Despite increasing ransomware attacks on state and local governments, a high number of employees have seen no change in preparedness from their employers.

That’s according to a new Harris Poll survey sponsored by IBM Security, which polled 690 employees who work for state or local government organizations in the United States.

Seventy-three percent of government employees surveyed are concerned about impending ransomware threats to cities across the country, and more employees fear cyberattacks to their community than natural disasters and terrorist attacks.

IBM’s Christopher Scott

Christopher Scott, global remediation lead for IBM X-Force Incident Response and Intelligence Services (IRIS), tells us the security industry is seeing a skills gap, and it’s even more difficult for state and local governments to secure top security talent.

“However, government decision makers should understand that they don’t need to be handling these issues alone and that securing assistance from MSSPs can help to strengthen their security defenses,” he said.

More than 100 cities across the United States were hit with ransomware in 2019, according to research from Emsisoft. The Harris survey found one in six respondents disclosing their department was impacted by a ransomware attack.

Despite the growth of these attacks, half of the employees surveyed have not seen any change in preparedness from their employers, with only 38% receiving general ransomware prevention training. Also, budgets for managing cyberattacks have remained stagnant according to 52% of state and local government IT/security professionals polled.

“Governments should be ensuring their teams are maintaining and testing backups of their systems, patching systems, creating and implementing incident response plans, and regularly testing their preparedness via threat simulations,” Scott said. “If employees are armed with the proper next steps, governments can avoid crucial missteps and save time in incident response and recovery. Beyond that, providing basic cybersecurity training and raising awareness around common cyber threats is a great starting point.”

Some general best practices include:

Election security is top of mind for government employees, according to the survey. Some 63% of respondents are concerned that a cyberattack could disrupt the upcoming elections, with most government employees placing their local board of elections among the top three most vulnerable systems in their communities.

The Cybersecurity Infrastructure Security Agency (CISA) has warned that ransomware attacks, in particular, pose a heightened risk to the elections. According to the study, the fear of ransomware attacks feels real to the vast majority of responding government employees, with 73% expressing concerns about threats to U.S. cities.

“The world of cybersecurity continues to evolve and there are real threats to many of our cherished and trusted systems,” Scott said. “For these systems, making sure that people are paying attention to anything suspicious with voting machines and securing them through functions such as red-team…

…testing before and after votes, making sure any accounts and passwords are properly changed and maintained, and understanding what the risks are and being able to articulate the security of those systems to voters.”

Education respondents had the lowest amount of cybersecurity training compared to other surveyed state and local professionals. In general, 44% of those from the public education sector said they hadn’t received basic cybersecurity training, and 70% said they hadn’t received adequate training specifically on how to respond to a cyberattack. With low training numbers, the majority of education respondents aren’t overly confident in their ability to recognize and prevent a ransomware attack – confidence is nearly 20% lower than other state and local employees surveyed.

With ransomware attacks against cities likely to continue in 2020, both U.S. government employees and taxpayers believe the federal government should step in to assist. The survey shows 78% of government employees believe the federal government should provide assistance to communities in responding to cyberattacks, echoing sentiments from IBM’s 2019 study where 50% of U.S. taxpayers said it’s the federal government’s responsibility to protect cities from ransomware. The majority of state and local employees also believe cyberattacks warrant emergency support, similar to those used for natural disasters.

While the study details where work needs to be done in preparing cities for cyberattacks, the results also showed some improvements made since last year. When asked whether they had seen any increases in preparedness and concern for cybersecurity in their departments, government employees said they had seen more improvements than not, and nearly 70% think their employers are currently taking the threat of cyberattacks seriously. City and state employees ranked ransomware No. 3 among the threats they were most familiar with – demonstrating that well-publicized attacks are increasing awareness of incident response plans, and regularly testing their preparedness via threat simulations.