How State and Local Governments Can Stay Safe From Cyber Attacks


Cyber threats are increasing and, unfortunately, local and state government entities have become top targets.

In 2023, the FBI reported that government entities were the third most-targeted sector by ransomware, and Arctic Wolf’s own research saw the average ransom for government organizations top $1 million USD. And that’s just one kind of cyber attack. Business email compromise (BEC), a consistently popular attack type for cybercriminals, affected 70% of organizations in the last 12 months, according to Arctic Wolf’s annual trends report.

These statistics paint an alarming picture, but that doesn’t mean local and state government entities should resign themselves to an inevitable attack. While these organizations certainly face challenges, including limited budgets, strained resources, and out-of-date technology, they have opportunities to shore up their defenses and go from being a leader in attempted hacks to being a leader in cybersecurity best practices. But first, it’s important for these organizations to understand the threats they face and the specific security gaps they need to close.

Why Are Government Entities Cyber Attack Targets?

Cybercriminals tend to follow the path of least resistance, and that path has, time and time again, led them toward state and local governments. The main reasons are not unique to these organizations but are seen across industries. First, they have access to and store vast amounts of private data – from financial data to social security numbers and other personally identifying information (PII) – which sells for a high price on the dark web. Second, they have little tolerance for downtime due to the vital role they play in communities. Those two factors make them a strong initial target for ransomware groups and individual hackers, and once the cybercriminals do a little research, key weaknesses can come to light, motivating the threat actors to launch sophisticated attacks.

1. State and local government organizations often lack funding and skilled resources

Local governments are not flush with cash, so investing in new technologies, processes, and people needed to meet modern cybersecurity standards can be difficult. An attack will be much more costly than appropriate cybersecurity investments—but for cash-strapped local governments, it can seem like the only available option is to spend nothing and hope for the best.

In addition, the cybersecurity expertise gap has hit the government hard, where wages may not be as high as in the private sector and opportunities may not be as lucrative. IT teams are finding themselves overwhelmed and undertrained when it comes to meeting new threats and improving the security environment of their organization. Like many organizations, government entities are learning to do more with less: only 16% of respondents in this year’s The State of Cybersecurity: 2024 Trends Report stated that the hiring and recruiting of security staff is one of their primary areas of concern. That’s down significantly from 64% in 2023. However, many private organizations are closing that gap with new, pricey technology, an option not readily available to these smaller, budget-constrained entities.

2. The vast number of organizations offers plenty of targets for cybercriminals

There are over 90,000 different local governments in the U.S., and that doesn’t include state governments, tribal governments, or government-related entities like police departments and county offices. This allows cybercriminals to take a broad attack approach, such as bombarding an entire entity with phishing emails, or to refine tactics during one attack and transfer them to another. Additionally, many government organizations may use the same software for business operations. If there’s a known vulnerability that hackers can exploit at one local government entity, there’s no reason they won’t try it on another.

3. Government entities are more connected than ever, allowing for supply chain attacks
Digitization breeds risk, and as governments connect to the internet, embrace the cloud, and utilize private software, they create new risks for their organizations and users and rapidly increase their attack surface. One statistic tells a full story here: 99% of organizations (across industries) utilize the cloud, but only 40% feel they are actively securing their cloud resources effectively.

Recent Government Hacks

The numbers mentioned above are not hypothetical. Looking at recent government hacks can highlight just how these challenges lead to cybercrime.

Kansas City, a major city in the Midwest, took hits from cybercriminals in the spring of 2024, as the Jackson County Assessment, Collection and Recorder of Deeds suffered a ransomware attack originating from a phishing email, and the Kansas City Area Transit Authority and the Kansas state court system were also attacked in the same time period.

A suburb of Atlanta, Macon-Bibb County, had its network taken offline by cybercriminals in May 2024, in an attack that mirrored one in Wichita, Kansas, which had occurred just the week before.

Explore other top state and local government cyber attacks.

How State and Local Government Entities Can Increase Their Cybersecurity

While these organizations face both internal challenges and external threats, there are a number of steps they can take to improve their security posture and harden their cybersecurity defenses.

1. Employ 24×7 monitoring, detection, and response
With limited employees and budget, having staff on hand to watch your environment 24 hours a day is impossible. But third parties, like Arctic Wolf, can provide both the technology and the human power to keep eyes on glass around the clock. Threat actors don’t stop when the clock hits 5 p.m. and your employees go home, so having full-time coverage can help stop sophisticated threats early while helping your organization gain visibility to make proactive changes.

2. Implement identity and access management (IAM) with robust access controls
As the ransomware attack in Missouri highlights, users are a major part of the attack surface, and this is especially true for state and local governments, which employ hundreds and rely on user-to-user communication like email. But this threat can be mitigated with technology, particularly the implementation of multi-factor authentication (MFA). While MFA is a simple access control, it can have a vast impact, stopping BEC attacks and successful phishing attacks from moving forward. If a threat actor gains initial access, strong IAM measures, like MFA, will prevent lateral movement and give organizations more time to identify and neutralize the threat.

3. Follow a strong security awareness training program
The other defense against human risk is effective security awareness training. Organizations across industries have gotten better at implementing training – 88% of organizations currently use some form of internal security awareness program – but that doesn’t mean every training program is built the same. State and local governments should employ a program that has a regular training cadence, utilizes micro-learning for better information retention, and addresses industry-specific threats such as phishing.

Learn more about Arctic Wolf® Managed Security Awareness®.

4. Plan for potential threats and incidents with incident response (IR) planning
A mature organization is one that continually takes proactive steps while also ensuring it is ready if a threat actor strikes. This means not only having detection and response software in place that can shut down a threat during initial access, but also having systems, processes, and people in place in case an incident escalates. This can take the form of a retainer – Arctic Wolf® Incident Response Jumpstart Retainer offers pre-paid hours, 1-hour response time, and IR planning and review – or an internal planning and review committee, or even just a proper cyber insurance policy to transfer risk.

Watch our webinar on IR for state and local governments.

5. Secure cybersecurity funding through grants

In 2022, the Department of Homeland Security announced a cybersecurity-focused grant program for state and local governments. While the amounts that will be allocated for 2024 have yet to be announced, the program handed out $18.2 million USD in 2023. Organizations should be on the lookout for more information about this program, and how they can qualify to secure funding and enhance their security posture. Additionally, the requirements for this funding represent a series of controls that all local and state governments should work to implement, so even if funding is not available for your entity, the guidelines can serve as a solid framework for making cybersecurity improvements.

Explore how Arctic Wolf keeps this local government office safe from cyber threats.

Get started on your security journey with our state and local government cybersecurity checklist.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.