State and local governments under siege from cyber threats

With both security budgets and talent pools negatively affected by the ongoing pandemic, state and local governments are struggling to cope with the constant wave of cyber threats more than ever before, a Deloitte study reveals.

The study is based on responses from 51 U.S. state and territory enterprise-level CISOs.

Key themes

• COVID-19 has challenged continuity and amplified gaps in budget, talent and threats, and the need for partnerships.
• Collaboration with local governments and public higher education is critical to managing increasingly complex cyber risk within state borders.
• CISOs need a centralized structure to position cyber in a way that improves agility, effectiveness and efficiencies.

The report also details focus areas for states during the COVID-19 pandemic. While the pandemic has highlighted the resilience of public sector cyber leaders, it has also called attention to long-standing challenges facing state IT and cybersecurity organizations such as securing adequate budgets and talent, and coordinating consistent security implementation across agencies.

Remote work creating new opportunities for cyber threats

These challenges were exacerbated by the abrupt shift to remote work spurred by the pandemic. According to the study:

• Before the pandemic, 52% of respondents said less than 5% of staff worked remotely.
• During the pandemic, 35 states have had more than half of employees working remotely; nine states have had more than 90% remote workers.

“The last six months have created new opportunities for cyber threats and amplified existing cybersecurity challenges for state governments,” said Meredith Ward, director of policy and research at NASCIO.

“The budget and talent challenges experienced in recent years have only grown, and CISOs are now also faced with an acceleration of strategic initiatives to address threats associated with the pandemic.”

“The pandemic forced state governments to act quickly, not just in terms of public health and safety, but also with regard to cybersecurity,” said Srini Subramanian, principal, Deloitte & Touche LLP.

“However, continuing challenges with resources beset state CISOs/CIOs. This is evident when comparing the much higher levels of budget that federal agencies and other industries like financial services receive to fight cyber threats.”

The need for digital modernization amplified by the pandemic

State governments’ longstanding need for digital modernization has only been amplified by the pandemic, along with the essential role that cybersecurity needs to play in the discussion. Key takeaways from the 2020 study include:

• Fewer than 40% of states reported having a dedicated budget line item for cybersecurity.
• Half of states still allocate less than 3% of their total information technology budget on cybersecurity.
• CISOs identified financial fraud as three times greater of a threat as they did in 2018.
• Overall, respondents said they believe the probability of a security breach is higher in the next 12 months, compared to responses to the same question in the 2018 study.
• Only 27% of states provide cybersecurity training to local governments and public education entities.
• Only 28% of states reported that they had collaborated extensively with local governments as part of their state’s security program during the past year, with 65% reporting limited collaboration.