As a cyber security expert and a city mayor, Intrust IT’s own Dave Hatter is in a unique position to share insights on cybersecurity for municipalities.
Even before the COVID-19 crisis increased ransomware attacks, municipalities were prime targets. Atlanta and Baltimore are just two municipalities that had to pay hefty ransoms because their data was hacked, encrypted and made inaccessible.
In fact, 2019 saw a 60 percent increase in ransomware attacks against municipalities. When a town, city or county government system is attacked, it’s often taxpayers who foot the bill.
More and more cities are adding technology to run traffic lights, water systems, etc. Imagine what would happen if YOUR city police, fire or even water departments were hacked. Talk about chaos!
If you are a mayor, councilperson, fire chief or police chief, it’s time to get serious about cybersecurity. That means creating a plan (if you don’t have one) or reviewing your current cybersecurity measures with a qualified expert.
Municipalities Make Attractive Targets
Most organizations don’t have legal or health-related data, but municipalities do. Businesses are getting more savvy about cybersecurity but most local governments are behind the curve. That makes them easier targets. Also, because of the sensitive nature of government data, municipalities may be more likely to pay ransoms.
The largest cyber threats to cities are attacks in the form of ransomware and phishing (email-based attacks).
Ransomware Attacks on Municipalities
Cities and city-related organizations like fire departments are getting hit with ransomware because they have very sensitive data, including personal data on employees and data about criminal cases. Ransoms for municipalities are not cheap and they keep going up.
But the risk isn’t for data alone. More and more cities are adding technology to run traffic lights, water systems and more. The same way hackers breach to collect data, they could also gain control of these vital systems.
The FBI advises they not pay and many municipalities are following that advice after Baltimore mayor Bernard Young refused to pay a requested ransom in 2019. The U.S. Conference of Mayors adopted a resolution that states, in part:
…ransomware attacks can cost localities millions of dollars and lead to months of work to repair disrupted technology systems and files…
...paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit…
…the United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm.
…the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.
The U.S. Conference of Mayors
Phishing (Email Based Attacks)
Cybercriminals are incredibly creative with emails designed to trick people. The initial goal of the phishing email is to get the user to click a link or take another action that lets hackers into your system.
Once they get into your system through phishing an email, they can do even more damage: like changing invoices to direct money into their account rather than into the municipality’s bank. They can calso steal data, hold it for ransom and more.
Most municipalities, especially the smaller ones, don’t have IT staff. Or, if they do, it’s a single person or small team trying to do everything. There isn’t time to stay up to speed on the latest security threats and patches.
City leaders may not know the right questions to ask or don’t see the potential risk. It's only after an attack that they think, “Maybe we should have spent more money on cyber security rather than having to pay now to fix the breach and recover our data.” The cheapest and best way to do that is to use a managed service provider (MSP) and to make yourself a harder target.
From One Mayor to Another: Hire a Managed Service Provider
I’m not just the cybersecurity expert at Intrust IT: I’m also the mayor of a city. So, I know the true value of working with a managed service provider to secure your municipality. My city does.
An MSP will make sure your municipality’s network is constantly secure. MSPs use phish testing, management tests, employee training and software monitoring. A good MSP will do all this proactively because the company is incentivized to protect your municipality and keep operations running smoothly.
As city officials, we have a duty to taxpayers and residents to spend a little to prevent a breach instead of spending a lot to recover our municipality’s data after an attack. Especially since there is a real risk of not recovering your data or systems even if you do pay the ransom.
Choosing a Managed Service Provider for Your Municipality
Here are some things to consider when hiring a managed service provider (MSP) for your municipality:
- Hire an MSP with previous municipal experience. Municipalities are unique beasts with their own rules and regulations (e.g., open meetings law, open records law). Your managed service provider should have an understanding of these to be able to guide you. Also, that experience will help your MSP provide recommendations for how long you should hold on to data and when to archive or purge.
- Make sure your MSP has a deep enough bench. Keeping up with cyber security changes is challenging for anyone, but more so for smaller teams of people wearing multiple hats. With a larger team, you are more likely to have experts on hand who have experience with your particular issue or challenge.
- Cyber security is a very technical topic and you’ll need to explain at least the basics to city officials and employees. So, choose an MSP team that excels in plain-language explanations and training. You’ll want them to be approachable and responsive, too.
- To ease budget conversations with city employees or officials, find examples of other cities that have been hit with a cyber attack and add up the costs of not doing enough. Consider the dollars spent, of course, but also lost revenue during outages, and the lost ratings and confidence of taxpayers. Your MSP may be able to help with this research.
- Make sure you know what your municipality’s cyber insurance covers and what it doesn’t. Your MSP should be able to help you fill the gaps or evaluate alternative policies.