Editor’s Note: October is National Cybersecurity Awareness Month.
Although city governments increasingly rely on software programs to provide services such as 911 calls, service delivery and online bill payment, they may not have the proper cybersecurity policies in place to protect their systems, according to a recent nationwide survey of cities by Augusta University researchers.
“We’re concerned first with the human factor of all issues,” said Dr. William Hatcher, director of Augusta University’s Master of Public Administration program and one of the survey’s authors. “Having trained employees is necessary to stop attacks or even make sure organizations are not tricked through phishing type schemes.”
Almost 30 percent of surveyed cities have no formal cybersecurity policy, which would include rules on password creation, guidelines for employee training on computer security and procedures for reviewing the list of employees with access to sensitive systems, according to the survey.
Of the cities that have a formal policy, the survey found that:
- 17 percent don’t require in-depth background checks when employees are granted access to sensitive systems
- 18 percent don’t teach employees to recognize breaches
- 37 percent don’t provide ongoing training to employees on new computer security procedures
- 47 percent don’t review the list of employees who have security access on a regular basis
- 54 percent don’t work with an outside auditor to review their policies on an annual basis
The survey looked into cities nationwide with more than 10,000 people and received responses from 193 local governments.
Based on the results of the survey, Hatcher says most cities understand the importance of cybersecurity but are not investing in vulnerable areas due to financial constraints.
“Providing effective cybersecurity protection is expensive, and many municipalities have financial issues paying for the service,” Hatcher said.
As the March 22 ransomware attack against Atlanta shows, however, the cost of recovering from cyberattacks can be significant. Following the attack, Atlanta spent $2.7 million in contracts to clean its network, according to the Atlanta Journal-Constitution. That number didn’t include the cost of thousands of city employees not being able to access their work computers for five days.
In the end, investing in security could be cheaper than paying to recover a city’s computer systems following a cyberattack.
“Cities, small and large, house a ton of data on their cities — financial information, tax information, housing information, criminal justice information, etc.,” Hatcher said. “This data needs to be kept secure.”