Municipalities take on a variety of important tasks and are made up of critical sectors that help keep our communities thriving. Unfortunately, the vital services that you provide for your community members—and the considerable amount of sensitive data stored—also make your municipality the perfect target for cybercriminals who won’t think twice about holding a town’s services at ransom for a big payoff.
Think it can’t happen to you? Think again.
Here are a few alarming statistics:
Know your terminology.
With cyberattacks on the rise, staying up-to-date on key terminology can be an important first step to becoming cyber-aware and secured. The International City/County Management Association (ICMA) highlights the following definitions:
In February 2021, a hacker successfully accessed the city’s water treatment system and altered the sodium hydroxide levels from 100 parts per million to 11,100 parts per million.
While sodium hydroxide is used to control water acidity and remove metals from drinking water, it is also the main ingredient in liquid drain cleaners—making this a potentially dangerous increase.
Because the computers allowed remote access to select individuals to troubleshoot issues, the plant operator who was monitoring the system didn’t think much of it at first. When it happened again that afternoon, the operator noticed the intruder opening software functions that controlled the water being treated. After the sodium hydroxide levels were increased, the operator quickly stabilized the levels.
Fortunately, according to the sheriff, the public wasn’t in danger despite the hacker’s efforts. It would’ve taken 24 to 36 hours for that water to reach the water supply system, and even if the operator hadn’t caught the intruder in action, thankfully, there were other controls in place to check the water before its release.
The city of Baltimore was unfortunate enough to find itself dealing with not only one, but two cyberattacks within two years.
In March 2018, a ransomware attack targeted and took down the city’s computer-assisted dispatch (CAD) system that supports its 911 emergency dispatch and 311 non-emergency phone systems. Thankfully, city IT and cybersecurity staff quickly identified the problem and the system was restored in less than 24 hours. What caused the breach? It was later revealed that staff were working on part of the IT system and accidentally disabled a firewall—leaving them exposed for 24 hours.
A little over a year later, the city found that it had been hacked once again—but this attack was far more devastating. Through a phishing attack, almost all of Baltimore’s IT infrastructure was taken over, and a ransom was demanded to release the city’s systems and data. After refusing to pay the ransom of 13 bitcoin (which was worth around $76,000 at the time), it took months to get things back up and running.
Over this period, impacted services included water billing, property taxes, parking tickets, email and voicemail. Because the city’s system that handled property transfers was also offline, property sales were interrupted as well.
In this case, if Baltimore had installed a Microsoft patch that was made available in 2017, this cyber breach could have potentially been prevented.
The road to recovery
The recovery process can vary—in some cases dragging on for months and even more than a year—and in instances where you pay a hacker’s ransom demands (which is never encouraged), the time it takes to restore and upgrade equipment can still be significant. In addition to the disruption to day-to-day operations, the cost of a breach can rack up millions.
In fact, according to IBM’s annual Cost of a Data Breach Report—which studied over 500 data breaches worldwide—the average cost of a breach rose from $3.86 million in 2020 to $4.24 million in 2021 (with the average cost in the U.S. alone being $9.05 million). This ranks as the highest average total cost in the history of the report! To calculate this number, four elements were taken into consideration: detection and escalation, notification activities, post-breach response and lost business.
While these numbers are alarming enough, in some high-profile and extreme cases, they can be even higher. For example, following a ransomware attack on the city of Atlanta in 2018, the city spent more than $17 million to recover. Following the 2019 ransomware attack on Baltimore that we just reviewed, it cost them a whopping $18 million.
What can you do to avoid falling victim? Matt Olphin, Director of Client Risk Solutions for Glatfelter Public Practice, states, “We’re seeing more and more of our clients increasing their budgets for expenses such as hiring outside IT consultants to ensure networks and systems are up-to-date, engaging with cybersecurity experts for penetration testing and providing employee training to boost awareness. Don’t be the one that leaves yourself open for easy pickings because you aren’t making that investment.”
While there is no one-size-fits-all solution to preventing a cyberattack, there are plenty of additional strategies that you can put into place to help you minimize your cybersecurity risks. Consider the following tips to help keep your community safe and your sensitive data secured.
It is strongly recommended that businesses and organizations implement a variety of cybersecurity policies to help boost security and keep team members educated. According to ICMA, important policies to adopt include:
Establishing policies will be critical to protecting your operations and community, and all policies should be reviewed periodically to ensure they are up-to-date.
Following the ransomware attack on the Colonial Pipeline in May 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an announcement with recommendations to help prevent business disruptions from an attack and mitigate vulnerability.
While these recommended strategies are aimed toward the critical infrastructure industry, this information is relevant to almost all businesses and public entities.
In addition to these mitigation strategies, the FBI, CISA, Environmental Protection Agency (EPA) and National Security Agency (NSA) released another joint advisory to provide risk management tactics that are specific to the water and wastewater sector.
Considering the fact that more than 90% of all cyberattacks begin with phishing, being able to identify these types of emails will be critical. Here are 4 red flags to look out for:
Visit our cybersecurity site for even more free, valuable tools and best practices to help keep you and your municipality safer online.
Just one cyber breach can have you forking over millions, impact the operations that your community members rely on and damage your reputation. “Talk to your boards and leadership about increasing budgets for cybersecurity. Use the headlines and awareness of these threats to your advantage to fund upgrades, assessments and patches, and help harden your cybersecurity defenses,” says Matt.
Don’t wait. Now is the time to make sure you're taking steps in the right direction to better protect yourself from cybercriminals.