Sunday, 10 January 2016

State and Local Governments Need to Think of Cybersecurity like a Natural Disaster

States prepare for disasters. Altogether, they spend almost $800 million each year in hurricane preparation. Oregon alone is considering spending $100 million every year for the next several decades in anticipation of a "megaquake," a combination earthquake and tsunami that has a 30 percent chance of occurring.

But when it comes to protecting against dangers that are a matter of "when" not "if," states fall short. For years, state and local governments across America have let cybersecurity linger, thinking of it as little more than an "information technology" issue. That needs to change.

Cyber attacks can inflict billions of dollars' worth of damage. The average U.S. organization spends $15 million each year on cyber attacks. Globally, cybercrime costs the economy $445 billion annually.[4] By comparison, Hurricane Katrina, the most damaging natural disaster in U.S. history, cost a total of $125 billion[5] -- about three and a half times less than the annual cost of cybercrime.
Governments typically hold extremely sensitive information, like Social Security numbers and healthcare information. So they're tempting targets for hackers.

Yet state and local governments often have limited funding and resources to ward them off. Nearly half of all states spend only one to two percent of their IT budget on cybersecurity, according to a Deloitte-NASCIO Cybersecurity Study.[6] The private sector spends roughly five times that amount.
Additionally, state and local government personnel often lack the "technical, implementation, and privacy" skills needed to create a secure system.
That combination -- high-value data with relatively low barriers to access -- is a big problem.

Every record breached costs an organization approximately $222 to handle. With millions of records at stake, that's many millions of dollars in potential damages.

Consider South Carolina. Two and a half years ago, a cyber attack on the state's Revenue Department affected nearly 6 million taxpayers and their dependents, impacted roughly 700,000 businesses, and cost over $20 million to clean up. 
Successful cyber attacks like this have even claimed the jobs of some public officials. Following the South Carolina hack, state Department of Revenue Director Jim Etter resigned.[10] Gov. Nikki Haley narrowly won her next election.
Similarly, in Utah, after hackers swiped hundreds of thousands of Medicaid records and Social Security numbers from the Utah Department of Health, the state's seven-year CIO Steve Fletcher resigned. 
Hacks don't just claim political scalps. They can actually threaten people's lives. In mid-November, U.K. finance minister George Osborne announced that the United Kingdom would double cybersecurity funding to protect the country against attacks from ISIS.

"The stakes could hardly be higher," he warned. "If our electricity supply, or our air traffic control, or our hospitals were successfully attacked online [by ISIS], the impact could be measured not just in terms of economic damage but of lives lost." 
State and local governments in the United States similarly process and house valuable information about critical infrastructure. Unfortunately, they have a mixed record of keeping it secure. Indeed, if states and local governments maintain evacuation protocols and contingency plans for natural disasters, why don't they do the same for cyber disasters -- especially when the consequences can be just as impactful to their residents?

Breaches are inevitable. But governments need to be mindful of the risks. They can no longer afford to put cybersecurity on the back burner. Instead, they must think about cybercrime just as they would a natural disaster -- one that has the potential not just to cost dollars but to disrupt lives.