Last month, three procurement and cybersecurity experts led a session of NIGP’s Headliner Series to examine the impact of cybercrime on public procurement entities. Presenters noted that cyberattacks against local and state governments continue to rise, as criminals often see them as easy targets willing to pay ransom for stolen data. “In 2021, there were 77 successful attacks on local and state governments, and another 88 on school districts, colleges, and universities,” said Nathan Dawson, director of procurement at Lexington County School District One in South Carolina. Dawson, one of the presenters, added that ransomware remains a favorite of criminals who target procurement entities, as it is “still very successful” in state and local governments, some of which are willing to pay to regain their data.
“Criminals know that your entity’s data is its most important asset,” said Maria Thompson, the state and local government advisor at Cybersecurity Amazon Web Services. Thompson affirmed that a breach that exposes an entity’s data can significantly impact its employees and those they serve, potentially incurring legal action. It is increasingly challenging to ensure that the constant stream of data that today’s government entities produce and rely upon is accessible only to those who need it, said Thompson, particularly since those needs are always evolving.
Dawson suggested that entities continually monitor the location, nature, accessibility, and storage of their data to guard against unnecessary risks: “Ask yourself: What data do we have? How sensitive is it? Where is it being stored? Is it replicated in multiple locations? Who has access to it? Do you regularly delete old data?”
While cybercrime can take a dizzying number of forms (malware, phishing, password theft, interrupted communications, denial of service), there are proven tools to deal with it, and many are dictated by common sense. Developing applications carefully and securely on the front end and educating users to spot fraudulent attempts to steal data on the back end are essential to protecting an entity’s assets, said presenter Stephanie Akerley, corporate procurement manager at the Maryland-National Capital Park and Planning Commission. Part of this, she said, is demonstrating to potential thieves that you are not an easy mark: “If bad actors have trouble breaking down your defenses initially, they will move on to an easier victim.”
Local government entities can take a number of proactive steps to dissuade cybercriminals, including purchasing cyber insurance, working with a state’s security assets, and joining information-sharing partnerships with other entities. It’s important to remember, though, that no safeguard is a one-and-done solution. “Just using one solution is not enough,” said Thompson. “You have to continually assess for new risks and identify where your gaps are. If you remain static, you create new vulnerabilities. The old adage holds true: Failing to plan is planning to fail.”
Presenters suggested several tools local entities can use to guard against possible cybercrime:
- The Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security, is responsible for helping strengthen cybersecurity across all levels of government.
- The Multi-State Information Sharing and Analysis Center (MS-ISAC) works to improve the overall cybersecurity posture of state, local, tribal, and territorial government organizations through coordination, collaboration, and communication.
- InfraGard is a partnership between the FBI and members of the private sector for the protection of US critical infrastructure.
- The Cyber Security Evaluation Tool is a desktop application that guides asset owners and operators through a systematic process of evaluating their operational and information technology.