Governments must get in shape to combat increasing cyber attacks

By Daniel Poliquin, Principal, Deloitte

Early this summer, I had the honor to participate in an OhioX GovTech panel on government cybersecurity at our Columbus headquarters, and there were several takeaways as we talked through what this looks like for state and county governments. 

First, consensus is that while governments are making strides in preparing and defending against cyber, phishing, and other cybersecurity breaches, most are only meeting the basic requirements organizations need to protect data, systems, and citizens. For example, in a nearby state, we’ve found that counties are at just over a 1 out of a possible 5 rating in terms of maturity in their cyber solutions. While that’s OK in some respects –– they absolutely need that baseline capability to defend themselves –– in reality, residents need them to be much more advanced to stay ahead of these threats. 

I like to use this analogy: if you’re running on a treadmill and suddenly stop running, you’ll be thrown off the back. However, you’ll also be thrown off if you increase the speed of the treadmill but don’t up your pace! Hackers and other bad actors just keep increasing the pace, so it’s ever more difficult for governments and agencies to keep up. In our view, it’s a start to be compliant with security standards and laws. More importantly, it’s imperative these entities have the flexibility, agility and risk awareness to combat cyber threats.

Next, we discussed one key approach that can or is already helping state, county and local governments stay ahead. That occurs when there is buy-in from top leadership in states and counties to truly commit resources to cybersecurity initiatives. This requires constant education and continued awareness of these changing and advancing threats. 

With ransomware attacks consistently in the headlines, government leaders are certainly aware of risks.  Attacks on municipalities alone, for instance, increased from 12% to 22% of all attacks in the last year, most notably holding entire city systems hostage. From there, leaders must move from education to action in making cybersecurity a priority. Deloitte practitioners regularly work with and educate leaders on this topic, and we continue to see encouraging commitment. There are also so many resources from my colleagues at Deloitte Insights where they can learn more. 

Finally, it was exciting to hear from Kirk Herath, cybersecurity strategic advisor to Ohio Governor Mike DeWine, who discussed some of the initiatives he’s taking on to help state, county and local governments in their defense. He noted that the state has reshaped CyberOhio to become more operationally helpful and serve as an advisor for organizations across the state. The State of Ohio has shown a deep commitment to the effort.

In fact, just a couple weeks after our panel, Governor DeWine announced that thanks to a total $4.9 million in funding, CyberOhio will offer free services to local government entities to boost their cybersecurity preparedness and resilience. Led by Herath, the new program will deliver education, training, exercising, mentoring, and improvement across three cybersecurity preparedness levels to protect governments and citizens from these attacks. 

“We wanted to build something central and offer shared services so that counties and cities can come to us to understand, learn, and improve their cyber defenses,” Herath said on our panel.

This is great news for how the State of Ohio defends itself, and very much in line with how I believe governments can stay ahead of cyber risk: by practicing, getting educated, staying in shape, and running faster on that treadmill.