State and Local Governments Misperceive the Risk of Cyber Attacks

When the flu strikes, the symptoms are immediate, obvious, and -- thankfully -- fleeting. But other diseases like cancer can lurk in the body for years. By the time doctors catch a tumor, it could be too late.

Unfortunately, today's cyber-attacks are less like the flu -- think blue screens and system error messages -- and more like fatal tumors -- malicious code that exfiltrates data for months or years without detection. Worryingly, many state and local governments think their current cyber security efforts have immunized them from attack. In reality, they need to do away with the flu shots and fire up the CAT scanner -- by assuming the worst and verifying their systems' health.

Currently, almost 90 percent of state officials are confident that they're protected against cyber threats. That confidence is no guarantee that their systems are actually secure -- or even that they're not already breached. In 2014, it took an average of 205 days for organizations to discover they were breached. And of those organizations breached, nearly 70 percent learned of the attack from a third-party source, such as the FBI.

To cut response times from months to minutes, state and local governments must change their approach to cybersecurity.

That starts with assuming that they've already been hacked. This mindset forces decision makers to identify their worst-case scenario -- whether that's a data breach involving the theft of millions of medical records or a control system breach that leads to the loss of transportation, energy or other critical public infrastructure services. Operating in crisis-mode and focusing on the biggest threats enables decision makers to prioritize resources to defend their most critical assets.

As they batten down the hatches, decision makers can take several measures to verify whether a breach actually has occurred. Compromise and incident response readiness assessments help establish a baseline of a system's health and resiliency.

A compromise assessment checks the strengths of a system's defenses. For example, it might use "red teaming" to see if a group of trained experts can hack an organization's most valuable assets. If successful, the team can then pinpoint exactly where vulnerabilities exist in a system. From there, they can reverse engineer tools to prevent such attacks.

An incident response readiness assessment not only determines the effectiveness of security event monitoring systems, but also determines whether staff understand what to do in the case of a breach. The assessment can then recommend best practices..

In an age of increasingly subtle and stealthy cyber attacks, state and local governments must prepare for the worst. That requires prioritizing the defense of critical data and testing a system's defenses to find weak spots. Only by adopting this new approach to security can state and local government organizations stop breaches from metastasizing.