By MarKeith Allen, Senior Vice-President and GM at Diligent Mission Driven Organizations
For some time, many local government officials did not recognize the risk of behaviors in which they were engaged. Then, 2020 happened and much of that changed. Local governments need security because of the high level of stored sensitive information and number of systems they use to share data with state and federal government programs. However, they don’t have a good handle on how to approach it but there are steps they can take if they are aware of the situation.
A Steady Drumbeat of Cybersecurity Threats
The amount of data that municipalities deal with has grown exponentially. While often operating on a shoestring budget and with aging infrastructures, local governments tend to rely on their IT team to ensure security rather than a dedicated cybersecurity expert. However, that IT department often does not have the investment it requires, so holes in their security leave them vulnerable to attacks — from viruses to hackers to phishing.
One type of scary cyberattack that has become more prevalent is ransomware, a type of malicious software that gains access to files or systems and blocks user access to those files or systems. These attacks often begin with an email with links or attachments that seem benign but give the hacker access to a single system followed by the network. Although a relatively unsophisticated cybercrime, they can shut down servers, expose data, paralyze 911 centers, and disrupt traffic management systems. A coordinated attack in the fall of 2019 hit 22 smaller Texas communities at once for a combined ransom of $2.5 million. While industry experts discourage paying ransoms for fear of encouraging this type of attack, many cities without reliable backup or backups that are encrypted are left with no option but to pay the ransom to get back up and running. The Texas attack showed that what once was thought to be a big city problem is leaving every local government vulnerable, and attacks are on the rise. 2019 was called the worst year on record for breaches, and then came 2020, and new breaches are being reported all the time. The Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC) noted that 75 ransomware attacks across the country were reported by its 11,000 members between Jan. 1 and June 4.
The Impact of COVID on Security – Remote Work, Insecure Email, Portable Devices
2020 not only introduced us to the COVID-19 pandemic, but it also brought about what many refer to as a cyber pandemic. The forced quarantine in the wake of the COVID-19 pandemic had more people working remotely without access to IT and to security patches and updates. With tens of thousands of small government institutions, ransomware, once on the decline, has become low-hanging fruit for most cybercriminals. Identifying attackers is rare, so it is difficult to make someone accountable. At the outset of 2020, an informal survey conducted by Diligent of municipal officials involved in agenda creation revealed that 97% were transferring sensitive documents via email. With the threat of cyberattacks in the form of ransomware, using email to prepare or send meeting materials is concerning. When council members and staff are accustomed to receiving documents and updates via email, they are less likely to exercise caution when getting infected links or attachments. This is compounded by the fact that 88% of the survey respondents reported confidence in their organization’s security.
The prevalence of portable devices again exacerbates cyber risks. Most council members — and staff members — use their devices for information, but also entertainment and social media. When more than 70% of all ransomware attacks in the United States have hit state and local governments, this poses a hazard for cities. Groups that carry out these kinds of attacks have discovered that cities are an easy target.
Tips for Mitigating Risk and Human Error
In the area of cybersecurity, overall, it does not appear that public entities are doing enough to mitigate risks. Using email to either communicate or to prepare and transmit meeting materials is inviting unnecessary levels of risk. Elected board members are likely not aware of the risks or aware of their liability. Of breaches that come from inside the organization, 67% are not malicious but are from errors. Effective defense from cyberattacks ultimately depends on education and overriding the chance of human error whenever possible.
If they haven’t already, municipalities need to develop a cybersecurity plan, and it should be reviewed annually. By now, city administrators are becoming aware that they are a target, but it needs to be stressed to council members. Also, cities need to adopt a digital security mindset, with contingency and disaster plans in place. Working closely with other entities can help minimize threats. Below are some specific recommendations for increasing cybersecurity, even on a shoestring budget:
Utilize cloud-based software for both agenda creation as well as the distribution of materials to the council. Logging into a secure portal eliminates the likelihood of users clicking on a tainted email or attachment.
Utility grids that are interconnected can quickly cause cascading problems. Any device with data or applications on it needs to be remotely wiped in case of a threat. Only approved applications should be opened with devices belonging to the city.
When possible, it is best to have dedicated hardware. A tablet or laptop that can be updated and fully patched with all security updates easily is a necessity. Using a secure portal to prepare and host agenda materials that are password protected is the preferred vehicle to transmit council documents.
City officials and council members can no longer afford to ignore the risks. They need partners that can educate them about cybersecurity and help identify measures to help mitigate cybersecurity threats.