticated by the day.

Even so, says Mindsight Cybersecurity Leader and Solutions Architect Mishaal Khan, too many state and local government leaders aren’t making cybersecurity the priority it should be. And if they don’t have in-house IT professionals to guide them through the why and how their cybersecurity investment will pay off, it never gets to the top of a very long list.

No thanks to tight budgets, experts being enticed by private sector salaries, and too-frequent miscommunication between knowledgeable government IT professionals and key decision-makers who control the purse strings, cybersecurity isn’t nearly where it should be.

“The goal becomes how to make cybersecurity a priority, because the lack of it affects the business and all other priorities,” says Khan, who regularly works with state and local government entities in his capacity as a vCISO. “When you get hacked, everything stops and you have to deal with it.”

But there’s cause for optimism, he adds. The challenge around cyber talent and budgets can be addressed with the help of MSPs (managed service providers), “we’re empowering them” to safeguard their networks—and in turn protect their reputations and the citizens who rely on their services. “And once they get empowered and see results, they understand the significance of leading by example.”

Challenges in Security

One of the biggest hurdles for state and local government entities is budget, Khan says. Oftentimes, IT is not partnering with the right leaders in the organization and not articulating value to get investments approved. The conversation instead is about cost. That’s a set-up for failure. Show leadership how cybersecurity investment delivers value – protects a community’s reputation, makes for a safer community, and avoids disruption in services that can cause cashflow issues. City managers, superintendents, boards must understand the value of investing in cyber, which really boils down to protecting citizens they service, their personal data, and the services they receive and rely on.

“Once decision makers are sold on the value,” Khan explains, “the budget will come. That’s why it’s so important to effectively articulate the “why, what, and how.” My job is to be that liaison between solutions and the local government implementing those solutions,” he says of himself and his fellow cyber experts. “To help articulate the value, make sure the right solutions are implemented, business cases are properly positioned, and coinciding budgets developed.”

As relates to costs, there are various grants that provide money for cybersecurity. Companies like Microsoft and Google both offer free cyber services for schools. But you have to be in the know—or work closely with someone who’s in the know—to know what support is available.

Khan also points out that technological “skeletons” often prevent governments from doing what needs to be done. Maybe they’re running archaic software, he says, and don’t want to “open up Pandora’s box” by doing an overhaul—no matter how much it’s needed.

“But we’re all in this together,” he says. “Let’s focus on the bigger picture. Everyone has skeletons, and we’ll deal with them. This is a long-term process that requires strategic insight.” He is seeing improvement.

“I’m currently the vCISO of two different school districts, and things are happening. There are certain individuals in local governments that do believe in technology and change – and are partnering with their superintendents and boards to effectively articulate the value of a cybersecurity strategy and are getting investments approved. Approved with ease! They take every opportunity to advocate for change. So change is happening, maybe not as quickly as these attacks are occurring. That’s why governments continue to be targets. That’s why the struggle is real – but so is the fight!”

Overcoming Challenges

Understand who your buying audience is. Lead with value, not cost, in your discussions. Don’t be afraid of change – in fact, be a champion for change. And ask for help. Cybersecurity experts deal with various scenarios within government entities every day and can provide the guidance you may need to achieve your cybersecurity plan.

Mindsight provides Enterprise Managed IT Services for the Mid-Market. Our expert-only engineers and solution architects work across industries, from government to manufacturing, education to financial services – just to name a few. For 20 years, we’ve partnered with global brands to help reduce costs and risk, provide expertise across technologies, and optimize environments so clients can focus on growing their businesses.

About Mindsight

Mindsight, a Chicagoland IT services provider, is an extension of your team.  Located in Downers Grove, IL we proudly serve customers across the area including Naperville, Oak Brook, Northbrook, and surrounding counties (Cook, Lake, Dupage, Will, Kane, and Grundy). Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.

About the Expert

Mishaal Khan is a subject matter expert in cybersecurity, pentesting, privacy, Open-Source Intelligence, and social engineering. He is a frequent speaker on these topics at universities and popular cybersecurity conferences like DEFCON, Wild West Hacking Fest, and multiple BSides events. Mishaal has worked with multinational companies for over 20 years, securing their networks and providing executive-level consultancy to manage risk and avoid breaches. He’s an author, holds a CCIE and CEH, and runs the cybersecurity practice at Mindsight as a vCISO. Visit Mishaal’s LinkedIn page.





Related Articles

View All Blog Posts