Why are Local Government Entities Vulnerable to Ransomware and What Can We All Learn from this?

By: Angela Polania, Principal, Elevate.

In the past few months, it appears that an increase of malware and ransomware infections have struck a number of cities in the U.S.

Just recently in June, two cities in Florida (Riviera Beach and Lake City) have agreed to pay over 1 million collectively to get out of a ransom and get their data and use of their systems back.

In April, the city of Greenville, North Carolina, Imperial County in California, city of Stuart in Florida, city of Augusta in Maine and a municipality owned airport in Cleveland, Ohio got hit with ransomware that accounted for several down systems. The havoc in these and other such instances almost necessitate having to pay the ransom.

Cities are providing more services via the web, making their exposure higher and more attractive to hackers to seek to exploit their systems

Although ransomware appears to be a more recent phenomenon, local governments have most definitely been impacted by these issues. One can remember the most high-profile city ransomware attack last year to the City of Atlanta in Georgia.  According to Wired magazine, the City of Atlanta spent 2.6 million to deal with and respond to the attack. The ransom amount was only $50,000.

Some explanations as to why local governments are more attractive and can be more vulnerable to ransomware attacks are as follows:

  • Data stored in city systems are an attractive target. Cities have all types of information from their residents and cybercriminals want to take advantage of this and it is well known that government many times lack the security expenditures and systems to protect themselves adequately.
  • Cities are providing more services via the web, making their exposure higher and more attractive to hackers to seek to exploit their systems
  • Local government entities don’t have the budgets or pay the salaries to attract the best talent or enough talent and lack behind in cybersecurity controls mainly due to these reasons.  Also, although NIST has issued standards required by the federal government, these are not forced and/or mandated at the local and state level and with little compliance and regulatory oversight (outside of FDLE for the police network and data) the imminent pressure of audits and compliance is not felt the same as with financial institutions and other industries.
  • Also, cities often struggle to keep pace with technology refresh cycles and agility in procuring technology solutions to keep up with the pace of need and changes. Hence technologies can be older without proper patching and/or security protections.

Thus, what can we learn from this:

  • Know your data’s value and protect it accordingly.
  • Train your users as these ransomware attacks are coming from users clicking on phishing
  • Seek to have cyber insurance and an incident response plan in place
  • Invest in security, unfortunately, the risk is too pervasive not to do this
  • Don’t wait for an audit to do the right thing to protect yourself. Unregulated or minimally regulated industries do not feel the pressure and ‘forget’ that their information value is what makes them attractive to hackers.
  • Stay up to date with patching, system updates and technology investments
  • If investing in third-party providers (e.g. SaaS applications) ensure appropriate vendor due diligence takes place to ensure these vendors have data security controls