5 Security Misconceptions that Persist in Government Today
We service a lot of government clients here at Nomic. Chronically fighting for cash, they come to us with difficult challenges, and we find creative ways to solve them. And in the process, we learn a lot.
From our unique vantage point, we've noticed a few things in particular … What’s that Mark Twain quote? “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” Sounds like our politics today, and the same can be said when it comes to cybersecurity.
Here are a few mistaken beliefs that still persist at the local government level. And what we’ve also noticed is that these same misconceptions, with a few tweaks, can be applied to the SMB subset as well.
#1: “Local governments are not a target.”
OK, so this is an old myth that has pretty much been debunked - most organizations these days know they’re a target, no matter how small they are. And easily accessible tools, from AI to ransomware-as-a-service, make it easier and easier for even less sophisticated bad actors to find and exploit the low-hanging fruit.
Because of this low cost of entry and the fact that everyone knows local governments struggle for resources, smaller local governments have become an especially attractive target. At this point, most practitioners we come across at this level know it.
So why include it in our list? Because even if local governments “know” they’re a target, they might not know one of the other important reasons why: Since a lot of government systems communicate with each other and overlap, these smaller targets can serve as a gateway into larger government organizations with even more at stake - think of it like the government version of a supply chain attack.
#2: “Since governments realize how at-risk they are, they’ll definitely be able to get the resources they need.”
Governments are complicated. While IT and cybersecurity may see what’s going on in the threat landscape, they do not hold the purse strings. To get these wheels in motion, they need to talk to the people who do: mayors, county commissioners, and city council members. And convincing them of the problem? Well, that’s a whole other set of skills.
Today’s local government cybersecurity head needs to be almost a renaissance man or woman. They need to have not only the technical acuity to determine the level of cyber risk to the organization but also the relationships in place with the powers that be to be able to sway them to their side. They need to convince leadership to approve cybersecurity spending over other competing (and possibly more visible) interests, and they need to present their case in a way that non-cybersecurity professionals can understand. It’s quite a task.
We’ve seen that IT heads that have built trust top to bottom throughout an organization tend to get the funding they need. Those that can’t build those relationships end up throwing their hands up in the air and saying, “It’s no use. My mayor and I don’t get along.” Unfortunately, it’s that simple—and for many, that complex.
#3: “Big cybersecurity initiatives at the state and federal level will trickle down easily to local governments.”
While large federal and state cybersecurity initiatives are a huge boon – and improving as we speak – they don’t necessarily translate into effective security at the local level. In our experience, every state is a little different, and some are much more effective than others in their support of local entities. Let’s take the SLCGP as an example: it is federal grant money for cybersecurity, but each state handles its distribution of these funds differently.
So, what do local governments do in the meantime? What they always do – find a way.
I am a staunch believer in the CIS Controls. They help organizations of any size get started with “basic cyber hygiene,” as the Controls put it. In the absence of stronger or more attainable help at the state and federal level, all local governments (and SMBs) should start here.
While they seem simple – starting with things like asset inventory and access control – these principles give organizations a wide umbrella of protection, as most threat actors go for the low-hanging fruit.
#4: “If we implement XYZ, we’ll be 100% protected.”
A false sense of security often exists in less cyber-sophisticated organizations. And who can blame them? You don’t know what you don’t know. The trouble comes when you come into a situation as a vendor, and the administrator says, “Thumbs up, we’re good. We just bought this huge firewall, and now we’re totally okay.” It happens more often than you might think.
Referencing #2 again, much like IT administrators are challenged with building relationships with their leadership, sometimes we as vendors have the challenge of building enough trust with organizations to be a voice of reason. With that well-earned trust, we can provide valuable guidance to improve an organization’s security posture.
#5: “Our on-prem security strategy has been very effective. We should be fine in the cloud.”
A lot of organizations find out the hard way, and sometimes too late, that on-premises and cloud environments are two totally different creatures.
Unfortunately, expertise in one does not automatically transfer to the other. Things just work differently out there. The network architecture is completely different, and therefore the configurations and tools needed to be secure are different, too. Many times, you need cloud-specific tools to do a cloud-specific job.
Most organizations we see today are settling into a hybrid architecture. Many moved quickly to the cloud, then realized it was pricey and complex and scaled it back a bit. Many were slow to adopt, only now moving the most essential items (let’s say Microsoft O365 and backups and data recovery, for example) into the cloud.
Again, a trusted vendor here can make all the difference. Smaller government organizations don’t usually have the in-house expertise for cloud implementations, so they need to be able to lean on their vendors to guide the way.
What Small Governments Can Do
As they say, knowing the problem is half the battle. For the other half, we’ve helped many organizations with our additional layers of security and our boots-on-the-ground experience when it comes to navigating the waters of small government funding, implementation, and – well, politics.
Check us out, and let us share that expertise with you. Debunk “what you know that just ain’t so,” and let us help you find the security solutions we’ve seen work for local governments time and time again.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.