State governments are struggling to ward off millions of increasingly complex threats to the security of their technological systems each week, according to a new report about cybersecurity in the states from Deloitte and the National Association of State Chief Information Officers.
Cybersecurity is the task of protecting computer networks and data, in this case those that underpin all of the business that state governments conduct. Cited threats range from hackers attempting financial fraud and “hacktivism,” or hacking aimed at making a political statement, to stolen laptops and foreign state-sponsored espionage.
A survey of state chief information security officers found that only 24 percent are “very confident” that their state assets are protected against external threats, while only 32 percent say their staff have the required cybersecurity competency. Government agencies have lost more than 94 million citizen records since 2009. The average cost per lost or breached record is $194.
“The states have the most comprehensive information about citizens from birth to death, from doctor visits to tax information and benefits information,” says Srini Subramanian, leader of Deloitte's security and privacy practice for state governments and one of the report's authors. “States have the most comprehensive information compared to any private sector organization.”
Lack of adequate funding, increasingly sophisticated threats and inadequate availability of cybersecurity professionals are the primary obstacles cited by the security officers. Competition for top talent from higher-paying private-sector employers has made recruiting and retention a challenge in this area.
States are increasingly experimenting with outsourcing some security functions, but that, too, comes with its own security risks and challenges. “There is an argument to be made to outsource certain specialized security functions, but when you do, you have to make sure that you have adequate controls in place,” Subramanian says.
States too often rely on the language in the contract to delineate the contractors' responsibilities, he says, but states will be accountable to the public if security is breached. He suggests putting additional processes in place to ensure compliance.
The report's recommendations include adopting uniform security frameworks, better articulating the risks to other stakeholders in state government, and increasing the monitoring and auditing of security contracts with private-sector providers.