2019 was a tough year for the overall cybersecurity of state and local governments and municipal institutions. If you follow security news, there were times when not a week would go by without word of how the latest municipal cyberattacks impeded or even halted day-to-day operations.
This stream of recent hacking incidents targeting government and municipal institutions is developing into a tide — libraries, courthouses, schools, hospitals and government service agencies are all susceptible to attacks. In some cases, the consequences were arguably minimal. In others, they were much more severe. Generally speaking, the severity depends on which types of data each institution holds.
Often, the best initial strategy for preventing cyberattacks is to review what happened to others and derive lessons from those accounts. How do these attacks apply to other organizations or municipalities, and what can security professionals in these places do differently to avoid such attacks?
What Kinds of Public Sector Institutions Are Being Attacked?
To see what lessons we can learn from municipal cyberattacks, I’m highlighting several recent hacking incidents here followed by a few general strategies that organizations can put in place today to improve cybersecurity.
Hospitals and Healthcare Facilities
In April 2017, the Erie County Medical Center in New York was hit with a ransomware attack. Despite hackers’ demands for $30,000, the ultimate cost to the hospital came closer to $10 million because the intrusion crippled 6,000 computers, which forced the hospital to revert to paper and old-school methods. Subsequently, the hospital estimated that they would need to upgrade their technology, bolster security awareness and harden their systems, accruing additional expenses of about $250,000 to $400,000 a month.
Late last year in Minnesota, hospital operator Alomere Health suffered a data breach that affected 49,351 individuals. In this attack, the bad actor gained access to two employee email accounts around Halloween. The potential for personal data theft was significant: Names, addresses, dates of birth, medical record numbers, health insurance information, and diagnosis and treatment details were all compromised. Some patients’ Social Security numbers and driver’s license numbers were even exposed.
Like any small municipal, educational or governmental institution, schools manage a lot of personal data and are vulnerable to attack as they typically lack robust security resources.
Between January and the start of the 2019 school year, over 500 U.S. schools were victimized by ransomware in 54 different school districts and colleges. One case in Neosho, Missouri, had hackers demanding a local school fork over $1.6 million to decrypt its systems. Another attack forced the Houston County School District to postpone the first day of classes for over 6,000 students by more than 10 days.
Cities and Municipalities
Perhaps the biggest attack in terms of publicity occurred in the summer of 2019 when the city of Baltimore went into a state of disarray as it dealt with aggressive ransomware affecting its systems. While essential services like the police, fire department and ambulances weren’t affected, airports, hospitals, utility services, ATMs and factories producing vaccines were struck. Costs resulting from the attack are estimated at over $18 million.
The city of New Orleans was also hit by another well-publicized cyberattack in December 2019. As a result of the attack, routine government functions couldn’t be handled electronically and approximately one in five city computers was compromised to the point of being unrecoverable. As of January 2020, the city had spent more than $7 million on repairs and city email systems were still not fully restored.
Reduce Risk With Security Awareness and Hygiene
In many municipal cyberattacks, a common factor is someone clicking on something they shouldn’t — in other words, phishing or social engineering attacks. Instinctively and automatically, our minds are drawn to security awareness as the solution. If employees are more aware of phishing attacks, the municipality, school or government office for which they work should be better off, right?
When I spoke with security expert Bruce Schneier at the end of 2019, he told me that security awareness only applies to your worst employee. Even if you convince 99 out of 100 people not to click on that ransomware-laden link, the one person who didn’t get the memo may represent the greatest vulnerability in your security armor.
I get his point. I don’t think any organization will ever achieve 100 percent success with their awareness program. But isn’t cybersecurity all about risk? Aren’t we in a much better position to thwart an attack if 70 percent of our employees won’t click on that link compared to 40 percent? After I personally implemented security awareness programs at the government level — even before the days of ransomware — I recognized that full cybersecurity compliance was unattainable, but I would have slept better at night knowing that the program we created could increase our awareness by even 30 or 40 percent.
Many of these institutions have been forced to make an investment, but other state and local government institutions have a chance to invest in cybersecurity today, before they are attacked. They may not have the same resources as private enterprises, but municipal organizations should do all they can to reprioritize the budget so cybersecurity prevention moves toward the top of the list.
Regardless of budget, all institutions must also realize that security strategy is only as strong as your security hygiene, and the basics often don’t cost much. Data backups, implementing NIST’s Cybersecurity Framework and red team-blue team exercises, applied together, can work wonders for organizations willing to put forth a solid effort.