The State of Ransomware in Government 2021 report finds that government agencies are facing a ransomware “national emergency.” Local governments in particular face higher rates of encryption during cyber attacks due to constrained budgets and organizational pressure to divert funds away from cybersecurity, leaving gaps in their data protection. 

Meet Todd Bayley and Tonya Digiorno

We had the opportunity to talk at length with Pasco County CIO, Todd Bayley, and El Dorado County Director of IT, Tonya Digiorno, about the cybersecurity challenges facing state and local governments, and how they protect their critical data and the livelihoods of their citizens.

Jared Vichengrad: Tonya and Todd, thank you for taking the time to meet and talk about cybersecurity challenges facing state and local governments. To begin, please tell me about your role and organization.

Tonya: My role as the IT Director at El Dorado County, California is to deliver secure and effective information technology systems, solutions, and services to County departments that support the residents of El Dorado County. 

Todd: As the Chief Information Officer for the centralized IT department of Pasco County, Florida, we service and support 600,000 residents, as well as 55 different lines of business from emergency services to natural resources, in addition to judicial and constitutional offices. 

Data Security in 2022

Jared Vichengrad: Can you describe the importance of the type of data you work with? What would happen if it was compromised? 

Tonya: In 2020, ransomware impacted over 2,300 government agencies, educational establishments, and healthcare providers, at a potential cost of untold billions of dollars. Each department owns and manages data, many of which have mission-critical applications that aid in providing valuable services to the public such as police, fire, and emergency services. If the data from any of these service areas were compromised, we would be unable to provide the service to the citizens of our county. 

Data is our gold mine. The cybercriminals understand how invaluable data is to us and that is precisely why they take it for ransom. 

Todd: Our reputation, trust, and integrity to our citizens are paramount. Our data is critical to operating every aspect of our organization, from protecting our fire/rescue patients to our safe drinking water systems. If this data was held for ransom, compromised, or corrupted, we have manual processes and backup plans. However, those processes and functions would be in a severely degraded state. In some situations, missing or corrupt data would cause systems to initially shut down, especially utility or power-related, affecting clean water systems and wastewater systems.

The operational setback without our production data and systems would cost millions per week, but more importantly, we would jeopardize public trust and confidence.

Government agencies vs. ransomware

Jared Vichengrad: How are you managing and minimizing the impact of cybersecurity challenges facing state and local governments?

Tonya: At El Dorado County, we continuously train our employees on the threat landscape of cybersecurity. We need to know where our data resides and have a plan to manage and govern that data. All this revolves around our defense-in-depth strategy, which includes best practices, ensuring only the right people have the appropriate data access, along with strong user authentication, immutable backups, and fast recoveries with Rubrik Ransomware Monitoring & Investigation. 

In addition to the back-end protection, we have augmented our security office with a 24x7 Security Operation Center as a Service and implemented endpoint protection with augmentation to conduct investigations and remediation. It’s critical to have 24x7 monitoring, particularly within this landscape.

Todd: I meet with the County Administrator regularly, and follow all security best practices where possible, including CISA, MS-ISAC, and CISA’s Shields Up. The best approach to managing and minimizing impact is to have a DR or incident response plan, table-top testing at a minimum, and an understanding of your internal weaknesses and vulnerabilities. My responsibility as a member of the senior management team at Pasco County is to continue to educate and tell our story regarding the importance of our cyber security initiatives, the value of our data, the critical nature of our operations, and recommend proactive methodologies and processes. Such methodologies include cyber training the workforce, shutting employees off the network if they fail phishing tests, and investing in critical technology such as Rubrik.

At the end of the day, the most critical aspect is to keep our trust with the citizens of Pasco County; this alludes to doing whatever we can to safeguard the data that they have entrusted to us.

Available cybersecurity resources

Jared Vichengrad: How have you been able to leverage any federal funding such as stimulus funding, CARES Act, or ARPA for cybersecurity?

Tonya: We utilized the CARES Act for several security enhancements, including Rubrik’s Sensitive Data Monitoring & Remediation.

Todd: We had budgeted for this technology before the pandemic and never used CARES or ARPA funds, although they certainly apply and can be used. We review federal funding opportunities at the senior management level continuously, where we also address critical needs and concerns for our citizens. Having addressed our backup & restore strategies with Rubrik in our annual budget boosted our County Administrators’ confidence in our department.

Jared Vichengrad: Any lasting advice you’d like to leave your peers with?

Tonya: As the custodians of your county’s data, it will always be your responsibility to understand your assets, your data, and the proper controls you must adhere to in order to protect their data. Build those strong partnerships with your businesses and put that security education back out there.

Todd: Have regular monthly meetings with your departments and leverage the issue of cybersecurity at the table to make sure every single person is prepared to mitigate any risk that may come at them. 

What’s next for cybersecurity

The future of cybersecurity is data security. Without data security solutions like Rubrik Security Cloud, organizations–both public and private–are vulnerable to ransomware attacks that leave their most valuable asset defenseless. To learn more about data security and its impact on cybersecurity, check out the Rubrik Data Security Summit to hear from top security leaders as they share their key insights and strategies for mitigating cyber risk.