State and local security adjusting to shifting cyber threats, insurance requirements
COMMENTARY | Ransomware and other threats are making cyber insurance—and the stronger security needed to qualify for it—imperative for government organizations.
State and local governments are under the radar no more. Although they have always taken security seriously, many did not consider going as far as buying cyber insurance because they did not see themselves as lucrative enough targets to attract the sustained attention of threat actors.
But any added sense of security from being perceived as relatively inconsequential targets is quickly eroding. The attacks this summer on the City of Columbus, Ohio, and the New Mexico public defender’s office were notable on their own, but they also continued a trend. Malware attacks and ransomware incidents targeting state and local governments increased by 148% and 51%, respectively, from 2022 to 2023, and show no signs of slowing down.
At the state level, CISOs are facing this increasingly pernicious threat, with nearly 40% of them saying they don’t have the IT budgets or resources to protect systems that are heavy with legacy equipment, according to a report released Sept. 30 by Deloitte and the National Association of State Chief Information Officers (NASCIO).
Suddenly, cyber insurance is on the table for state and local government IT leaders, who have been reaching out for information on what’s involved in acquiring insurance and seeking advice on what they need to do to qualify.
State and Local Governments in the Crosshairs
Cyberattacks on state and local governments have become both more frequent and more profitable for threat actors. The average cost of a ransomware attack on state and local governments so far this year is $2.83 million, more than double the $1.21 million average in 2023, according to Sophos’ State of Ransomware in State and Local Government 2024 report.
The insurance industry has responded by taking a harder line on cyber coverage. For state and local governments, premiums doubled and in some cases tripled in 2022, putting coverage out of reach for many organizations.
In addition to becoming more expensive, cyber insurance is also harder to get. Providers increasingly require that an organization meet a minimum set of security controls to qualify for coverage. An organization that does not use multi-factor authentication (MFA) or keep offline backups, for example, is likely to be considered uninsurable. The larger the organization, the more stringent the requirements tend to be.
Conversely, the better your organization's security posture, the more likely you are to qualify and to pay an affordable premium. Government organizations, working within their budgets, can secure coverage and hold down premium costs by implementing the basic controls insurers look for first and then the more advanced measures.
Essential Controls to Meet Minimum Requirements
Multi-Factor Authentication. Implement MFA for all remote access to the network and for every privileged account. Requiring a second factor beyond the password, such as a code from an authenticator app, a hardware token or a biometric, has proven highly effective at reducing credential compromise, which is attackers' primary means of initial access. A security question is not a second factor; it is just another thing the user knows. Where the choice exists, prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes, which can be intercepted or phished.
Offline or Cloud Backups. A critical feature of any cybersecurity framework today is resilience: the ability to recover from an attack as quickly as possible. Maintaining backups of critical data and applications either offline or in the cloud, in either case separated from the production network, not only speeds recovery but gives an organization the standing to refuse a ransom demand. A cloud copy only counts if an attacker who has taken over the organization's domain or cloud administrator accounts cannot delete or encrypt it, so protect it with separate credentials and immutable or versioned storage. Make backups regularly, verify their integrity, and test recovery procedures; a backup that has never been restored is an assumption rather than a control.
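The restore test the paragraph calls for can be automated. The script below is an added example written for this page (it is not code from the article's author or from any vendor): it packs a constructed sample directory into a tar archive, keeps a SHA-256 manifest outside the archive, restores into a scratch directory and recomputes every hash, then flips one byte inside the archive to show that the test catches a damaged backup. The file names, paths and manifest format are illustrative assumptions.

```python
"""Backup with an out-of-band integrity manifest and an automated restore test."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(src_dir: Path) -> dict[str, str]:
    """Map each file (path relative to src_dir, POSIX style) to its digest."""
    return {
        p.relative_to(src_dir).as_posix(): sha256_file(p)
        for p in sorted(src_dir.rglob("*"))
        if p.is_file()
    }


def manifest_path(archive: Path) -> Path:
    # Assumed naming convention: the manifest sits beside the archive, not inside it.
    return Path(str(archive) + ".manifest.json")


def create_backup(src_dir: Path, archive: Path) -> dict[str, str]:
    """Write an uncompressed tar of src_dir plus a manifest kept outside it, so a
    damaged or tampered archive cannot also carry a matching altered manifest."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive, "w") as tf:
        for rel in manifest:
            tf.add(str(src_dir / rel), arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(archive: Path, restore_dir: Path) -> list[str]:
    """Extract the archive and recompute every digest against the manifest.
    Returns the files that are missing or differ; an empty list means the
    restore test passed."""
    manifest = json.loads(manifest_path(archive).read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r") as tf:
        for member in tf.getmembers():
            # Refuse path traversal and non-file members before extracting anything.
            if member.name.startswith("/") or ".." in Path(member.name).parts or not member.isfile():
                raise ValueError(f"refusing unsafe archive member: {member.name}")
        try:
            tf.extractall(restore_dir, filter="data")  # Python 3.12+ safe-extraction filter
        except TypeError:
            tf.extractall(restore_dir)  # older interpreters without the filter argument
    problems = []
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def corrupt_member(archive: Path, member: str) -> None:
    """Simulate media bit rot by flipping one byte inside the member's data block."""
    with tarfile.open(archive, "r") as tf:
        offset = tf.getmember(member).offset_data
    with archive.open("r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0xFF]))


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample data: a clean restore, then a restore from a damaged archive."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        src = tmp / "src"
        (src / "records").mkdir(parents=True)
        (src / "records" / "permits.csv").write_text("id,applicant\n1,Example Co\n")
        (src / "config.ini").write_text("[db]\nhost=db.internal\n")
        archive = tmp / "nightly.tar"
        create_backup(src, archive)
        clean = restore_and_verify(archive, tmp / "restore_clean")
        corrupt_member(archive, "records/permits.csv")
        damaged = restore_and_verify(archive, tmp / "restore_damaged")
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

The manifest is deliberately stored apart from the archive: if an attacker or a failing disk alters the archive, the manifest on the isolated copy still reflects what was backed up, and the restore test reports the exact files affected rather than a silent success.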
Endpoint Detection and Response. EDR provides continuous monitoring, behavior-based threat detection and automated response (isolating a host, killing a process) on every endpoint that can run an agent: desktops, laptops, mobile devices and servers. It helps an organization catch an intrusion early and reconstruct how it unfolded. Devices that cannot take an agent, such as building security systems and Internet of Things devices like cameras, are not covered by EDR and need network-level monitoring and segmentation instead. EDR matters most for a mobile workforce whose devices spend much of their time off the organization's network.
Important Security Controls for Enhanced Protection
Patch and Vulnerability Management. After compromised credentials, the next most common way ransomware attackers get in is through known vulnerabilities that have gone unpatched. Organizations need a robust patch management process, automated where possible, that keeps systems and applications current and remediates high-risk vulnerabilities quickly, giving priority to internet-facing systems and to flaws known to be exploited in the wild (CISA's Known Exploited Vulnerabilities catalog is the standard reference).
Privileged Access Management (PAM). A subset of Identity and Access Management (IAM), PAM focuses on monitoring and controlling highly privileged identities, whose ability to reach sensitive data and systems across the network makes them a prime target for compromise. A PAM solution can enforce zero trust principles such as least privilege, continuous verification and MFA, limiting how far an intrusion can spread once an attacker is inside.
Email Filtering and Web Security. Use security tools to inspect incoming and outgoing email and web traffic. The right tools block phishing attempts, malware and links to malicious or inappropriate websites, and inspecting outbound traffic as well helps catch malware that is already inside and calling home.
Additional Measures to Strengthen Cyber Resilience
Logging and Monitoring. Logging network and system activity is essential both to understanding how systems are being used and to investigating incidents. Logs are only useful if they survive the attack, so forward them to a central store that an intruder cannot wipe with the credentials they already hold, and retain them long enough to cover the weeks or months an intruder may dwell before deploying ransomware. Continuous monitoring of that data, by an in-house or contracted security operations center (SOC), can detect threats, initiate response and support recovery.
End-of-Life (EOL) Systems Replacement or Protection. EOL systems no longer receive security patches, so any vulnerability found in them stays exploitable for as long as they run. Replace them whenever possible; where a system must remain in service, isolate it on a segmented network, restrict which accounts and hosts can reach it, and monitor it closely.
Cyber Incident Response Planning and Testing. When an incident happens, you need to trust your response. A written plan that names roles, contacts (including the insurer and legal counsel) and recovery priorities, exercised regularly through tabletop drills, is what makes response timely and effective.
Network Hardening. Proper firewall configuration, encryption, patch management, removal of unnecessary software and disabling of unused protocols all reduce the attack surface. Pay particular attention to Remote Desktop Protocol (RDP), which gives a remote user an interactive logon session on a Windows machine. RDP exposed directly to the internet is one of the most common ransomware entry points, through brute-forced or stolen credentials and through flaws in the service itself. Never expose it to the internet; reach it only through a VPN or gateway that enforces MFA, require Network Level Authentication, limit which accounts may log on remotely, and disable it entirely on machines that do not need it.
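As an added illustration of the logging and monitoring point above and of the RDP exposure discussed under network hardening (example code written for this page, not the author's or any product's), the script below runs simple detection logic over a constructed export of Windows Security logon events: event 4625 is a failed logon, 4624 a successful one, and logon type 10 marks an RDP session. It flags brute force against one account, password spraying across many accounts, a success that follows a burst of failures, and any RDP logon arriving from outside an assumed internal address space (the RFC 1918 ranges). The thresholds, the CSV layout and the address ranges are assumptions.

```python
"""Detection logic for RDP credential attacks over exported Windows logon events."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space of the organization (RFC 1918); anything
# outside it is treated as external. Adjust to the real ranges in use.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export of Windows Security events: 4625 is a failed
# logon, 4624 a successful one; logon type 10 (RemoteInteractive) is RDP.
SAMPLE_EVENTS = """\
timestamp,event_id,user,source_ip,logon_type
2024-10-01T02:00:10,4625,jdoe,10.0.0.5,2
2024-10-01T02:00:40,4625,jdoe,10.0.0.5,2
2024-10-01T02:01:05,4624,jdoe,10.0.0.5,2
2024-10-01T02:10:00,4625,administrator,203.0.113.7,10
2024-10-01T02:10:15,4625,administrator,203.0.113.7,10
2024-10-01T02:10:30,4625,administrator,203.0.113.7,10
2024-10-01T02:10:45,4625,administrator,203.0.113.7,10
2024-10-01T02:11:00,4625,administrator,203.0.113.7,10
2024-10-01T02:11:20,4624,administrator,203.0.113.7,10
2024-10-01T02:20:00,4625,svc_backup,198.51.100.23,10
2024-10-01T02:20:10,4625,finance1,198.51.100.23,10
2024-10-01T02:20:20,4625,finance2,198.51.100.23,10
2024-10-01T02:20:30,4625,hr1,198.51.100.23,10
2024-10-01T02:20:40,4625,it_admin,198.51.100.23,10
"""


def parse_events(text: str) -> list[dict]:
    """Parse the CSV export into typed records; user names are case-folded
    because Windows treats them case-insensitively."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "timestamp": datetime.fromisoformat(row["timestamp"]),
            "event_id": int(row["event_id"]),
            "user": row["user"].lower(),
            "source_ip": row["source_ip"],
            "logon_type": int(row["logon_type"]),
        })
    return events


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_suspicious_logons(events, window=timedelta(minutes=5),
                             brute_threshold=5, spray_threshold=5):
    """Return sorted (kind, source_ip, user) alerts. Thresholds are assumptions;
    tune them to the environment's real failure rates."""
    failures_by_pair = defaultdict(list)  # (ip, user) -> failure timestamps
    failures_by_ip = defaultdict(list)    # ip -> (timestamp, user) of failures
    alerts = set()
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ip, user, now = ev["source_ip"], ev["user"], ev["timestamp"]
        cutoff = now - window
        pair = failures_by_pair[(ip, user)]
        pair[:] = [t for t in pair if t >= cutoff]           # drop failures outside the window
        per_ip = failures_by_ip[ip]
        per_ip[:] = [x for x in per_ip if x[0] >= cutoff]

        # RDP reachable from outside the internal ranges is itself a finding.
        if ev["logon_type"] == 10 and not is_internal(ip):
            alerts.add(("rdp_from_external", ip, ""))

        if ev["event_id"] == 4625:
            pair.append(now)
            per_ip.append((now, user))
            if len(pair) >= brute_threshold:
                alerts.add(("brute_force", ip, user))
            if len({u for _, u in per_ip}) >= spray_threshold:
                alerts.add(("password_spray", ip, ""))
        elif ev["event_id"] == 4624 and len(pair) >= brute_threshold:
            # A success right after a burst of failures is the highest-signal event.
            alerts.add(("success_after_brute_force", ip, user))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_suspicious_logons(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

On the sample data the two legitimate failures from an internal workstation produce nothing, while the external RDP source that fails five times against the administrator account and then succeeds produces three alerts, the last of which (success after brute force) is the one a SOC should treat as an active intrusion rather than noise.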
Proactive Cybersecurity for a Secure Future
State and local governments must adopt a proactive approach to cybersecurity, both to mitigate increasingly active threats and to improve their eligibility for cyber insurance coverage. Implementing robust security controls and practices will improve their security postures and resiliency, ensuring the continuity of essential public services.
Paul Underwood is a seasoned security professional with over 30 years of experience working with Fortune 500 clients on solving complex security problems. Paul’s extensive background includes encryption, PKI, penetration testing, security operations and incident response.