Cyber training is key to help underserved communities, report finds

Small local governments, K-12 public school systems and other underserved and under-resourced communities are among the most vulnerable to a cyberattack and are targeted the most frequently.

They may have limited staff and money to spend on cybersecurity, but often have scads of personal information that can be exploited by bad actors. That then can create a headache for their state governments, who must then come in after an attack and get the impacted systems back to normal. And the average cost of a data breach reached $4.8 million this year, which is a figure that cash-strapped communities can ill afford.

A new report from the National Association of State Chief Information Officers is urging state officials to do more to help their underserved communities. NASCIO said examples of those communities include low-income families, rural communities, communities of color, military veterans, people with disabilities, tribal communities and immigrant populations, who are especially vulnerable to cyber threats as they often lack the resources and support needed to defend against cyberattacks effectively.

The report urges those leaders, including CIOs and chief information security officers, to practice what it calls “inclusive security,” which the report says “prioritizes making critical security technologies available to everyone despite their resources, ability and/or demographics.”

One way of doing that, NASCIO says, is for states to intentionally develop and train cybersecurity officials in those underserved communities. That could mean designing training tailored to each agency and can vary depending on that agency’s needs and its employees’ roles. States could also consider developing specialized training, NASCIO said, for those in underserved communities.

“While these officials are typically aware of the unique challenges within their communities, they may be unsure how to address them,” the report says. “Providing targeted solutions and guidance through specialized training can boost local officials’ confidence in their expertise, improving cybersecurity in underserved communities and fostering more trust between state and local officials.”

The NASCIO report also encouraged partnerships with nonprofits and other organizations that serve a state’s underserved communities. Those groups, they said, could help states conduct cybersecurity needs assessments and tailor assistance to those needs; increase the reach of cyber training; and hold town halls and other events to increase cybersecurity awareness, among other ideas.

States could also partner with technology staff and faculty in their K-12 schools, NASCIO said, to build a pipeline of cybersecurity workers and raise awareness of its importance to young people. Several states already have similar initiatives in place, and work with their higher education institutions on cyber ranges to train the next generation of employees. Getting school-aged children invested in cybersecurity can help prevent them from becoming victims of a cyberattack and provide a potential career path, NASCIO said.

Finally, NASCIO’s report urged states to ensure that their digital government services have “user-friendly, inclusive security features,” in a bid to make them more accessible to all. That could include making multifactor authentication more user-friendly for elderly users, and including human-centered design in their cybersecurity strategies so user-facing efforts are easy to use and understand.

Several states are ahead of the curve, NASCIO said. For example, New Hampshire provides cybersecurity training via grants to its municipalities and residents through its Municipal Cyber Defense Program. That effort also provides tailored training to first responders, public-sector IT employees, educators, students, school boards, municipal leaders and elected officials. NASCIO said the state has “fostered stronger relationships with local agencies and maximized the power of received funding to benefit all communities, including those underserved.”

Meanwhile, Idaho has bolstered cybersecurity in its rural areas through Operation Cyber Idaho, which looks to increase cybersecurity education and state and local collaboration by staffing those rural communities with skilled cyber professionals. They come from the same communities they serve, work in state apprenticeships and internships to gain skills, then return home to work full-time. NASCIO said that means developing homegrown talent that is “familiar with Idaho’s specific needs through their personal experience.”

NASCIO praised Indiana, too, for its campaign to have state tech leaders visit localities to build rapport and relationships with local governments, then leverage those relationships to expand cyber safety in the state’s rural communities. Localities can then share their successes and best practices with others. NASCIO said this initiative is especially useful where state leaders have influence, but not statutory authority, over their local governments.

As states work to implement whole-of-state cybersecurity strategies, which rely on cooperation and information sharing between the various levels of government, making sure that underserved communities are a part of the discussion is key, NASCIO said.

“Adopting inclusive security practices can benefit underserved communities and entire populations, ensuring that all technology users are protected online,” the report says. “Understanding demographic trends in cyberattacks and fostering collaboration among cybersecurity professionals and underserved communities is the next step on the cybersecurity frontier.”