State and local governments, on the other hand, face no such deadline to update their security postures. Unfortunately, they are less secure as a result: The rate of ransomware attacks in state and local governments has increased from 58 percent to 69 percent year over year.
The federal government’s commitment is not just a bureaucratic mandate — it’s a strategic response that recognizes the importance of proactive defenses amid an escalating threat landscape. As federal agencies prepare to go zero trust in less than 12 months, let’s look at why state and local governments should set their own aggressive deadlines.
WHY MANDATES MATTER
The success of the federal government’s zero-trust transition highlights the need for state and local mandates. The strict deadline serves as a catalyst, compelling action and fostering a resilient cyber culture.
This is something that challenges even the private sector. Despite post-pandemic predictions that digital transformation, remote work and the growth of the cloud would speed up zero-trust adoption, actual progress has been slower than expected. While zero trust remains a top priority in boardrooms, a mere 1 percent of large enterprises boast a mature and measurable zero-trust program. In stark contrast, federal government agencies have spent the past two years under a directive to meet specific cybersecurity standards and objectives by the end of fiscal year 2024.
The deadline is prompting action. With a goal in sight, federal agencies have a systematic and organized path toward stronger defenses. In an era where cyber threats advance in sophistication and intensity, this proactive stance is paramount for securing critical systems and data. This is something state and local governments must consider when fortifying for the future.
EXPLOITED VULNERABILITIES, COMPROMISED CREDENTIALS
Examining the causes of the most significant ransomware attacks on state and local governments reveals a recurring pattern: exploited vulnerabilities and compromised credentials. These vulnerabilities are not just technical flaws but often result from a lack of a comprehensive security strategy. Zero-trust architecture, with its foundational principle of “never trust, always verify,” directly addresses these root causes.
Zero-trust architecture disrupts the conventional security model by operating under the assumption that threats can originate from inside or outside the network. By adopting a stance of continuous verification and validation, organizations can minimize the risk of exploited vulnerabilities. State and local governments must recognize the critical importance of this approach and integrate it into their cybersecurity frameworks.
Further, zero trust prioritizes multifactor authentication, constraining access through the principle of least privilege and continually monitoring user activities. These safeguards serve as a robust barrier to unauthorized entry, effectively diminishing the vulnerabilities linked to compromised credentials.
Putting such a system in place involves various solutions. The essential elements include zero-trust network access, identity access management, device security, cloud security and any solution customized to meet the enterprise’s requirements for in-device security, such as unified endpoint management and endpoint security solutions. Zero trust is a big project that demands a comprehensive approach and a firm completion date.
LEADERS MUST TAKE CHARGE IN BUILDING RESILIENCE
In the absence of mandates, it’s up to state and local cybersecurity leaders to chart their way to zero trust. Chief information officers must therefore play a pivotal role in setting timelines, analyzing defenses and working with executives to make this possible.
This begins with evaluating risks, identifying important assets and creating an implementation road map. CIOs also need to explain the significance of adopting a zero-trust mindset and make sure that all team members understand their roles in maintaining a secure digital environment. It often involves taking the lead and actively participating in educating the workforce, ensuring there are no weak human links for hackers to exploit.
The good news is that state leaders know the problems. The 2023 State CIO Survey from the National Association of State Chief Information Officers finds that endpoint detection and identity access management are receiving the most cybersecurity attention. Additionally, respondents say cybersecurity is their top priority for the year ahead. The bad news? Cybersecurity has been the top priority for 10 years running. Something more needs to happen to turn intention into reality. The urgency of state and local government cybersecurity demands it.
The federal government’s commitment, marked by strict deadlines and strategic responses, provides a persuasive blueprint. By setting timelines, addressing root causes and empowering CIOs, state and local entities can forge a unified front against online adversaries.
Apu Pavithran is CEO and founder of Hexnode.
