Target-rich, resource-poor agencies – how to cross the cybersecurity poverty line


By Daniel Kwaku Ntiamoah ADDAI

In many parts of the world, especially in developing countries, government agencies and institutions operate with limited resources. This challenge is particularly acute in Africa, where budget constraints often limit these organizations’ ability to adequately protect themselves against growing cybersecurity threats.

Many government agencies are underfunded, and their cybersecurity programs receive even less attention. Despite being critical infrastructure, these institutions struggle to keep up with the evolving threat landscape due to inadequate financial and technological support.



One of the reasons for this lack of funding is political. In many democracies, particularly in Africa, governments are more focused on securing election victories than addressing systemic issues like cybersecurity. Politicians often prioritize short-term, high-visibility projects—such as infrastructure development or social programs—because they yield immediate results and can sway voters.

Cybersecurity, being a less tangible and less voter-friendly issue, frequently falls to the bottom of the list of priorities, leading to underfunded and vulnerable government institutions.

What does it mean to be “target-rich”?

A “target-rich” organization refers to one that possesses a wealth of valuable data, assets, or access that can be exploited by malicious actors. Government agencies store vast amounts of sensitive information such as citizens’ personal data, classified national security information, and financial records. These entities control essential systems like healthcare, public safety, and social welfare, making them lucrative targets for cybercriminals, nation-state actors, and hacktivists alike.

The concept of “resource-poor”

On the flip side, a “resource-poor” organization is one that lacks the financial, technological, and human capital necessary to effectively defend itself against cyber threats.

These institutions struggle to implement robust security measures due to constrained budgets, outdated infrastructure, and insufficient training for staff. Government agencies in resource-poor countries often fall into this category, operating with inadequate funding and struggling to maintain even basic cybersecurity hygiene.

Defining the cybersecurity poverty line

The term “cybersecurity poverty line” refers to the threshold at which an organization can no longer adequately defend itself against cyber threats. It is the point where the lack of resources directly translates into heightened vulnerability, leaving the organization exposed to a variety of cyberattacks.

Falling below this line means that even basic cybersecurity measures, such as timely software updates, data encryption, and intrusion detection systems, become unaffordable luxuries. For government agencies, being below this poverty line is particularly dangerous, as they are not only responsible for their own operations but also for the safety and security of millions of citizens.

Target-rich, resource-poor agencies: the basis of the cybersecurity poverty line

Target-rich, resource-poor agencies epitomize the cybersecurity poverty line. They possess valuable assets that make them attractive to hackers but lack the resources to adequately protect those assets.

This dichotomy leaves them in a precarious situation: they are highly desirable targets for cybercriminals yet lack the financial and technical means to defend against such attacks. The vast amount of sensitive data stored by government agencies, coupled with their resource limitations, means that they often find themselves below the cybersecurity poverty line.

Government agencies: prime targets for cyber attacks

Government agencies, especially in developing nations, are particularly vulnerable to cyberattacks for several reasons. First, they hold a wealth of sensitive data that can be exploited for financial gain, espionage, or political manipulation.

Second, they often serve as critical infrastructure hubs, meaning that any disruption to their operations can have wide-ranging consequences for public services and national security. Third, the public sector tends to lag behind the private sector in adopting advanced cybersecurity technologies and practices, making it an easier target for attackers.

Moreover, hackers often view government agencies as “low-hanging fruit”: organizations that are easy to breach due to their outdated systems and lack of investment in cybersecurity. Whether motivated by financial incentives, political reasons, or the pursuit of power, cybercriminals recognize that government institutions are some of the most valuable yet under-defended entities in the world.

Bridging the cybersecurity gap for government agencies

Understanding the scope of the problem: government agencies as prime cyber targets

To fully appreciate the severity of the situation, we must look at the numbers. According to the 2023 IBM Cost of a Data Breach Report, the average cost of a data breach in the public sector reached US$2.07 million, with government agencies taking an average of 228 days to identify and contain breaches. Additionally, government entities saw a 33 percent increase in ransomware attacks between 2021 and 2022.

In a report by the Center for Strategic and International Studies (CSIS), it was revealed that cyberattacks on government organizations accounted for 22 percent of all recorded incidents globally in 2022. These numbers highlight the critical need for under-resourced institutions to bolster their cybersecurity defenses.

Limited budget for cybersecurity initiatives

Impact: Government agencies, especially in resource-constrained environments, often operate with very tight budgets. With cybersecurity competing against other urgent priorities like healthcare, education, and infrastructure, funding for protecting digital assets is often minimal or absent. This leaves vital systems exposed to threats like ransomware, phishing, and denial-of-service (DoS) attacks.

Remedies:

  • Prioritize basic cybersecurity measures: Governments can adopt essential low-cost cybersecurity practices like multi-factor authentication (MFA), regular software patching, and user access controls. These are often inexpensive or free and provide a significant security boost.
  • Leverage open-source tools: There are many open-source security solutions available (such as OpenVAS for vulnerability scanning or pfSense for firewall protection) that offer functionality comparable to expensive commercial products.
  • Public-private partnerships: Governments can engage in partnerships with cybersecurity firms to get subsidized access to cybersecurity resources, training, and tools. Additionally, international aid organizations often offer cybersecurity funding, especially for developing countries.
  • Shared resources: Implementing shared cybersecurity services across different agencies can reduce costs. A centralized cybersecurity unit that monitors and manages the security needs of multiple agencies can save money while increasing the overall security posture.

