The White House has issued a new order in response to growing cybersecurity threats.  Is your procurement office ready for a ransomware attack?

The recent rise in high-profile ransomware attacks on producers and distributors of critical commodities have hit targets like gasoline pipelines and meat processors.  A quick online search of news articles turns up dozens of examples of similar attacks on public sector entities as well.  The recent hacks of SolarWinds software and Microsoft Exchange exposed vulnerabilities in public sector systems nationwide. A March 2021 study by the consumer technology data group Comparitech reports that 79 ransomware attacks were carried out on government entities in the U.S. and cost an estimated $18.88 billion in downtime and recovery payments in 2020.

In response to this rapidly growing threat, the White House released an Executive Order on Improving the Nation’s Cybersecurity in May  2021.  This EO directs the investment of resources towards  minimizing the risk and impacts of future attacks.  The recommendations laid out in the order can be applied to public-sector organizations at every level.

Pulse is here with some steps procurement officials can take to improve your department’s cybersecurity and mitigate the risks of ransomware.

Step 1: Integrate cybersecurity into all stages of the process.  Get CIOs, CISOs, and agency SMEs more involved in solicitation development, sourcing, evaluation, contract development and management for IT services.  They will help to identify critical vulnerabilities and ensure that the IT services you acquire offer the strongest protections for your information systems and devices.  Update and standardize this process throughout the whole of government and user agencies.

For instructions and best practices for putting this into action, read the NASPO, NASCIO, and CIS report Buyer Be Aware: Integrating Cybersecurity into the Acquisition Process.

Step 2: Be proactive and use the latest tools.  The technologies that many government entities rely on are becoming antiquated at an alarming pace.  The Executive Order mandates that Federal organizations adopt several of the technologies that the private sector has been using for years.  Astute state offices would also take this opportunity to update their defenses, including:

• Using cloud services to back up data frequently and regularly so that your information is recoverable in the event of an attack.
• Adopting endpoint detection and response (EDR) technology to continuously search for, identify, and isolate threats and malware.
• Moving to a zero-trust framework and use multi-factor authentication and encryption on communications and login credentials, especially given the increase of remote teams and telework.

Step 3: Require IT service providers to share breach information.  Often, these service providers are hesitant to come forward when they have detected a breach.  They are averse to providing significant information due to public relations concerns and may use contractual clauses to keep the information shared to a minimum.  The recent EO calls on public sector purchasers to remove these barriers and instead contractually require service providers to promptly share information concerning any breach that could affect government networks.  This would allow your own IT specialists to enact a more robust and timely response.

Step 4: Develop response plans for cyber incidents.  Why wait for an attack to happen?  Work with your CIOs, CISOs, SMEs, and suppliers to create response protocols and risk mitigation strategies for various kinds of cyberattacks or data breaches.  Identify critical data systems and imagine what impacts an attack could have on them.  Make these response plans standard across all users and agencies. Train and educate your agency staff and end users regularly on how to spot and avoid threats and suspicious activity.  Preparation is an integral part of an effective defense.

More cybersecurity and procurement resources:

• For a comprehensive look at threats and defense strategies, read this report from Deloitte: Ransoming government:  What state and local governments can do to break free from ransomware attacks
• Feeling like you’re in over your head? Download this explainer from FCW and OpenGov:  The Non-Technical Guide to Cloud Advantages for Government
• For more about threat detection and EDR, watch this NASPO webinar on improving cybersecurity with StateRAMP and check out their guides and resources.
• For more about zero trust, the U.S. National Security Agency’s Cybersecurity Information Sheet: Embracing a Zero Trust Security Model explains concepts and provides recommendations.