Modernization

Study: N.J. localities poorly equipped to manage IT risk

A Rutgers University study argues that many of New Jersey's municipalities don't have the tools to keep their networks safe and data secure.

By Alex Koma

January 8, 2016

Many of New Jersey’s local governments are ill equipped to safeguard against the risks inherent in managing their networks and working with citizens’ data, according to the results of a new report.

The study, prepared by researchers at Rutgers University’s Bloustein Local Government Research Center and released late last month, reveals substantial problems with how many of the state’s cities and counties manage IT, and attempts to offer solutions to remedy those issues. Most notably, a survey of 174 of New Jersey’s 565 local governments revealed that just nine municipalities have a data breach policy in place, and only 56 have performed any sort of strategic IT planning.

Similarly, the survey found that only 30 governments have ever commissioned third-party audits of their IT, and the same number has conducted intrusion testing of their systems. In all, researchers noted that more than half of the respondents managed personally identifiable information, “with most of it stored on worksheets or in databases,” leaving it vulnerable.

“Our technological sophistication is all over the place,” Marc Pfeiffer, the study’s author, told StateScoop. “We’ve got places that do a great job, some municipalities have no understanding of what they’re doing at all.”

Pfeiffer said the study — conducted at the behest of the governments’ self-insurance fund — reveals that the cities and counties are about to hit “an inflection point” when it comes to learning to deal with risks associated with IT.

While he stressed that cybersecurity is a huge area of concern, he added that it’s hardly the only area that governments need to consider as they try to cut down on technological risk.

In the report, Pfeiffer emphasized that simple human error can often be as a damaging to municipalities as any advanced cyber attacker. He said that his research revealed that the people managing government networks often lacked the necessary technical proficiency to effectively keep them safe, simply because the municipalities don’t have the resources to hire full-time IT staffers.

“We have situations in smaller places where a police officer who was into computers at some point is managing the networks,” Pfeiffer said. “Do they have any training, other than what they’ve learned by the seat of their pants? Probably not.”

Pfeiffer added that many smaller municipalities contract out the work of managing their networks — his survey found that 59 percent of 130 respondents said they used contractors for network maintenance — and that can cause bigger problems.

“If I’m a guy that’s serving as a network admin for a town, I’m part time, I’m working remotely,” Pfeiffer said. “Most folks don’t know or appreciate the risks that are out there [they] may be politically connected, friends of the mayor, friends of somebody, or they’re just a small business person who’s helping out.”

With such scattered management, Pfeiffer noted that the lack of IT governance policies or other strategies is particularly disturbing. He attributed that to the frequent turnover of elected officials at the local level, leading to shortsighted thinking about technology that can hamstring municipalities.

“Governing body members still need to understand that they have responsibility for this,” Pfeiffer said. “It requires permanent attention to spend that they didn’t have to spend before.”

That’s why one of the study’s biggest recommendations is that municipalities work to establish clear governance policies that lay out “some focus of responsibility for how IT decisions are made,” as well as plans for how they’ll manage IT over the next several years, Pfeiffer said.

“Set up a three-year plan, but revisit it and modify it because it’s going to change,” Pfeiffer said. “It can just be the mayor or county administrator or governing body member, sitting down and saying ‘OK, what do we think we’re doing for the next couple years? What’re the risks we have to deal with?’”

Pfeiffer also hopes to see governments focus on training workers and leaders alike on good “cyber hygiene” habits, and boost their “technical competence” as much as possible as well.

“It takes training the folks who say, ‘I’ve got more important stuff to do, stuff that’s biting me every day, this technology risk is more amorphous, it may never happen, I may not ever have to do something,’” Pfeiffer said. “Give them some guidance and fill in their knowledge gaps about what they can do.”

Yet, outside of personal experience with a data breach, Pfeiffer worries that many government workers may struggle to get the message, since “it’s something new, but government doesn’t adapt to new very easily.”

But he’s optimistic that the state’s municipalities will come around eventually, and he hopes other governments heed his warnings too.

“Even though we focused on Jersey, the concepts of proficiency and risk maturity, they have applicability in a much wider spectrum than just our government agencies here,” Pfeiffer said.