Ransomware tests local governments

Ransomware tests local governments
(Image credit: TheDigitalArtist / Pixabay)

Ransomware is a big business for criminals and painfully expensive for companies. More and more cities and local governments around the world have become a hot target, with hackers shutting down government services, hospitals, blue light services, schools and universities. 

These types of attacks have been notable in the United States and in the last 10 months alone 140 local governments, police stations and hospitals have been held hostage by ransomware attacks, despite having antivirus software and other basic protections in place. 

As a result, hospitals are halting admissions of new patients, first responders are slower to respond to distress calls, city services are interrupted, and schools are suspending classes. 

About the author

Frank Krieger is the Vice President of Governance, Risk & Compliance at iland.

States hit hard

Ransomware attacks are hitting the States hard and unfortunately many organisations are opting to pay ransoms for their data, creating a lucrative market for ransomware hackers. In October, an Alabama hospital paid hackers an undisclosed amount to unlock its data after being forced to halt new patient admissions. In June, Lake City, Florida paid $460,000, and Riviera Beach, Florida paid more than $600,000 in Florida to recover their data. 

The landscape is just as vulnerable in the UK. In the first half of 2019, the number of malicious attacks in the UK increased 195% . Both the US and UK have seen a surge in malware incidents, and as we venture into 2020 the trend will undoubtedly continue as hackers exploit common vulnerabilities of regional and local governments and education authorities with limited budgets and easy access to affordable cyber insurance.

Most local governments are forced to assign IT budgets and resources to improve services through next-generation technologies like 5G networks, IoT, and cloud computing. In the process, their operations and data are becoming more connected through local and global networks, and their IT professionals are overwhelmed by IT data regulations and demand for innovation. There’s little time or resources left to protect their networks.

A tempting solution might be to buy cyber insurance and prepare to accept disruption in the event of a successful attack. However, there are ways government and education authorities can fortify their defences through outside resources and best practices that are just as affordable and as easy to implement as cyber insurance. Many of these start with changing the way we think about the problem.

Penalties vs consequences – what’s the difference?

There is a big difference between penalties and consequences when it comes to cybersecurity. While there might not be a specific penalty for public sector organisations who fall victim to ransomware attacks, they still face significant human consequences. When services are down, citizens can’t contact emergency services, frozen property records might stall loan applications, or hospitals might be unable to admit and treat new patients.

A ransom payment, backed by cyber insurance, can put data and operations back in order. But what’s the cost to citizens that rely on services and to the overall reputation of the public service provider? Worse, by paying ransoms, we’re just encouraging hackers, which explains the momentum of these occurrences. 

These hackers know who is paying for insurance and how much coverage they have. Furthermore, no one should assume they are safe from penalties. A ransomware attack that gives attackers exposure to personal data puts the organisation in breach of the GDPR and facing potentially huge fines. What is the alternative and what steps can be taken? 

Strengthening IT through subscription-based cybersecurity

Whether it is data backup, IT compliance, or security programs, most cloud-based IT services today are available through monthly subscriptions, which can equal the same price or less than cyber insurance.

Most local authorities have stretched IT resources, which means they're focused on resolving the latest trouble ticket, instead of keeping equipment and software updated. Hackers know when the newest software upgrades or patches are issued and that the smaller organisations will likely take their time to make the upgrades. 

In contrast, companies that provide cloud-based services are regularly issuing and making upgrades and installing patches on their services and data centres to make sure security is as tight as possible. 

Minimise risk by keeping access controls up to date

One of the easiest ways into a local authority or school network is through an access point with outdated credentials, arising for example when an employee leaves the organisation. Logins and passwords need to be immediately removed when employees leave their jobs. Knowing that onsite resources are limited, this process needs to be communicated and treated as a top priority.

Securing sensors and IoT devices through network segmentation

As local authorities expand services over next-generation technologies to build smart cities, they are increasingly becoming more connected.  By 2025, more than 75 billion devices are expected to be connected over the Internet of Things (IoT) , but a single, unprotected access point can leave any database vulnerable.

IoT devices rely on sensors to collect data on power grids, traffic, refuse collection, or road conditions to deliver services more efficiently. However, hackers know that many smaller authorities lack the IT resources and expertise to lock down these sensors. Hackers can use this access to hold services hostage through ransomware, sometimes crippling critical systems for months at a time.

At most, security measures should be applied to these sensors and their IoT devices. At the very least, city officials should store and run their data and applications through different data centres. This can also be done over the cloud.

Just say “no” 

Local government organisations with data backup and contingency plans nearly always have the option to say no to ransomware attackers. An effective back up and DR system should be able to get systems restored quickly and with minimal, if any, data loss. 

By refusing to pay ransoms, and taking out a practical “insurance policy” of having a solid back up and DR plan or DRaaS service in place, public sector organisations can resist ransomware attackers and send a clear message that they are a harder target, not an easy victim.


Frank Krieger is the Vice President of Governance, Risk & Compliance at iland.

Frank Krieger is the Vice President of Governance, Risk & Compliance at iland.