State and local government agencies face multiple — and often interrelated — challenges to strengthening their resilience. They must address evolving cyber threats, modernize vulnerable legacy systems and meet growing expectations around digital services. Agencies often lack the budget and staff to take on these challenges and address the risks associated with them.
But a holistic approach to assessing and addressing potential failure points can help agencies augment staff skills, accelerate digital transformation and improve organizational resilience.
Governments need to sustain business processes and IT systems to deliver critical services despite natural and manmade disasters. However, ensuring that level of resilience remains a challenge. Nearly one-third of attendees at a July 2022 Government Technology webinar sponsored by Iron Bow said in an informal poll that they were not as confident as they should be in their organization’s ability to recover within 48 hours of a major security incident. Threats to government resilience are real and growing.
In 2021, nearly four in 10 public sector organizations globally said they had experienced a ransomware attack within the past year, according to a Sophos cybersecurity survey. And attacks on government agencies are often more likely to succeed. For example, 69% of local governments hit by an attack reported that cybercriminals had successfully encrypted their data, a success rate that’s 15 percentage points higher than the average for all organizations.
The costs of these vulnerabilities are staggering. Across all organizations, the average downtime resulting from a ransomware attack is 21 days. But the challenge is broader than cybersecurity, and governments need to think beyond technology issues to address it.
It's not that governments have a security issue so much as a resilience issue. Because of traditional organizational silos, governments have many single points of failure (in systems, processes, and security) that increase the risk level of each organization.
Agencies also need to ensure that systems and processes can scale up during unprecedented surges in demand. This was a common problem faced by state unemployment insurance systems during the pandemic. But governments face budgetary and technology limitations in addressing these and other barriers.
All of these risks and gaps present a challenge for governments: Can your government encounter a wide range of scenarios, such as the COVID-19 pandemic or a ransomware attack, and continue delivering services to constituents with little to no interruption? How scalable and adaptable are your government operations considering cyber and non-cyber challenges? Or to put it more simply, can you take a hit in the mouth and keep going?
Here are four steps to get started in a more proactive resilience-as-a-service approach:
1. Conduct a comprehensive resilience assessment. Identify technical and non-technical gaps and potential points of failure across technology, people, and processes.
2. Develop a mitigation strategy. Prioritize efforts to address those gaps based on the level of risk each one presents.
3. Use workforce development to "future proof" staff and operations. Address potential single points of failure by leveling up skillsets.
4. Leverage partners to provide resilience-as-a-service. Service providers can offer robust security tools and practices that have been cultivated to serve multiple customers at scale.
This blog is an excerpt from a Center for Digital Government Issue Brief, "Resilience-as-a-Service: A holistic approach for ensuring continuity of government." You can read the full issue brief here.