With Hourly Cyberattacks, Is Your Local Government Safe?

With cyberattacks on the rise, small municipalities are just as likely as larger ones to be subject to an attack. Educating city employees about phishing and regular software updates can help keep your city secure.

by Matthew Reid, MetroWest Daily News / July 24, 2019

(TNS) — Places such as Baltimore and Atlanta have been hit with massive cyberattacks in recent years, but it's not just major cities that are at risk of losing data or having their systems hacked. Smaller municipalities are also targets.

According to a 2019 report from the International City Management Association, approximately one in three local governments do not know how frequently their information system is subject to attacks, incidents and breaches. Of those that do, 60 percent report they are subject to daily cyberattacks, often hourly or more.

Tiffany Schoenike, chief operating officer for the National Cyber Security Alliance, warns smaller municipalities are just as likely as larger cities to be the target of an attack. This could include anything from sensitive data being lost or stolen to systems being locked with the only recourse paying the hacker to regain access.

"Sometimes funding levels make things worse," Schoenike said. "This could be from not being able to afford the right kinds of technology, or not being able to hire the best people for the job."

But ultimately, hackers won't discriminate based on the type of government or system they target.

"They go where the money is," she said. "Just like some criminals rob banks and others rob convenience stores, every hacker is different. That's why every community, large or small, needs to be protected."

'Think before you click'

Phishing, Schoenike said, remains one of the most-effective methods for hackers to gain access to a city or town's data. The act, which involves a cybercriminal posing as a legitimate person or company as a way to obtain private information, is nothing new. But the methods used are constantly being refined.

A police detective's laptop was infected in Melrose, Mass., in 2016 through a phishing attack, after an officer opened an attachment that set off a virus and encrypted all of the data on the computer. The attack compelled the department to pay nearly $500 for a Bitcoin ransom to regain control of its network. The city's technology director transferred the digital currency to the hackers via a mobile app, following instructions the hackers had left on the laptop.

Officials in Leominster, Mass., paid $10,000 in Bitcoin last year when a similar incident occurred involving the school district's computer systems, which affected every school in the district.

A computer virus shut down municipal computers in New Bedford, Mass., in early July, and nearly two weeks later city officials were implementing restoration plans on its municipal computer network. The city had released little information as of July 17, but said that the virus at least shut down some of the computers at both City Hall and in the Fire Department.

Issues such as these are causing many municipal officials to act, before something similar happens in their community.

In May, voters in Burlington, Mass., approved a Town Meeting article to request a report by year's end from the Board of Selectman on the current status of the town's cybersecurity, including a risk assessment and recommendations moving forward. The town has reactivated its Information Systems Advisory Committee to assist.

"The article was put on the warrant to be proactive," said David Miller, an advisory committee member. "A lot of people hear about various cities across the nation being hit with things like ransomware and/or other hacking attacks, and (we) want Burlington to get ahead of the curve."

Education is key

In Framingham, a city with about 600 regular users on its network, trainings occur regularly to ensure the system is not compromised.

"We are constantly taking a look at ways to improve security," said Carly Melo, director of technology services. "Something even as small as a two-minute video reminding people of best practices can go a long way."

Melo said the city has increased its cybersecurity methods even in the past year, as new vulnerabilities are always popping up.

"We even offer advice on how our staff behaves on social media," she said. "We tell people to always think before they click on a link. There's always the chance of a vulnerability leading to something bad happening."

Schoenike said the education of municipal employees, regardless of their comfort and familiarity with technology, is crucial.

"You can have the best tech in place, but if one person clicks on a link they shouldn't, or opens the wrong attachment, that's all some people need to gain access," she said. "And these criminals are getting very good at disguising themselves, so people think they're dealing with something that is safe and secure."

The City of Newton has been training municipal employees on the dangers of phishing, and has seen positive results so far.

"We're about seven months in, and it's been a total success," said Newton Chief Information Officer Joseph Mulvey.

As part of the training, fake phishing emails have been sent to city employees in an attempt to lure them into interacting with what's in the message. The emails are catered to specific departments, such as messages related to banking being sent to staff in the Finance Department.

Mulvey said the city expected 20 to 30 percent of staff to fall for the bait and click on the emails when they first rolled out last December, but it ended up being less than 20 percent. Subsequent attempts have yielded even lower numbers.

"We've also been doing live presentations for staff," Mulvey said. "And we have training movies, about eight-and-a-half minutes long, that we put online for anyone to watch."

The city has done cybersecurity vulnerability assessments multiple times since 2015, with another coming in the fall.

Mulvey said stealing information used to be the biggest concern for cybersecurity officials, but safeguards have been put in place to make that much harder for criminals. For example, Newton now has a third party oversee financial transactions with residents, and credit card information is not tied to the city's central online infrastructure.

Now, he said, the bigger concern is having city data held hostage.

"The ransomware really is the thing we're seeing everywhere," Mulvey said. "The last thing we ever want to do is be in a position where we have to pay someone to get access restored to our own systems."

©2019 MetroWest Daily News, Framingham, Mass. Distributed by Tribune Content Agency, LLC.

Platforms & Programs