Most Local Governments Provide Cyber Awareness Training. Why Do 25% Let Elected Leaders Opt Out?

Some local elected officials and their staff are getting a pass when it comes to cybersecurity training that’s often mandated for other municipal workers, according to a new report from the CompTIA Public Technology Institute.

The survey of local government IT executives, which was released Wednesday, found 92% of jurisdictions provide employees with cyber awareness training. However, nearly a quarter of the surveyed IT executives said their jurisdictions allow exemptions for elected officials, their staff or other senior leadership.

These types of training exemptions can set bad precedent and leave public officials at heightened risk, said Alan Shark, the CEO and executive director of CompTIA’s Public Technology Institute.

“It is important to remember that email addresses and contact information for elected leaders and management are easily available, meaning these officials are prime targets for phishing attempts and probing of government IT systems,” the report said. “Allowing for exemptions may also set a bad and demoralizing example to others in the organization who are required to follow strict protocols.”

There’s no excuse for elected officials who think they are too busy or technologically savvy enough to not require regular cybersecurity training, said Shark, adding that he participates in his organization’s regular cybersecurity training.

“These cut arounds are because they don’t want to be part of it,” Shark said, noting one incident in which a county’s chief information officer was reprimanded for sending a phishing test to elected officials. “When you have these exceptions, word gets out and that’s not good for morale.”

State and local governments have sought to improve cybersecurity awareness and defenses in recent years as an influx of cyber and ransomware attacks targeted government agencies. The CompTIA survey found 81% of local governments have governmentwide cybersecurity policies that set rules for employee behavior and operational safeguards and procedures.

A growing percentage of local governments also report having a cyber insurance policy to provide some level of protection in case they fall victim to a cyberattack. Ninety percent of local governments said they had cyber insurance, compared to 78% who reported having insurance in 2020. The cost of cyber insurance is on the rise, however, with 69% of local governments IT officials reporting that insurance premiums have increased since their last policy renewal.

The survey of 75 local government IT executives was conducted in August and September.

The coronavirus pandemic created unique cybersecurity challenges for state and local governments as many employees transitioned to work from home. A quarter of state and local government employees use personal digital devices like cell phones and tablets for work, putting them at higher risk for phishing attacks and other cyber intrusions.

Work-from-home situations have led more governments to adopt mobile device management policies for employees.

This year, 65% of governments had such a plan in place compared to 55% in 2020.

“Clearly the pandemic caused people to rethink things,” Shark said. “They realized they had to have policies because people were using their own devices and it posed, if unregulated, a huge security risk.”

Among the challenges to improve cybersecurity protections in local government is the cost. Federal lawmakers have sought to make more financial assistance available to state and local governments to pay for cybersecurity upgrades and system modernization. If those initiatives are approved, they could help. But 58% of IT executives said their organization’s cybersecurity budgets are not adequate.