The importance of cyber safety, best practices and free resources to help ensure you’re not a cybercriminal’s next victim.
Municipalities take on a variety of important tasks and are made up of critical sectors that help keep our communities thriving. Unfortunately, the vital services that you provide for your community members—and the considerable amount of sensitive data stored—also makes your municipality the perfect target for cybercriminals who won’t think twice about holding a town’s services at ransom for a big payoff.
Think it can’t happen to you? Think again.
Here are a few alarming statistics:
- A new cyberattack occurs somewhere on the on the web every 39 seconds.
- 64% of companies worldwide have experienced at least one cyberattack.
- 77 local governments and agencies, and 1,043 schools were impacted by ransomware in 2021.
- Since 2016, public reports show more than 400 ransomware attacks have hit city and county governments in the United States.
Know your terminology.
With cyberattacks on the rise, staying up-to-date on key terminology can be an important first step to becoming cyber-aware and secured. The International City/County Management Association (ICMA) highlights the following definitions:
- Malware: Malicious software that’s installed and can encrypt data and files, block user access, exfiltrate data, etc.
- Ransomware: A type of malware that encrypts sensitive data and files, followed by demanding a ransom to unlock the encrypted info.
- Phishing: A form of social engineering in which cybercriminals fish for victims by sending emails with promises, opportunities or threats to deceive victims.
- Spear phishing: A more sophisticated, targeted form of phishing which has cybercriminals using just enough information to make the victim believe the email came from someone known to the victim or another trusted source.
- Brute force: When an attacker uses software to continuously “bang away” in an attempt to gain access to a victim’s computer, network or IT system.
- Zero-day: An attacker’s identification of a weakness in a network or IT system. One example includes using defects in outdated software versions.
- Denial of Service (DoS): An attack that sends massive volumes of traffic to overwhelm an organization’s website or server.
- Distributed Denial of Service (DDoS): A type of DoS attack that uses multiple computers simultaneously to shut down a website or server to all users. As this invisible threat continues to sweep the nation, let’s take a look at just two real-life examples of critical sectors that took a hit.
Water treatment system in City of Oldsmar, Florida
In February 2021, a hacker successfully accessed the city’s water treatment system and altered the sodium hydroxide levels from 100 parts per million to 11,100 parts per million.
While sodium hydroxide is used to control water acidity and remove metals from drinking water, it is also the main ingredient in liquid drain cleaners—making this a potentially dangerous increase.
Because the computers allowed remote access to select individuals to troubleshoot issues, the plant operator who was monitoring the system didn’t think much of it at first. When it happened again that afternoon, the operator noticed the intruder opening software functions that controlled the water being treated. After the sodium hydroxide levels were increased, the operator quickly stabilized the levels.
Fortunately, according to the sheriff, the public wasn’t in danger despite the hackers efforts. It would’ve taken 24 to 36 hours for that water to reach the water supply system, and even if the operator hadn’t caught the intruder in action, thankfully, there were other controls in place to check the water before its release.
The city of Baltimore was unfortunate enough to find themselves dealing with not only one, but two cyberattacks within two years.
In March 2018, a ransomware attack targeted and took down the city’s computer assisted dispatch (CAD) system that supports their 911 emergency dispatch and 311 non-emergency phone systems. Thankfully, city IT and cybersecurity staff quickly identified the problem and the system was restored in less than 24 hours. What caused the breach? It was later revealed that staff were working on part of the IT system and accidentally disabled a firewall—leaving them exposed for 24 hours.
A little over a year later, the city found that it had been hacked once again—but this attack was far more devastating. Through a phishing attack, almost all of Baltimore’s IT infrastructure was taken over, and a ransom was demanded to release the city’s systems and data. After refusing to pay the ransom of 13 bitcoin (which was worth around $76,000 at the time), it took months to get things back up and running.
Over this period, impacted services included water billing, property taxes, parking tickets, email and voicemail. Because the city’s system that handled property transfers was also offline, property sales were interrupted as well.
In this case, if Baltimore had installed a Microsoft patch that was made available in 2017, this cyber breach could have potentially been prevented.
The road to recover
The recovery process can vary—in some cases dragging on for months and even more than a year—and in instances where you pay a hackers’ ransom demands (which is never encouraged), the time it takes to restore and upgrade equipment can still be significant. In addition to the disruption to day-to-day operations, the cost of a breach can rack up millions.
In fact, according to IBM’s annual Cost of a Data Breach Report—which studied over 500 data breaches worldwide—the average cost of a breach rose from 3.86 million in 2020 to 4.24 in 2021 (with the average cost in the U.S alone being 9.05 million). This ranks as the highest average total cost in the history of the report! To calculate this number, four elements were taken into consideration: detection and escalation, notification activities, post breach response and lost business.
While these numbers are alarming enough, in some high-profile and extreme cases, they can be even higher. For example, following a ransomware attack on the city of Atlanta in 2018, the city spent more than $17 million to recover. Following the 2019 ransomware attack on Baltimore that we just reviewed, it cost them a whopping $18 million.
