FACT SHEET

Four Cybersecurity Essentials for SLTTs

Cyberattacks can cause widespread disruption. Cybersecurity isn’t just best practice—it’s civic duty. State, local, tribal and territorial (SLTT) governments should start with these foundational practices:


Protect Government Systems and Information with Phishing Training

Phishing happens when attackers trick people into clicking harmful links, opening fake emails or downloading malicious attachments. These actions can expose sensitive information or install malware. Train employees to recognize and avoid suspicious messages.

  1. Use available training resources.

    Threat literacy helps staff understand how attackers operate and how to respond. Use phishing simulations that mimic real threats your agency might face. Frequent, realistic testing helps employees build lasting awareness. Coordinate with state-level cybersecurity programs or fusion centers for resources.

  2. Keep employees informed.

    Designate someone to track emerging threats. Ask them to share updates between trainings. Remind employees to stay alert. If a message feels off, staff should verify it—but not by replying or using any phone number or link in the message. Instead, use a search engine to look up the business’s phone number or use a known contact method.

  3. Build a culture of cybersecurity.

    Make it safe for employees to report phishing attempts, even if they have already clicked a link, downloaded malware or shared data. A no-blame culture promotes quick action and reduces the chance of widespread damage. Ensure policies cover how to report phishing attempts and how to use official communication channels, and lay out requirements for regular security training.


Require Strong Passwords

Strong passwords are a simple but powerful way to block criminals from accessing your accounts through guessing or automated attacks. Make strong passwords standard practice.

  1. Require strong, unique passwords.

    Enforce policies that require passwords that are long (16+ characters), random (a mix of upper and lowercase letters, numbers and symbols, or a passphrase of 5–7 unrelated words) and unique (different for each account). Review and update password policies as guidance evolves.

  2. Provide a password manager.

    An organization-wide password manager makes it easier for employees to follow best practices. It generates complex passwords, fills them in and stores them securely. Employees only need to remember one strong password for the password manager. 

  3. Change default passwords.

    Many products come with default usernames and passwords that are widely known and easily exploited. Require staff to change default credentials before using systems. 

  4. Set password management policies.

    Ensure policies include scheduled password updates, immediate disabling of default or unused accounts, logging and monitoring of failed login attempts, and regular training.
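The failed-login monitoring in item 4 and the default-account rule in item 3 can be turned into a concrete check. The following is an added example written for this fact sheet, not a CISA tool: it reads a constructed, simplified log format (`<timestamp> auth failure|success user=<name> src=<ip>`) and flags brute-force bursts against one account, password spraying (one source trying many accounts), any use of a vendor default account, and, most importantly, a success that follows a burst of failures, which is the sign that guessing may have worked. The thresholds, window, default-account list and sample lines are all assumptions; adjust the regex to whatever your identity provider or VPN actually logs.

```python
"""Added example (not from CISA): spot suspicious failed-login patterns in auth logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log format; real IdP/VPN logs differ, so adjust LOG_RE.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>failure|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
# Assumed list of vendor default accounts; these should be disabled, so any use is an alert.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest"}
FAILURE_THRESHOLD = 5          # failures for one user from one source inside WINDOW (assumed)
SPRAY_USER_THRESHOLD = 4       # distinct users failing from one source inside WINDOW (assumed)
WINDOW = timedelta(minutes=10)

def parse(lines):
    """Turn raw lines into event dicts (sorted by time), skipping lines that do not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events

def _burst(timestamps, needed):
    """True if `needed` consecutive (sorted) timestamps fall inside one WINDOW."""
    for i in range(len(timestamps) - needed + 1):
        if timestamps[i + needed - 1] - timestamps[i] <= WINDOW:
            return True
    return False

def analyze(lines):
    """Return a sorted list of (alert_type, source_ip, detail) tuples."""
    events = parse(lines)
    alerts = set()
    fails_by_src_user = defaultdict(list)   # (src, user) -> failure timestamps
    fails_by_src = defaultdict(list)        # src -> [(timestamp, user), ...]
    for e in events:
        if e["user"].lower() in DEFAULT_ACCOUNTS:
            alerts.add(("default_account_used", e["src"], e["user"]))
        if e["result"] == "failure":
            fails_by_src_user[(e["src"], e["user"])].append(e["ts"])
            fails_by_src[e["src"]].append((e["ts"], e["user"]))
        else:
            # Only earlier failures are in the list because events are time-sorted.
            recent = [t for t in fails_by_src_user[(e["src"], e["user"])]
                      if e["ts"] - t <= WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.add(("success_after_failures", e["src"], e["user"]))
    for (src, user), times in fails_by_src_user.items():
        if _burst(times, FAILURE_THRESHOLD):
            alerts.add(("brute_force", src, user))
    for src, items in fails_by_src.items():
        # Password spraying: few tries per account, many accounts, one source.
        for i in range(len(items)):
            users = {u for t, u in items[i:] if t - items[i][0] <= WINDOW}
            if len(users) >= SPRAY_USER_THRESHOLD:
                alerts.add(("password_spray", src, f"{len(users)} users"))
                break
    return sorted(alerts)

# Constructed sample log lines (documentation IP ranges, fictitious usernames).
SAMPLE_LOG = """\
2024-03-04T08:00:01 auth failure user=jsmith src=203.0.113.7
2024-03-04T08:00:09 auth failure user=jsmith src=203.0.113.7
2024-03-04T08:00:15 auth failure user=jsmith src=203.0.113.7
2024-03-04T08:00:22 auth failure user=jsmith src=203.0.113.7
2024-03-04T08:00:30 auth failure user=jsmith src=203.0.113.7
2024-03-04T08:00:41 auth success user=jsmith src=203.0.113.7
2024-03-04T09:10:00 auth failure user=alee src=198.51.100.22
2024-03-04T09:10:07 auth failure user=bcho src=198.51.100.22
2024-03-04T09:10:14 auth failure user=dkim src=198.51.100.22
2024-03-04T09:10:21 auth failure user=epark src=198.51.100.22
2024-03-04T09:10:28 auth failure user=fnguyen src=198.51.100.22
2024-03-04T10:00:00 auth success user=admin src=192.0.2.15
2024-03-04T11:00:00 auth failure user=mgarcia src=192.0.2.40
2024-03-04T11:30:00 auth success user=mgarcia src=192.0.2.40
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single mgarcia failure produces no alert; one mistyped password is normal. The spraying detector counts distinct accounts rather than total failures because a sprayer deliberately stays under per-account lockout limits, so a per-user threshold alone would miss it.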


Require Multifactor Authentication (MFA)

MFA helps prevent unauthorized access, even if credentials are compromised, making it one of the most effective ways SLTTs can protect operations and public safety.

  1. Require MFA wherever possible.

    Work with your IT team to implement MFA across systems like email, file storage and remote access. Start with admin accounts and employees who handle sensitive data.

  2. Use the most secure MFA method you can.

    Some forms are much stronger at keeping attackers out. Preferred methods include:

    • Security key: a physical security key (like a YubiKey) used to log in. Provides the best protection against phishing and is easy to use.
    • Authenticator app with number matching: pushes a prompt to your phone; you enter the number shown on the login screen to confirm.
    • Authenticator app with one-time code: generates a new code every 30 seconds; you enter the code on the login screen to confirm.

  3. Make MFA a policy—not a preference.

    Formalize MFA in your policies. Mandate it for all users and require it in vendor agreements. Train employees to recognize and report MFA fatigue attacks (repeated push prompts they did not initiate) and other push notification abuse scams.


Update Government Software

Outdated software and operating systems are prime entry points for cyber attackers. Updating software regularly and patching known vulnerabilities are two of the simplest, most effective ways to protect your community and your data.

  1. Patch promptly and turn on automatic updates.

    Prioritize critical vulnerabilities, especially on public-facing or legacy systems. Use CISA’s free Known Exploited Vulnerabilities (KEV) Catalog to identify which updates are urgent because the flaw is already being exploited.

  2. Replace legacy systems and devices. 

    Isolate legacy systems and monitor them closely for unusual activity. Develop a transition plan for migrating to supported platforms. CISA’s free Cyber Hygiene Services can help you identify outdated systems.

  3. Train employees to take updates seriously.

    Remind staff to leave devices on and connected to the internet to download updates pushed by your IT team, reboot regularly to install updates and check with IT before installing apps.

  4. Coordinate across departments.

    Coordinate updates and patch management across various offices like public safety, courts, transportation and administrative offices. Confirm that your organization's entire network is protected by antivirus/antimalware software and prioritize updates for these tools.


CISA has free resources, tools and guidance to help SLTT governments implement these best practices. Share these tips with your team!