The Indiana Office of Technology is teaming up with Purdue University and Indiana University to help the state’s cities, towns and counties beef up their cybersecurity.
Under the terms of the arrangement, the state is providing $3.96 million to fund cybersecurity assessments that will be conducted by staffers and students at Purdue and IU at no cost to the participating local governments.
Participating entities will be asked to fill out a questionnaire about their cybersecurity practices, and then a representative from Purdue or IU will conduct an on-site visit. After that, the participant will receive a report that includes a cybersecurity rating and a list of recommendations for improvement.
The Indiana Office of Technology, which is overseeing the program, says it expects to conduct at least 342 of the voluntary assessments over the next four years.
“I think it will make a serious impact to protect Hoosier data,” said Indiana Office of Technology spokesman Graig Lubsen.
The recommendations will focus on short-term actions that the government entity can implement quickly, Lubsen said.
The assessments will be useful to very small government entities that might be just starting to strengthen their cybersecurity, Lubsen said. But they should also be of value to larger entities that have more sophisticated setups.
“Having outside eyes look at how you’re implementing [a cybersecurity program] can really help improve you,” Lubsen said.
The idea for the program came from feedback that the Indiana Office of Technology has gathered from a listening tour that will have covered all 92 counties by the end of this year. During the tour, Lubsen said, local officials expressed an interest in cybersecurity assessments.
In the bigger picture, Lubsen said, the program will help secure the state’s overall cybersecurity posture. A cybersecurity vulnerability on the local level can harm state government systems and, vice versa, because of the amount of information that flows between local and state government.
“We’ve got a lot of systems that talk to each other: voting, taxes, etc.,” Lubsen said.
And Indiana government entities are being targeted by cybercriminals, statistics show.
A state law that went into effect in July 2021 requires all political subdivisions to report cyberattacks such as ransomware, business email compromise and other attacks within 48 hours of discovery.
Since then, Lubsen said, the Office of Technology has received about 200 incident reports. In about 70% of those cases, the reporter classified the incident as unsuccessful in gaining system access.
According to a “State of Ransomware in State and Local Government 2022” report, issued last month by the cybersecurity firm Sophos, 58% of local government organizations were hit by ransomware attacks in 2021. That’s in comparison to 34% that reported such attacks the previous year.
The Sophos report also said that only 20% of state and local government entities were able to stop the ransomware attacks before their data was encrypted, “suggesting that state and local government organizations are poorly equipped to identify and stop attacks before damage is done.”
That report was based on a survey conducted in January and February of 5,600 information technology professionals, including 199 from state and local governments, across 31 countries.
The Indiana cybersecurity program will begin this year with assessments on a “small, diverse set of Indiana local governments,” Lubsen said. And from there, Purdue and IU will build a methodology the assessment teams can use when the program scales up next year.
Interested participants can sign up here.