City and state governments are increasingly feeling the heat from ransomware attacks. Ransomware attacks in 2019 on federal and state entities, healthcare providers, and educational institutions cost more than $7.5 billion, according to a new study. Additionally, the number of cyber attacks on local governments, especially in the form of ransomware attacks, is starting to increase, despite a slight downward trend at the beginning of 2020. For example, Knoxville, TN, was forced to shut down its IT network following a ransomware attack in June.
What lessons can you learn from these attacks? How can you determine if your local government is properly protected?
Cyber Attacks on Local Governments
At the time of the Baltimore ransomware attack, experts debated whether Robbinhood, the ransomware strain used in that attack, used the NSA hacking tool EternalBlue. While the Texas and Baltimore incidents got plenty of attention, other local governments are being hit, too.
Cyber attackers also hit two places in North Carolina in 2019. The city of Greenville fell victim to the Robbinhood strain, and Orange County was hit for the third time in six years. Additionally, ransomware hit seven municipalities in Florida in 2019.
As more details come out on all these attacks, the real focus should be on what lessons can be learned. Ask yourself a few questions. Are you doing enough to protect yourself from a cyber security standpoint? If not, what steps do you need to take to get there?
The Bottom Line
Most organizations aren’t addressing the critical vulnerability that EternalBlue exploits. This is despite high publicity and a patch being available for over two years – a fact that the National Security Agency (NSA) is using to deflect criticism.
Organizations have had several years to install one critical patch – and they haven’t. This patch alone can save hundreds of thousands of dollars in remediation costs or ransoms. The cost of the Baltimore cyber attack is now estimated at $18.2 million. Around $4.6 million is tied to direct costs from the incident.
Every single risk and vulnerability assessment I’ve led in the last few years has involved machines that were vulnerable to EternalBlue. These assessments were all done at the state and local government level, so it’s no surprise that we’re seeing a continuation of attacks on public sector targets.
Why Aren’t Local Governments Protecting Themselves?
If a city or state government doesn’t have properly patched systems or a vulnerability management program, it usually means they don’t have the money, the staff, or both. While that’s an easy concept to understand, implementing patches isn’t as simple.
Finding the right balance between security and operations is tough. It’s a battle that IT and cyber security professionals find themselves fighting all the time. For small governments especially, there is little to no budget for security. This means the balance is usually skewed towards operations and keeping customers and citizens happy. This model works until there’s an incident, like the Baltimore cyber attack, or the Atlanta incident in 2018.
Ransomware attacks are not going away. According to the 2020 Verizon Data Breach Investigations Report (DBIR), 17 percent of attacks involved malware, and 27 percent of malware incidents were ransomware. There are plenty of other attacks besides these, of course.
How Can You Make Sure You’re Protected?
Since simply giving up isn’t an option, what can you do?
- Get a Vulnerability Assessment
If you haven’t had a vulnerability assessment in the past two years, consider getting one immediately. It should be done by a third party. Think of it as someone else checking your blind spots.
- Implement a Vulnerability Management Program
This is basic maintenance that goes a long way to improve your cyber hygiene. It also boosts your resilience to malicious actors. The bare minimum is having antivirus protection on your endpoints, but it’s in your best interest to have next-generation endpoint management and protection. Endpoint security is a crucial part of protecting your business from cyber threats like ransomware, and traditional endpoint security tools have blind spots. At the very least, scan your systems and manually patch the critical vulnerabilities.
- Stay Informed
Part of keeping a balance between cyber security and operations is keeping up with the changing cyber security landscape. There are several ways you can stay up to date:
- Get current threat information and participate in cyber security events through Information Security and Analysis Centers (ISACs).
- Subscribe to a few good blogs (like this one) – check out the Security Bloggers Network for hundreds of blogs to follow, or sign up for their handy RSS feed.
- Join one of over 80 InfraGard chapters.
Is Paying the Ransom an Option?
Should you pay the ransom? The government says you shouldn’t because you’re supporting the criminals. Security experts warn that paying the ransom doesn’t mean you’ll regain access to your files and data. But, in my opinion, the option of paying the ransom should be left on the table. It should be factored into your risk calculus. If paying a $400,000 ransom saves you $4.8 million in direct costs, that’s a compelling argument.
If that’s something you decide to do, and you regain access to your systems, don’t just sweep this under the rug. You must still follow through with the proper steps after the fact—a cyber hunt or compromise assessment, remediation, and disaster recovery. The good news is, you’ll have less remediation to do if you’ve regained access quickly, and operations have continued pretty much as normal. And, if you have aging infrastructure that needs to be replaced, this could be an opportunity to get resources for delayed upgrades.
So, how do you effectively advocate for resources to prevent cyber attacks on local governments in an era of tight or decreasing budgets? How can you convincingly present your case to non-IT decision makers? Cyber security explanations are anything but simple, but high-profile ransomware cases like Baltimore (remember that $18.2 million number?) can help you make your case.
A good risk and vulnerability assessment can also help you seal the deal. When Delta Risk conducts an assessment, we tailor our recommendations to support your needs. The goal is to improve your cyber security, not to punish the people working to keep your systems secure. Findings from our assessments are framed constructively and will help you justify funding for cyber security priorities.