The International City/County Management Association (ICMA) partnered with the University of Maryland a few years ago on a nationwide survey of local government cyber security practices, including incident response (IR) plans. Among the many interesting data points in the published report was the finding that only 33.7 percent of respondents had a “formal, written plan for recovery from breaches.” Of those that did, fewer than one-third rated their plan’s effectiveness as high or very high.
Why Do So Few Local Governments Have IR Plans?
The survey results don’t elaborate on what the plans looked like for different cities. However, it’s not that surprising that so few local governments have incident response plans. Creating an effective incident response plan takes time and focused effort. That's the case whether you’re managing a program in the private sector or local government. Too many state and local governments hope for the best and cross their fingers that they will never have to live through a data breach or cyber attack. They haven’t budgeted the security personnel and other resources to document a plan.
For those state and local agencies that indicated that they had a documented plan, why did the majority rate the effectiveness of that plan as less than great? That’s likely because they hadn’t taken the next step, which is exercising those plans. Practicing an IR plan is essential to building confidence and improving efficiency.
Nevada: Leading the Charge on Standardization and Efficiency
One example of a state that’s doing this – and doing it well – is Nevada. State government agencies there have been very forward-thinking in bringing their counties and cities together to focus attention on cyber security over the past 10 years. The state is leading the charge on standardization and efficiency by sharing resources. Every county and city in Nevada can participate through this initiative and take advantage of lessons learned by the pilot communities.
Most recently, I led a Delta Risk team that helped develop a set of IR plan templates that were first launched in one of Nevada’s fine cities. They are now being used in their largest county. In addition to recognizing the need for documented plans, Nevada is very active in exercising their plans to build muscle memory. They are not reinventing the wheel on this. They consider major cyber security incidents on par with other hazards in their emergency operations planning and make use of their existing exercise programs.
As recent ransomware attacks in cities like Atlanta and Baltimore illustrate, local governments are very attractive targets for malicious hackers. According to a follow-up survey by the ICMA in 2017, 44 percent of local governments said they regularly face cyber attacks. More surprisingly, 41 percent didn’t know if their systems had been breached, and more than 50 percent said they didn't count or catalog attacks.
I’d love to see more local governments improve their cyber security by sharing resources and project deliverables, like IR plan templates. Given the ongoing barriers of too little funding and too few staff, more state and local governments should consider this approach.
What is an Incident Response Plan and Why Do You Need One?
Having an incident response plan can answer critical questions in advance and ensure your team is prepared if you have a data breach, ransomware attack, or other security incident. Some of the questions a plan should answer:
- When an incident occurs, who gets the first call?
- Who needs to be involved and at what stage?
- What technical steps should you take to resolve an incident? What communication steps should you take?
- Is your organization prepared for an incident?
- What information does senior leadership need and how is it going to be communicated?
Once you have created your plan, you should review, update, and test it at least once a year.