Many Local Governments Face a Cybersecurity Awareness Gap

According to a report from the International City Management Association, one in three local governments are oblivious about how often their information systems are attacked by would-be cybercriminals.

by Amy Saltzman and Matthew Reid, Wicket Local Metro / August 8, 2019
Shutterstock/Timofeev Vladimir

(TNS) — Places such as Baltimore and Atlanta have been hit with massive cyberattacks in recent years, but it's not just major cities that are at risk of losing data or having their systems hacked. Smaller municipalities are also targets.

According to a 2019 report from the International City Management Association, approximately one in three local governments do not know how frequently their information system is subject to attacks, incidents and breaches. Of those that do, 60 percent report they are subject to daily cyberattacks, often hourly or more.

Tiffany Schoenike, chief operating officer for the National Cyber Security Alliance, warns smaller municipalities are just as likely as larger cities to be the target of an attack. This could include anything from sensitive data being lost or stolen to systems being locked with the only recourse paying the hacker to regain access.

"Sometimes funding levels make things worse," Schoenike said. "This could be from not being able to afford the right kinds of technology, or not being able to hire the best people for the job."

But ultimately, hackers won't discriminate based on the type of government or system they target.

"They go where the money is," she said. "Just like some criminals rob banks and others rob convenience stores, every hacker is different. That's why every community, large or small, needs to be protected."

'Constantly researching new tools'

Phishing, Schoenike said, remains one of the most-effective methods for hackers to gain access to a city or town's data. The act, which involves a cybercriminal posing as a legitimate person or company as a way to obtain private information, is nothing new. But the methods used are constantly being refined.

In Cambridge, phishing is one of the most time-consuming challenges the city faces, according to Lee Gianetti, director of communications for the city of Cambridge.

Not including schools and public safety, the city receives about 45,000 email messages a day, 15,000 of which are some type of malware, phishing, or ransomware. The city's Information Technology department uses a Microsoft product to replace all email links with a vetted clean link, preventing the common technique in scams of misdirecting logins, Gianetti said.

The product reduces risk, but is far from perfect and incorrectly classifies many messages, he said. In the meantime, the city is looking into other companies offering similar products to further reduce phishing attempts.

"We do understand there is no solution that will 100% successfully block everything, but we are constantly researching new tools and ideas to remediate low-level threats and prioritize investigation of critical threats that require human judgement," he said.

Although, Gianetti didn't offer any specific phishing attacks in Cambridge, other communities around the state have reported similar issues.

A Melrose Police detective's laptop was infected in 2016 through a phishing attack, after an officer opened an attachment that set off a virus and encrypted all of the data on the computer. The attack compelled the department to pay nearly $500 for a Bitcoin ransom to regain control of its network. The city's technology director transferred the digital currency to the hackers via a mobile app, following instructions the hackers had left on the laptop.

Officials in Leominster paid $10,000 in Bitcoin last year when a similar incident occurred involving the school district's computer systems, which affected every school in the district.

A computer virus shut down municipal computers in New Bedford in early July, and nearly two weeks later city officials were implementing restoration plans on its municipal computer network. The city had released little information as of July 17, but said that the virus at least shut down some of the computers at both City Hall and in the Fire Department.

Education is key

Cambridge's IT department has a fiscal 2020 budget of $9.1 million. Teaching municipal employees about the dangers of cyberhacking, including identifying phishing and email scams, is part of an increased investment over the last four years. The city also recently hired a new security manager and a technical training specialist to improve cybersecurity.

"Educating employees about the phishing phenomenon is imperative for overall protection and could be considered the last layer of protection to avoid a breach," Gianetti said. "We are continuing the cybersecurity education for the foreseeable future."

Schoenike said the education of municipal employees, regardless of their comfort and familiarity with technology, is crucial.

"You can have the best tech in place, but if one person clicks on a link they shouldn't, or opens the wrong attachment, that's all some people need to gain access," she said. "And these criminals are getting very good at disguising themselves, so people think they're dealing with something that is safe and secure."

©2019 Wicked Local Metro, Needham, Mass. Distributed by Tribune Content Agency, LLC.

Platforms & Programs