Page 1 of 12 Cyber Threats & Solutions Report: Municipal governments lack funding to reach high level of cybersecurity WASHINGTON May 2, 2017 The inability to pay competitive salaries, insufficient cybersecurity staff, and a general lack of funds present serious barriers to local governments achieving the highest levels of cybersecurity, according to a survey of local government chief information officers conducted by ICMA, the International City/County Management Association, in partnership with the University of Maryland Baltimore County. The goal of the Cybersecurity 2016 Survey was to better understand current local government cybersecurity practices and their related issues, including what capacities cities and counties possess, what kind of barriers they face, and what type of support they have to implement cybersecurity programs. Despite nearly a third (32 percent) of respondents reporting an increase in cyber attacks to their local government information during the past 12 months, 58 percent indicated that the inability to pay competitive salaries prohibited them from achieving high levels of cybersecurity. Fifty-three percent cited an insufficient number of cybersecurity staff as the primary obstacle, and 52 percent said it was a general lack of funds. The public sector pays considerably less than the private sector “Because the costs to restore compromised data are staggering, local governments must understand what resources they need to achieve their cybersecurity objectives and ensure the safety of their data.” for cybersecurity expertise, which places further pressure on U.S. local governments to find ways to fund compensation in this explosive industry. Currently, this booming field has zero unemployment and one million unfilled jobs, and experts estimate that the shortfall will reach 1.5 million by 2019. When asked to rank the top three things most needed to ensure the highest level of cybersecurity for their local government, respondents cited greater funding as number one, better cybersecurity policies as number two, and greater cybersecurity awareness among local government employees as number three in importance. “As local governments become increasingly reliant on technology and the Internet, they must also become increasingly diligent about the security they provide for the data and information they collect and manage,” said ICMA Executive Director Marc Ott. “Because the costs to restore compromised data are staggering, local governments must understand what resources they need to achieve their cybersecurity objectives and ensure the safety of their data. The results of the ICMA- UMBC Cybersecurity 2016 Survey can help local leaders identify and evaluate critical resource shortages.” Other highlights of the ICMA/ UMBC cybersecurity survey results include: Only 1 percent of responding lo- cal governments have a stand-alone cybersecurity department or unit. Primary responsibility for cybersecurity is most often located within the IT department. Roughly 62 percent of responding jurisdictions have developed a formal policy governing the use of personally-owned devices by governmental officials and employees. Nearly 70 percent of responding local governments have not developed a formal, written cybersecurity risk management plan, but nearly 41 percent conduct an annual risk assessment and an additional 16 percent take stock of their risk at least every two years. The Cybersecurity 2016 Survey was mailed (with an online option) to the chief information officers of 3,423 U.S. municipalities and counties with populations of 25,000 or greater. Responses were received from 411 local governments for a response rate of 12 percent. Review the complete results of the survey at: http://icma.org/cybersecurity2016surveyresults. About ICMA ICMA, the International City/ County Management Association, advances professional local government worldwide through leadership, management, innovation, and ethics. ICMA is second only to the federal government in the collection, analysis, and dissemination of data focused on issues related to local government management. Through expansive partnerships with local governments, federal agencies, nonprofits, and philanthropic funders, the organization gathers information on topics such as sustainability, health care, aging communities, 38 39 Introduction In 2016, the International City/County Management Association (ICMA), in partnership with the University of Maryland, Baltimore County (UMBC), conducted a survey to be ter understand local government cybersecurity practices. The results of this survey provide insights into the cybersecurity issues faced by U.S. local governments, including wha their capacities are, what kind of ba riers they face, and wha type of suppor they have to implement cybersecurity programs. Methodology The survey was sent on paper via postal mail to the chief information o ficers of 3,423 U.S. local governments with populations of 25,000 or greater. An online submission option was also made available to survey recipients. Responses were received from 411 of the governments surveyed, yielding a response rate of 12%. Cities were ove represented among respondents while counties were underrepresented. Similarly, higher percentage of responses received from larger communities compared to sma ler communities. Further, jurisdictions in the Mountain region of the U.S. were ove represented, while jurisdictions in the Mid-Atlantic and East South-Central regions were unde represented. The following report reflects trends among the unweighted survey responses, and should only be considered to be representative of the responding governments. Weighting should be applied to achieve representation of the broader survey population. Cybersecurity 2016 Survey Summary Report of Survey Results Cybersecurity 2016 Survey Number Surveyed Number Responding Response Rate Total 3423 411 12.0% Population Size Over 1,000,000 42 11 26.2% 500,000 - 1,000,000 98 20 20.4% 250,000 - 499,999 168 26 15.5% 100,000 - 249,999 532 63 11.8% 50,000 - 99,999 939 108 11.5% 25,000 - 49,999 1644 183 11.1% Geographic Division New England 183 23 12.6% Mid-Atlantic 391 23 5.9% East North-Central 782 94 12.0% West North-Central 266 26 9.8% South Atlantic 541 79 14.6% East South-Central 253 20 7.9% West South-Central 354 41 11.6% Mountain 220 48 21.8% Pacific Coast 433 57 13.2% Type of Government Municipalities 1893 267 14.1% Counties 1530 144 9.4% economic development, homeland security, alternative service delivery, as well as performance measurement and management data on a variety of local government services—all of which support related training, education, and technical assistance. About the University of Maryland Baltimore County UMBC is a dynamic public research university integrating teaching, research, and service to benefit the citizens of Maryland. As an Honors University, the campus offers academically talented students a strong undergraduate liberal arts foundation that prepares them for graduate and professional study, entry into the workforce, and community service and leadership. UMBC emphasizes science, engineering, information technology, human services and public policy at the graduate level. UMBC contributes to the economic development of the State and the region through entrepreneurial initiatives, workforce training, K-16 partnerships, and technology commercialization in collaboration with public agencies and the corporate community. UMBC is dedicated to cultural and ethnic diversity, social responsibility and lifelong learning.