State and local security adjusting to shifting cyber threats, insurance requirements


COMMENTARY | Ransomware and other threats are making cyber insurance—and the stronger security needed to qualify for it—imperative for government organizations.

State and local governments are under the radar no more. Although security has always been taken seriously, many governments didn’t consider going as far as taking out cybersecurity insurance because they didn’t feel they were lucrative enough targets to attract the persistent attention of cyber threat actors.

But any added sense of security from being perceived as relatively inconsequential targets is quickly eroding. The attacks this summer on the City of Columbus, Ohio, and the New Mexico public defender’s office were notable on their own, but they also continued a trend. Malware attacks and ransomware incidents targeting state and local governments increased by 148% and 51%, respectively, from 2022 to 2023, and show no signs of slowing down.

At the state level, CISOs are facing this increasingly pernicious threat, with nearly 40% of them saying they don’t have the IT budgets or resources to protect systems that are heavy with legacy equipment, according to a report released Sept. 30 by Deloitte and the National Association of State Chief Information Officers (NASCIO).

Suddenly, cyber insurance is on the table for state and local government IT leaders, who have been reaching out for information on what’s involved in acquiring insurance and seeking advice on what they need to do to qualify.

State and Local Governments in the Crosshairs

Cyberattacks on state and local governments have become both more frequent and more profitable for threat actors. The average cost of a ransomware attack on state and local governments so far this year is $2.83 million, more than double the $1.21 million average in 2023, according to Sophos’ State of Ransomware in State and Local Government 2024 report.

The insurance industry has subsequently taken a more hardline stance on cyber insurance. For state and local governments, premiums doubled and, in some cases, tripled in 2022, putting the costs of insurance premiums out of reach for many organizations.

In addition to becoming more expensive, cyber insurance is also harder to get. Insurance providers increasingly demand that organizations meet a minimum set of security standards to qualify for coverage. An organization that doesn’t make use of multi-factor authentication (MFA) or offline backup storage, for example, is considered uninsurable. The larger the organization, the more stringent the requirements are likely to be.

Conversely, the better your organization’s security posture, the more likely you are to qualify for affordable premiums. Government organizations, while working within their budgets, can secure coverage and hold down premium costs by implementing both basic and advanced security measures.

Essential Controls to Meet Minimum Requirements

Multi-Factor Authentication. Implement MFA for all remote access to the network and for anyone with a privileged account. Using more than one factor (a password plus fingerprint, token or security question) has proven extremely effective in reducing credential compromises, which are a primary means of gaining access for attackers.

Offline or Cloud Backups. A critical feature of any cybersecurity framework these days is resilience: the ability to recover from an attack as quickly as possible. Maintaining backups of critical data and applications either offline or in the cloud—in either case separate from the main network—can not only ensure faster recovery, but give an organization the wherewithal to refuse to make ransom payments. Be sure to make backups regularly and test recovery procedures.

Endpoint Detection and Response. EDR provides continuous monitoring, advanced threat detection and automated response across all endpoints, from desktops, laptops and mobile devices to servers, security systems and Internet of Things devices such as cameras. It can help organizations detect threats early and investigate the threat lifecycle. EDR is especially important with a mobile workforce.

Important Security Controls for Enhanced Protection

Patch and Vulnerability Management. After exploiting compromised credentials, the next most common way ransomware attackers gain entry is via known vulnerabilities that have gone unpatched. Organizations need to implement a robust patch management system, whether through automation or other means, to keep systems and applications updated and to remediate high-risk vulnerabilities as quickly as possible.

Privileged Access Management (PAM). A subset of Identity and Access Management (IAM), PAM focuses on monitoring and controlling highly privileged identities, whose ability to move freely about the network and access sensitive data and systems makes them a prime target for compromise. A PAM solution can enforce zero trust principles, such as least privilege, continuous verification and MFA to prevent the internal spread of an intrusion.

Email Filtering and Web Security. Use security tools to monitor incoming and outgoing email and web traffic. The right tools can block phishing attempts, malware and suspicious links to inappropriate websites.

Additional Measures to Strengthen Cyber Resilience

Logging and Monitoring. Logging network activities and events is essential both to understanding how systems are being used and to investigating incidents. Continuous monitoring of logging data, all managed by a security operations center (SOC), can help detect threats, initiate responses and support recovery.

End-of-Life (EOL) Systems Replacement or Protection. EOL systems are full of vulnerabilities and should be replaced whenever possible or bolstered with enhanced security measures.

Cyber Incident Response Planning and Testing. When an incident happens, you need to have faith in your response. Careful planning and implementation, especially when coupled with regular testing, ensures timely and effective incident response.

Network Hardening. Techniques such as proper firewall configurations, encryption, patch management, removing unnecessary software and disabling unused protocols are all important to reducing the attack surface. Particular attention should be paid to Remote Desktop Protocol (RDP), which allows remote users to execute functions on other computers. RDP must be secured or, in some cases, disabled because of its vulnerabilities.

Proactive Cybersecurity for a Secure Future

State and local governments must adopt a proactive approach to cybersecurity, both to mitigate increasingly active threats and to improve their eligibility for cyber insurance coverage. Implementing robust security controls and practices will improve their security postures and resiliency, ensuring the continuity of essential public services.

Paul Underwood is a seasoned security professional with over 30 years of experience working with Fortune 500 clients on solving complex security problems. Paul’s extensive background includes encryption, PKI, penetration testing, security operations and incident response.