Outdated technology and infrastructure

Impact: Over 45 percent of government agencies continue to operate on legacy systems, according to a report by the Government Accountability Office (GAO). These systems are more vulnerable to known exploits and are difficult to maintain securely.

Remedies:

  • Phased upgrades: Agencies can phase out legacy systems, prioritizing the replacement of the most critical systems first. Rather than upgrading all at once, a phased approach can spread costs over time.
  • Low-cost solutions: Open-source platforms and cloud-based government solutions can offer more secure alternatives without the upfront investment required for commercial products. Governments can move non-sensitive systems to cloud environments for better security at lower costs.
  • Vendor support for legacy systems: If an upgrade isn’t immediately possible, governments should ensure that vendors continue to provide critical security patches and support for legacy systems until they can be replaced.

Lack of skilled cybersecurity personnel

Impact: The global cybersecurity workforce gap was 3.4 million in 2022, with government agencies having trouble recruiting talent due to lower salaries compared to the private sector.

Remedies:

  • Upskill existing IT staff: Agencies can train existing IT personnel to take on cybersecurity roles by offering affordable online courses, certifications, or workshops. Platforms like Coursera, EC-Council, Cybrary, or free resources from SANS and YouTube provide excellent training opportunities.
  • Cybersecurity internships: Partnering with universities to offer internships or apprenticeships in cybersecurity can provide agencies with enthusiastic learners, filling talent gaps while giving students practical experience.
  • Remote assistance: Agencies can contract cybersecurity professionals on a part-time or consulting basis rather than full-time hires, especially for specialized needs like incident response or threat hunting.
  • Leverage international cooperation: Engage in international knowledge-sharing programs or collaborate with organizations like the Cybersecurity and Infrastructure Security Agency (CISA) to gain access to tools, training, and skilled professionals.

Insufficient incident response plans

Impact: Only 40 percent of government agencies have a documented incident response plan, according to the SANS 2022 State of Cybersecurity in Government Report. This leaves agencies ill-prepared to manage the aftermath of an attack.

Remedies:

  • Develop a basic incident response plan: Agencies should create a simple, actionable IRP that includes roles, responsibilities, communication protocols, and recovery steps. Free templates and frameworks are available online, including resources from NIST (National Institute of Standards and Technology).
  • Regular drills and simulations: Conducting cost-effective tabletop exercises and incident response simulations helps ensure readiness. These can be done with existing IT staff without requiring significant additional resources.
  • Use managed security services: If maintaining in-house incident response teams is too expensive, agencies can consider managed security service providers (MSSPs) for 24/7 monitoring and response at a lower cost than building their own team.

Poor cybersecurity awareness among employees

Impact: According to Proofpoint’s 2023 Human Factor Report, 75 percent of successful cyberattacks involve phishing, a method that preys on unaware employees. This highlights the importance of security awareness training.

Remedies:

  • Regular low-cost cybersecurity training: Agencies can run regular training sessions using free or low-cost tools like KnowBe4, which offer phishing simulations and security awareness courses. Free resources from Google’s Jigsaw platform also provide excellent content.
  • Create a cyber-aware culture: Encourage a culture where employees are empowered to report suspicious activity. A simple policy like encouraging staff to verify email requests can prevent phishing attacks.
  • Phishing simulations: Free tools like Gophish can help run phishing simulations within the agency to test employees’ responses, allowing agencies to reinforce lessons through experience.

Limited access to advanced threat detection tools

Impact: Data from the Cybersecurity and Infrastructure Security Agency (CISA) indicates that many government agencies lack basic threat detection tools, leaving them blind to sophisticated threats.

Remedies:

  • Open-source threat detection: Tools like Suricata (an IDS/IPS engine) and Security Onion (for enterprise security monitoring) provide advanced threat detection capabilities without the high costs associated with commercial solutions.
  • Cyber threat sharing networks: Agencies can join cyber threat intelligence sharing communities such as the Information Sharing and Analysis Centers (ISACs). These platforms provide intelligence on emerging threats at little or no cost.
  • Leverage national-level resources: In some countries, national cybersecurity agencies (e.g., Cybersecurity Authority, CSA) provide tools and services to government agencies. Governments should make full use of these shared services where available.

Lack of a cybersecurity culture

Impact: Without a cybersecurity-focused culture, policies and procedures are often ignored. A study by McKinsey showed that 60% of cyber incidents within government agencies could have been prevented with a more proactive security culture.

Remedies:

  • Engage leadership: Agency leaders must champion cybersecurity efforts, setting the tone from the top. Simple actions like discussing cybersecurity at leadership meetings and integrating security into performance evaluations can foster a culture of security.
  • Policy reinforcement: Governments should regularly review and update their cybersecurity policies and ensure they are implemented consistently. Agencies can reinforce policies through internal communication campaigns, posters, or email reminders.
  • Recognize cybersecurity efforts: Publicly recognizing employees who follow good cybersecurity practices or identify potential threats can help incentivize a culture of security across the agency.

A roadmap for crossing the cybersecurity poverty line

To ensure government agencies can cross the cybersecurity poverty line, it is essential to address the fundamental gaps in funding, technology, personnel, and awareness. By prioritizing cybersecurity at a national level, investing in modern infrastructure, and fostering a culture of security, governments can better protect their critical assets from growing cyber threats. Bridging this gap is not only vital for national security but also for the trust and safety of the citizens who rely on these institutions every day.

The writer is a Cyber Incident Response and Digital Forensic Examiner, Threat Combat Ltd.
