Sponsored content powered by Lock America.

Ransomware Attack on City Of Dallas Knocks Police Website Offline (CNN Online, May 3, 2023)

Cyberattack Disrupts Lowell City Government, Shuts Down Computers (CBS News, Boston, April 25)

These were the two most recent cybercrime stories when this article was submitted for publication. You can probably add two more as you read it. Dallas appears to be lucky, with the reported attack confined to the court system. This isn’t the first time that a big American city’s police department has been impacted by ransomware. The most prominent attack on law enforcement was perhaps when a Russian-speaking criminal group leaked online a trove of data stolen from the Washington, DC, Police Department in 2021.

Lowell, Massachusetts is a smaller city, so the crooks had the power to knock out more of its systems, shutting down the city for days. City Manager Tom Golden is reassuring, if a little vague. “The other professionals in law enforcement have looked at this, and we’re all comfortable, but it’s going to take us a little bit of time.”

The CBS News article quotes Boston College cybersecurity expert Brian Powers, asserting that “it’s not a matter of if but when local governments will be attacked by cybercriminals.” The article goes on to say that “Lowell officials have alerted law enforcement to the attack, and Golden says it could be days before the city’s system is fully up and running.”

Ransomware and data theft are a constant threat to businesses and government agencies. These attacks typically lock computer files so hackers can demand a ransom and access valuable data for dark web auction or worse. A 2019 attack on the city of Baltimore halted the city’s ability to process water-billing payments for three months, according to The Baltimore Sun. Baltimore officials estimated at the time that the ransomware attack would cost the city at least $18 million.

Quentin Rhoads-Herrera, a Dallas-based cybersecurity executive, told CNN that when he is hired to test the cybersecurity of state and local governments, “we commonly find their security posture to be weaker than that of the average corporate company.” Herrera added, “This is not due to a lack of concern, but rather a lack of resources and manpower to address the ever-growing challenges of cybersecurity.”

Why the Attacks on City Government?

Simply put, municipal systems are low-hanging fruit. Unlike businesses, which have budget and staffing flexibility, most municipal information systems are underfunded, although many wind up eventually paying more than they can handle when they’re hijacked.

New Orleans was hit with ransomware in late 2019, and it took 10 days to get some of their computers running again, and a full 20 days to get everything restored. It ended up costing the city over $5 million. Information Manager Kimberly LaGue reminds us that, in today’s tech world, a cyberattack can happen to anyone.

Spotting the Weak Points and Building and Strengthening Defenses

With limits on spending and people, what’s the best path to follow? Focus on what Peter Thermos of Palindrome Technologies points out: Ninety percent of all data breaches and compromises are the result of human error. TeachPrivacy, a cybersecurity company, jests that the best way to protect data security is to get rid of all the humans, and Plan B is to train them. Training and motivating your staff is your best, most cost-effective defense. You have neither the time nor the money to replace your existing computer systems or to perform major updates. PalindromeTech identifies three non-tech employee areas to address for cybersecurity:

Awareness and Culture. As Palindrome CEO Peter Thermos pointed out, the weak link is human error. Management must commit to initial security training, then constant reinforcement and follow-up. You can’t just give a perfunctory lecture and consider the problem solved. There needs to be continual follow up, for example, by delivering a cybersecurity message prominently in every employee newsletter or periodic email. We’ve probably all seen movies or TV shows where the mighty fortress is breached by someone leaving a door open. That’s how computer systems are taken down—through a figurative open door or window.

The guidelines are pretty clear: Don’t open an attachment from an unknown email sender. Don’t download kitty videos or place your bets on company time, which could provide an opening for the enemy. Promote a culture of compliance. Don’t encourage lax behavior, and sanction it when it happens.

Policy and Procedures. Develop consistent policies and guidelines to enforce company policy. Allow no exceptions and promote the expectation that it’s everyone’s job to protect the organization. Prohibit the downloading of unauthorized software, even if it’s a test file for a tech manager. Prohibit copying text from an unauthorized site.

Governance and Compliance. The organization needs to broadcast its commitment to security and back that up with periodic training and refresher courses. There are many resources that won’t cost a lot of money. Most states have programs to help communities protect their data. And unlike businesses that compete with each other, municipalities can cooperate and learn from their neighbors, sharing best practices and broadcasting alerts and new approaches.

The Bottom Line

There are additional cost-effective resources, such as state and local conferences and organizations. They can provide the latest strategies and best practices, but this knowledge must be communicated and implemented, down to the individual employee. Cybersecurity starts at the top, but it must reach every level of the organization.

Cybercrime is a constant threat to municipalities. You can’t spend your way to protection. You protect your systems by building organization-wide compliance with clearly defined security requirements. The key to maintaining security is to work to strengthen the weakest link. Take low-cost steps to protect yourself now and plan long term for the next attack.

 

RICH MORAHAN writes frequently on security and marketing for the ATM, fuel marketing, information management, self-storage, and vending industries. You can contact him at 617-240-0372, rmwriteg@gmail.com, or www.rmorahan.com.