Securing local government information systems and data is an ongoing—and alarming—concern for local government managers and chief information officers (CIOs), and news stories about cybersecurity vulnerabilities appear almost daily.

That’s why ICMA, in partnership with the University of Maryland Baltimore County (UMBC) surveyed CIOs about cybersecurity practices and related issues. And while the survey responses were being analyzed, yet another news story appeared: A column in Governing, The Cyberthreat to Government That's Lurking in the Shadows (April 2017), highlighted the threat posed by the use of unsanctioned software on workplace computers as technological advances make it increasingly easy to download and install software and access cloud services.

The goal of the Cybersecurity 2016 Survey was to better understand the local government cybersecurity landscape, including what capacities cities and counties possess, what kind of barriers they face, and what type of support they have to implement cybersecurity programs.

Cybersecurity Survey Findings

Perhaps unsurprisingly, a key finding of the ICMA/UMBC survey was that insufficient resources presented the greatest barrier to achieving the highest levels of cybersecurity. Although nearly a third (32 percent) of respondents reported that their local government information systems had experienced more attacks, incidents, and breaches during the past 12 months than in the previous period, 58 percent cited the inability to pay competitive salaries as the greatest barrier; 53 percent cited insufficient number of cybersecurity staff; and 52 percent indicated that it was a general lack of funds.

It’s true that the public sector pays considerably less than the private sector for cybersecurity expertise, which places further pressure on U.S. local governments to find ways to fund compensation in this explosive industry. Currently, this booming field has zero unemployment and one million unfilled jobs, and experts estimate that the shortfall will reach 1.5 million by 2019.

On a more positive note, 77 percent of survey respondents reported that their local government had developed rules governing the creation and changing of passwords, and 62 percent had policies governing the use of personally owned devices.

Furthermore, when responding to questions about the top appointed official, only 3 percent reported that this official was unaware of cybersecurity issues, and only 3 percent reported that the official provided no support for cybersecurity.

When asked to rank the top three things most needed to ensure the highest level of cybersecurity for their local government, respondents cited greater funding as number one, better cybersecurity policies as number two, and greater cybersecurity awareness among local government employees as number three in importance.

Other highlights of the ICMA/UMBC cybersecurity survey results include:

  • Only 1 percent of responding local governments have a stand-alone cybersecurity department or unit. Primary responsibility for cybersecurity is most often located within the IT department.
  • Despite the fact that nearly 70 percent of responding local governments have not developed a formal, written cybersecurity risk management plan, nearly 41 percent conduct an annual risk assessment and an additional 16 percent take stock of their risk at least every two years.

Access the complete survey results.

Cybersecurity Resources from ICMA

ICMA has published articles and blog posts that describe ransomware and other cyberattacks, explain vulnerabilities and risks, and provide advice for securing systems and preventing breaches. Here are some key resources:


New, Reduced Membership Dues

A new, reduced dues rate is available for CAOs/ACAOs, along with additional discounts for those in smaller communities, has been implemented. Learn more and be sure to join or renew today!