What can you do to avoid falling victim? Matt Olphin, Director of Client Risk Solutions for Glatfelter Public Practice states, “We’re seeing more and more of our clients increasing their budgets for expenses such as hiring outside IT consultants to ensure networks and systems are up-to-date, engaging with cybersecurity experts for penetration testing and providing employee training to boost awareness. Don’t be the one that leaves yourself open for easy pickings because you aren’t making that investment.”
While there is no one-size-fits-all solution to preventing a cyberattack, there are plenty of additional strategies that you can put into place to help you minimize your cybersecurity risks. Consider the following tips to help keep your community safe and your sensitive data secured.
1. Put policies in place
It is strongly recommended that businesses and organizations implement a variety of cybersecurity policies to help boost security and keep team members educated. According to ICMA, important policies to adopt include:
- Formal cybersecurity policy
- Password management policy
- Policy regarding applying software patches
- Cyber risk management plan
- Incident response/disaster recovery/business continuity plan
- Policy on the use of external devices, such as cell phones, flash drives, etc.
- Policy for vendors, contractors and cloud services
Establishing policies will be critical to protecting your operations and community, and all policies should be reviewed periodically to ensure they are up-to-date.
2. Minimize vulnerabilities and the risk of operational disruptions
Following the ransomware attack on the Colonial Pipeline in May 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an announcement with recommendations to help prevent business disruptions from an attack and mitigate vulnerability.
While these recommended strategies are aimed toward the critical infrastructure industry, this information is relevant to almost all businesses and public entities.
- Reduce your risk of compromise:
- Require multi-factor authentication for remote access to OT and IT networks
- Enable strong spam filters to help prevent phishing emails
- Implement a user training program and simulated attacks for spearphishing
- Filter network traffic to help prevent access to malicious websites
- Update software such as operating systems, application and firmware on IT network assets regularly
- Limit access to resources over networks, especially by restricting Remote Desktop Protocol (RDP)
- Set antivirus/antimalware programs to conduct regular scans
- Implement unauthorized execution prevention
- To minimize severe business disruption in the event of a future attack:
- Implement and ensure network segmentation between IT and OT networks
- Organize OT assets into logical zones
- Identify OT and IT network inter-dependencies and develop workarounds or manual controls
- Regularly test manual controls
- Implement regular data backup procedures on both the IT and OT networks
- Ensure user and process accounts are limited through account use policies, user account control and privileged account management.
- If impacted by a ransomware incident:
- Isolate the infected system.
- Turn off other computers and devices that share a network with the infected computer(s) that have not been fully encrypted by ransomware.
- Ensure your backup data is offline and secure.
In addition to these mitigation strategies, the FBI, CISA, Environmental Protection Agency (EPA) and National Security Agency (NSA) released another joint advisory to provide risk management tactics that are specific to the water and wastewater sector.
3. Learn to spot phishing emails
Considering the fact that more than 90% of all cyberattacks begin with phishing, being able to identify these types of emails will be critical. Here are 4 red flags to look out for:
- Unknown email sender
- Email requests personal or financial information
- Email wants the recipient to respond immediately or makes an urgent request for information (be on the lookout for upsetting or exciting statements asking you to act fast)
- Email wants the recipient to open an attachment or click a link unexpectedly (hover your mouse over the link to see what website URL appears)
4. Find additional cyber resources
Visit our cybersecurity site for even more free, valuable tools and best practices to help keep you and your municipality safer online.
Just one cyber breach can have you forking over millions, impact the operations that your community members rely on and damage your reputation. “Talk to your boards and leadership about increasing budgets for cybersecurity. Use the headlines and awareness of these threats to your advantage to fund upgrades, assessments and patches, and help harden your cybersecurity defenses,” says Matt.
Don’t wait. Now is the time to make sure you're taking steps in the right direction to better protect yourself from cybercriminals.
Richie Almeida, Integrated Marketing Specialist
Richie is an avid movie goer with an addiction to Sour Patch Kids. If he isn’t at the movies, he is at the gym or on a hike trying to make up for his bad eating habits.
The information contained in this blog post is intended for educational purposes only and is not intended to replace expert advice in connection with the topics presented. Glatfelter specifically disclaims any liability for any act or omission by any person or entity in connection with the preparation, use or implementation of plans, principles, concepts or information contained in this publication.
Glatfelter does not make any representation or warranty, expressed or implied, with respect to the results obtained by the use, adherence or implementation of the material contained in this publication. The implementation of the plans, principles, concepts or materials contained in this publication is not a guarantee that you will achieve a certain desired result. It is strongly recommended that you consult with a professional advisor, architect or other expert prior to the implementation of plans, principles, concepts or materials contained in this publication.
It’s important to make sure your website is able to serve everyone—or you could find yourself in legal, financial or reputational trouble.