The Cost of Ignoring Patches: How State and Local Governments Can Mitigate Damaging Security Breaches

According to a recent report released by the Multi-State Information Sharing and Analysis Center, governmental agencies are facing an increase in ransomware attacks from nation-state actors and other increasingly clever hackers. In the past, when considering who might be the most vulnerable to a cyberattack, large corporations and federal agencies seemed like the most obvious choice. But over time, more local, essential services such as public safety, social services, education and health sectors find themselves in the crosshairs.
From social security numbers to medical records and private tax information, state and local organizations are home to loads of personal information that can make money-hungry crooks salivate. Combine a wealth of private data with a more rural community with lackluster security safeguards, and cybercriminals often think they can grab themselves a fairly tantalizing feast.
Perhaps one of the biggest weaknesses the public sector faces is the lack of intentionally proactive cybersecurity plans. This is largely due to insufficient funding, limited access to cybersecurity professionals, and an overall lack of documented processes. While many organizations have taken steps to strengthen cyber protections through cybersecurity awareness training, identity management and multi-factor authentication (MFA), strong vulnerability patch management is often left out. Failing to prioritize proper vulnerability management through the patching process can leave massive security gaps that create backdoors for hackers and provide a broader attack surface.
Managing cyber risk should be the highest priority for a government entity. The consequences of an attack could range from disastrous breaches of national security to severe disruptions to critical infrastructure. As a result, it is crucial for entities to supplement these controls with modern approaches that leverage vulnerability management, increase threat intelligence and invest in cyber awareness training for personnel. Local, state, and even federal levels of government are no strangers to working off of legacy systems, many of which are outdated or lack the flexibility to meet modern needs. In turn, this makes legacy systems quite costly to maintain and requires even more downtime for routine maintenance windows.
With extensive systems and networks still run by fragmented groups of IT teams across various departments, many offices and outsourced IT contractors find themselves in a particularly challenging position when it comes to patching vulnerabilities in their operating systems. Coordinating necessary downtime and repeatedly scheduling maintenance windows threatens daily business operations and also puts the sensitive data of the citizens who depend on their service at risk. Because of this, security vulnerabilities can remain unpatched for weeks or even months as tight budgets and overworked IT teams struggle to keep up with demands. Meanwhile, cybercriminals are given an all-access pass to cause widespread disruptions that can cost organizations millions, harming day-to-day operations and further reducing public trust.
Currently, the go-to process for addressing security vulnerabilities involves traditional methods that manually apply patches and bug fixes to vulnerabilities during scheduled system reboots. Because of this, patch management gets viewed as a highly disruptive, all-consuming process that often gets repeatedly pushed aside. This is where choosing to fight automation with automation in the patching process can be the difference between a company going under or narrowly avoiding a damaging attack.
Stepping away from traditional methods and switching to rebootless patching, or “live” patching, especially on outdated enterprise systems, can allow IT teams to significantly streamline the process by automatically applying security patches in the background as soon as they become available or as soon as a vulnerability is detected. Immediate patch deployment also eliminates the need for downtime, minimizing the windows of exploitable vulnerabilities and allowing public services to continue operating at a smooth pace. Additionally, placing such a tedious task on autopilot further ensures that agencies remain compliant with regulations while reducing the number of resources and labor required to do so.
While patching is crucial, it is only one of the tools to have in your cybersecurity toolbox. A robust security strategy also involves proactive incident response plans and an increased cyber awareness that starts from the inside out. Human error is a significant reason for many repeated security breaches. Tired employees opening that last email of the day may accidentally click a phishing link without thinking or open a spam email that infects a computer within minutes.
Public service employees face an abundance of risk every time they sit behind a government-issued computer. Their extensive networks create a high-profile target for hacking efforts due to the ease of access to critical infrastructure, public services and even security data. As a result, vigilance, least-privilege access and multi-factor authentication services are vital to the cyber success of an entity. While it is true that government employees often undergo cyber awareness training at the beginning of their service, it is essential to maintain these threat detection skills and establish annual ongoing education. By taking these practical steps to leverage automated solutions, understand the importance of timely patching and prioritize proactive threat response and mitigation through cyber awareness, state and local communities can dramatically reduce threats and their associated costs.
About the Author
Joao Correia serves as the Technical Evangelist at TuxCare, an innovator in enterprise-grade cybersecurity for Linux. Joao can be reached online at @jcorreiacl and at our company website https://www.tuxcare.com/