With SolarWinds and nation-state attacks grabbing the headlines, as well as several large US federal cyber initiatives including the White House cybersecurity executive order, DoD’s CMMC program and the FBI’s CJIS security policy, you’d think the cyber threat was largely federal. Yet a cyberattack at the state or local level is likely to be much more disruptive to citizens, potentially impacting emergency 911 services, police dispatch and sewage treatment along with everyday services like driver licensing and title searches.
The importance of security at the state level is highlighted in this quote from Richard Kidd, Program Manager with the Maryland Department of State Police: “Securing sensitive data is essential to our ability to serve the community.” However, many state and local agencies don’t even have dedicated IT resources, let alone a well-funded cybersecurity program. In fact, much of their IT infrastructure is outdated and can’t be effectively secured against current cyber threats.
While cybercriminals have known that state and local governments are vulnerable, the value of breached data was typically limited, so they focused their efforts on more lucrative targets. Unfortunately, ransomware brought a new dynamic, making state and local governments the perfect target. Indeed, cyberattacks on state and local governments have risen 50% since 2017, with average ransomware demands nearing a half million dollars. And while the National Association of State Chief Information Officers (NASCIO) has deemed cybersecurity and risk management the number one priority for 2021, the challenge of adequate funding remains.
Well, that may be about to change with the US Senate passing last week’s mammoth bipartisan infrastructure deal that earmarked $1B in cybersecurity funds for state and local governments. If passed into law, this is a real game changer. To help state and local governments prepare, here’s a roadmap to up their cybersecurity game with modern multi-factor authentication (MFA):
- Embrace Zero Trust – Put simply, “never trust, always verify”. Adopt a least-privilege access strategy and issue high-assurance credentials to provide secure access to resources with controls at all levels.
- Be contextual – Stay vigilant with adaptive risk-based authentication that applies a step-up challenge to users when conditions warrant, such as logging in for the first time on a new device or from a new geolocation.
- Keep employee friction low – Think “invisible security” with background device reputation checks, intelligent authenticators like biometrics and mobile push, and seamless login with passwordless and single sign-on (SSO).
- Go cloud first – Most CIOs would agree that the last 18 months would have gone a lot smoother with more cloud-based workflows. In an uncertain and rapidly changing world, a cloud-based IAM solution offers unprecedented speed, scalability and security.
- Simplify IT administration – Stop the hybrid / multi-cloud insanity that adds cost, risk and complexity with multiple distributed directories and manual user provisioning. Adopt unified identity management with workflow orchestration.
- Make the most of your available resource pool – Streamline user provisioning with identity orchestration and leverage user self-service tools like password reset. If a shortage of critical IT skills is a challenge, consider using a managed service provider.