I spoke this week at the Regional Planning Committee meeting at the Barren River Area Development District (BRADD). The audience included mayors, county judges-executives, emergency management directors, planning directors, and many of the folks from the BRADD offices who work with the communities in their ten-county service area.
While we know many types of cyber attacks can and do occur within local government agencies, I chose to focus on ransomware attacks.
From a Sophos study, I found statistics that showed some frightening trends, which explain why local governments must pay attention to the ransomware threat.
Given that government agencies have limited resources and often have to respond to the urgent needs of their communities before implementing protective measures such as cyber security, the financial impact must be examined. The average ransom amount for a local government was $296K. This was $126K HIGHER than the average ransom for the other sectors in the study, which was $170K.
However, the financial impact does not stop there, unfortunately. This was just the ransom cost. Other costs of a ransomware attack include downtime, lost wages, loss of files/data, cost of replacing equipment (or installing security technology that should have been installed previously), third-party remediation/forensics, fines, and even the cost of credit monitoring for those whose data may have been compromised. With all this additional cost, the financial impact went from the average ransom of $296K to an average total bill of $1.64M.
So, how bad is the problem in local government, really?
According to the study, 34% of local government organizations were victims of ransomware attacks in the previous year. That means there probably had been a successful ransomware attack in three of BRADD’s ten counties.
Of the local governments who were hit with ransomware, 70% had their data encrypted by the attack. The significance of this is that for all other sectors in the study, the average was 55%. (Even if your data is not encrypted, an attacker can still “hold you hostage” via threats to expose data they have accessed from your systems.)
Of those who were attacked, only 42% could restore their systems from backups. Once again, there was a 15% difference between local government and other sectors, because 57% of ransomware victims in other sectors could restore from backups.
When the local IT teams were interviewed, 48% said that ransomware is so prevalent that they feel it is inevitable that they will get hit (“not a matter of if but when,” as we always say). 34% reported seeing an increase in attempted ransomware attacks, while 30% stated that they know they have weaknesses in their cyber security posture. While I am glad to know these folks realize they have weaknesses, I worry about the other 70% who don’t feel they have gaps!
The scary part is that 31% of those surveyed believed they would not be hit by ransomware.
The reasons cited fall into two groups. One reflects a false sense of security; the other gives me hope that they are on the right track, even though they believe they are safe from attack.
The “false sense of security group” cites the following reasons for why they believe they will not be victimized.
- “We have air-gapped backups,” according to 17%. It’s good to have backups (but not even air-gapped backups are safe from malware). But having backups does not prevent cyber attacks! That’s not only a false sense of security; it just doesn’t make sense.
- “We have cyber security insurance” is cited by another 17%. Cyber insurance is NOT cyber security. It is a part of your recovery after you have been hit with a cyber attack. That’s like saying you have car insurance, so that means you won’t be in an accident. (Insert eye roll here!)
- “We are not a target,” according to 28%. Not a target? According to the numbers, local government IS a target because they are less protected and less likely to be able to restore from backups, so they are more likely to pay a ransom.
The group that gives me hope includes the ones that cited the following reasons why they believe they won’t be attacked.
- 38% are working with a 24/7 Security Operations Center, which includes experts in threat hunting who can identify anomalous behavior and stop an attack before it happens or immediately once it begins, thereby mitigating the damage.
- 48% say they use cyber security technology solutions such as endpoint detection and response to protect their devices. I hope they are also doing regular updates and patching and include physical and administrative solution sets as well.
- 52% report that they are training their staff. This, along with layered security, is critical to defending your systems.
The result of all this paints a picture of a sector that is at high risk for ransomware attacks. Local governments have the lowest ability to stop encryption and to restore from backups. Additionally, given they are more likely to HAVE to pay a ransom, they are more likely to be a target.
The recommendations for immediate implementation include:
- Assume you WILL be hit! With this mindset, you are more prepared.
- Back up with the 3-2-1 method: 3 copies using 2 different systems with 1 stored offsite.
- Use Layered Defense (technical controls, physical security controls, and administrative policies/procedures/plans).
- Engage a Security Operations Center (SOC).
- Develop an incident response plan and practice it, then revise it, practice it again, and so on.
- Train your staff!
The stats may be specific to local government, but the message is the same. Everyone is at risk, and we must plan now.
Do you prioritize the safety and security of your organization? Allow Commonwealth Sentinel to be your partner in risk reduction and ensuring the well-being of all. Our comprehensive services range from software and hardware solutions to training and policy implementation. Contact us at (502) 320-9885 to learn more about how we can help you achieve peace of mind.