Schedule a Consultation Today (614) 484-0918

Posted by A-Jay Orr

3 Things Making Small Municipalities Easy Targets for Cyber Crime

One of the most disruptive cyber attacks ever to strike a U.S. local government left us all bass-mouthed last month. A federal criminal investigation is looking into the attack. Here’s what we know so far:

Victim: the city of Atlanta

Attack type: ransomware

Method: hackers used a computer virus called SamSam to encrypt the city’s data. The ransom set for the data’s release is six bitcoins ($51,000 at the time).

Damages: By freezing all city employee computers and systems, hackers jammed the gears of the entire local government, including:
  • No access to databases
  • Freeze on all municipal court dates
  • The inability to collect public utility payments
  • Police reverting to paper reporting
Worst of all, this attack could impact EVERYONE whose personal information has been put into city systems or done business with the city.

For an entire week after the attack, government employees had zero ability to turn on work computers or access the wireless internet. As of this week, many department systems are up and running again, but employees are still feeling the aftershock. There is still no word on whether backup recovery was an option, or whether the city is planning to pay the ransom.

To be frank, it’s a miracle that an attack like this didn’t happen sooner. Local governments like the city of Atlanta have limited budgets, tight resources, and high operational demands. It was only a matter of time before someone maliciously capitalized on the situation. Here are three things making small municipalities hot targets for cybercrime:


1. No Written Cybersecurity Policies or Procedures

Local governments have the best of intentions, but not enough time and resources to carry them out. A prime example of this can be found in their lack of written policies and procedures surrounding the acceptable use of IT assets, internet access, data backup, and agency devices. Policies and procedures should detail expectations related to:
  • The handling of confidential data
  • The protection of personal and agency devices
  • Email safety
  • Password management
  • Secure transfer of data
  • Rules for remote employees
  • Disciplinary actions (should any policies or procedures be broken)

Creating policies and procedures around cybersecurity aren’t enough. These expectations must be shared frequently with government employees and enforced through culture and leadership.


2. No Recovery or Breach Notification Plan

This shortcoming is one shared by all types of organizations, large and small. We see cybersecurity attacks in the news almost every day but entertain the pretense that it will never happen to us. This couldn’t be further from the truth. Failure to consider ourselves the next target leaves the door wide open for attack and subsequent disaster. Every organization should be prepared at all times for an attack, including a plan of action for how to address successful breaches of security. This plan of action should be externally and internally focused. Address the following questions:
  • What constitutes a data breach?
  • Internally, who needs to know right away? (e.g., IT, legal, Communications, HR, Executives).
  • When is it time to notify the public? (e.g., authorities, customers, partnerships, etc.)
  • How are breaches reported (chain of command)?
  • How are breaches investigated (who is responsible)?
  • How will breaches be dealt with and data recovered?
This recovery plan should be detailed and clearly communicated to all parties involved in the notification and recuperation of your organization.


3. No IT Security Training For Employees

Ransomware attacks almost always use phishing emails to gain entry into a computer network, which makes your employees your greatest cybersecurity defense — and weakness. More than likely, a very convincing email fooled an Atlanta employee into clicking a link that led to the downfall of the entire local government system. It’s that easy.

Policies and plans of action are critical to the safety of your agency, but neither of them matter much without a properly trained workforce that knows how to spot, avoid, and report suspicious email bate.

Don’t make the same mistake as the city of Atlanta. Test your employees today to find out just how good they are at recognizing a phishing attack. It might shock you to know that, despite general awareness about how to avoid sketchy emails, 78 percent of people click on them anyways.

Phishing Security Test