The CompTIA 2021 National Survey of Local Government Cybersecurity and Cloud Initiatives is out. It's a (US) national survey of local government cyber-security programs, and gives you an idea of the strengths, weaknesses, strategies, and areas of increased spend ahead.
A few things stood out to me. The first was around Cyber Awareness Training.
Ninety-two percent of respondents state their jurisdiction provides employees with cyber awareness training – what to do and what not to do when it comes to Cybersecurity. Fifty-nine percent state that training is provided on an on-going basis throughout the year; 34% state that training is provided once a year.
When asked if elected officials, their staff and senior leadership are exempted from awareness training, 24% responded yes.
(CompTIA 2021 Survey)
92% is a good number to be providing the training. But 24% allow the most senior people, and their elected officials, to skip it. This is super worrying: they have the easiest-to-guess email addresses, receive the most external mail, and often hold the greatest internal 'power' or access. That makes them the most interesting target. Why would we exempt anyone from taking the training (and passing it, and re-taking it if they don't pass)? It's probably hard to tell the Mayor to take a course, but it's certainly less embarrassing than explaining the bad outcome later.
Another thing that stood out to me was Cloud Computing adoption.
I'm a huge proponent. Properly done, your security goes up, your operational cost goes down, and you get a better experience for all. The cloud environments offer better security tools overall, from audit logging to DDoS protection to backup and disaster recovery.
But that is a big chunk who have no plans, and a big chunk who are just starting.
Another thing stood out to me: lack of awareness of what to do following a breach. The vast majority are unsure. What is their plan: look it up on the locked-down machines that the ransomware gang is busily exfiltrating their data from?
So, the good news: increasing progress, hardening, and awareness in the public sector. There was no question around the use of multi-factor authentication, which is one I would love to know the answer to. Which organisations require this for all users (and do not exempt anyone)? Which organisations require this on all networks (not just external)? And on all applications (not just "important" ones)?