You know a situation is bad when even local governments are calling in the IT cavalry for help. But that’s the reality for municipalities struggling to combat increasingly frequent ransomware attacks that are targeting towns and cities across North America.
The problem is so severe that the Association of Municipalities of Ontario—a body that represents 444 of the province’s towns and cities—is encouraging greater information collecting and sharing between members, and calling on senior levels of government to provide funding to help protect their data and fend off this growing threat.
“AMO has also been urging the provincial and federal governments to work closely with municipal governments to help protect governments from cyberattacks, and to help public services weather attacks with less disruption,” AMO president Jamie McGarvey, the mayor of Parry Sound, Ont., told the Toronto Star, as published in a recent article.
Ransomware—a type of cybercrime where a hacker seizes or encrypts data and demands some form of payment, often untrackable Bitcoin, for its release—isn’t just plaguing big cities such as Toronto. Smaller communities with less robust digital infrastructure are also prime targets. So far the victims include Wasaga Beach, Stratford and Midland, to name only a few. More are sure to follow.
A North America-wide problem
If it offers any comfort to municipalities and business owners in Ontario, a recent New York Times piece reminds us that hackers using ransomware to hijack public or private data do not discriminate when it comes to nationality. This is far from a Canadian phenomenon:
“More than 40 municipalities have been the victims of cyberattacks this year, from major cities such as Baltimore, Albany and Laredo, Tex., to smaller towns including Lake City, Fla. Lake City is one of the few cities to have paid a ransom demand — about $460,000 in Bitcoin, a cryptocurrency — because it thought reconstructing its systems would be even more costly
In most ransomware cases, the identities and whereabouts of culprits are cloaked by clever digital diversions. Intelligence officials, using data collected by the National Security Agency and others in an effort to identify the sources of the hacking, say many have come from Eastern Europe, Iran and, in some cases, the United States. The majority have targeted small-town America, figuring that sleepy, cash-strapped local governments are the least likely to have updated their cyberdefenses or backed up their data.”
And therein lies the challenge. Many municipal governments have cut their IT budgets to such a degree (or never funded them properly in the first place) that their systems are virtually open to cyber criminals. In some cases, data is being held hostage for millions of dollars. While in many instances these crimes are being orchestrated by sophisticated organized crime syndicates, a skilled teenager with a laptop can manage the same feat with minimal effort.
It’s one thing to lock up the data of an SME, but what happens when entire hospitals or health care systems are shut down by a clever hacker with a grudge, or a desire to cash in? These attacks are becoming so sophisticated that civic agencies and businesses of all sizes and across industries are at risk.
A very human problem
As I’ve noted in previous blogs, most cybersecurity vulnerabilities stem from human error or negligence. Case in point: the town of Allentown, Pa., was targeted in a malware attack last year that shut down some municipal computers for weeks. The hacker exploited a vulnerability in a single employee’s laptop while that worker was on the road. Not surprisingly, the laptop hadn’t been updated to the latest software and was an easy target for the malware-toting hacker. That attack cost about $1 million to fix.
Now imagine that same unexpected cost taking a nasty bite out of your balance sheet and annual financial projections. When figures such as those are bandied about, it brings home the scope and seriousness of the problem—and underscores the need to take action.
That requires policies that ensure regular software updates of all machines, especially if your employees work off-site. It requires sufficient spending on IT, security and employee training. If we all agree that this is a ‘people’ challenge, we can start taking steps to fix the problem.
Employees should be trained to recognize phishing emails. They need to be equipped with VPNs for off-site work, and an understanding that websites that look fake often are—and are potentially run by a hacker residing in the cyber netherworld, waiting to pounce on an unsuspecting victim. They must also never share passwords and should change theirs on a regular basis.
These are all seemingly rudimentary best practices—and this is by no means an exhaustive list of essential cybersecurity tactics—but when combined, they form the foundation of an effective cybersecurity net that can protect an organization from digital worst-case scenarios.
Because once you get a $1 million ransom note from a hacker to release your data, the costs of being proactive seem quite reasonable by comparison.
Winston Stewart, President and CEO