Along with protecting that accumulated data, the city needs to safeguard technology used across municipal departments that's critical to maintaining vital services — everything from supplying drinking water to coordinating emergency responses.
And all of it makes a tempting array of targets for hackers and other cybercriminals.
"As you have likely seen in various news headlines over the past several months, cyber attacks are sweeping the country, from the data breaches of Minneapolis and St. Paul School Districts to the utility breaches in Ohio. Simply put, these cyber threats are real, the organizations that they have impacted are growing and they are ever-changing."
That was the memo to the Mankato City Council explaining why an entire council workshop was being devoted to the topic, featuring Doug Storm, the city's information technology director, and Christian Torkelson, a cybersecurity consultant for the League of Minnesota Cities.
"Cybersecurity is expensive, even when things go right," Torkelson warned. "It's doubly expensive when they don't."
Growing bag of tricks
Torkelson was generally complimentary of the efforts by Storm and his staff to protect the city's data and technology systems. But the risks they're facing continue to grow as the city, like virtually every other organization, increasingly relies on technology.
"It's kind of the glue that holds much of our operations together," Torkelson said.
The League of Minnesota Insurance Trust — a self-insured cooperative of LMC members offering property, liability, auto and workers' compensation coverage — has handled 98 cybersecurity claims since 2012. The cost of the claims varied widely but many totaled more than $10 per capita — a nearly half-million-dollar hit if Mankato was the victim.
About a third of claims involved data breaches where non-public data ended up in the hands of unauthorized parties, often because it was inadvertently disclosed by staff. In those cases, workers sent emails to the wrong recipient or mistakenly uploaded files with private data to a public website. The wrongly disclosed data ranged from Social Security numbers of employees to customer payment data from credit cards to personal information about holders of city permits and licenses.
Other times, criminals grabbed the data by spotting a vulnerability, through the physical theft of documents or via phishing scams. The latter was often an outsider requesting information via email by pretending to be a worker's manager.
Another category of data release is called "fraudulent instruction" in which scam artists impersonate vendors or employees and trick staffers in the finance department to change payment information. The result is public money being transferred to the criminal rather than the vendor.
"These happen quite regularly, and the challenge with them is they can be quite expensive," according to Torkelson, who said fraudulent instruction makes up 27% of claims and that the median value of the cases tops $500,000.
In ransomware attacks, which represent 16% of cyber claims, malicious software is used to steal or encrypt some of the electronic files of a city. The criminal then demands a ransom in exchange for restoring access to the files, which might be vital for maintaining city services.
An emerging concern, which has been increasingly a focus of federal anti-terrorism agencies, is cybersecurity vulnerabilities involving electronic manipulation of critical services such as delivering clean water to residents.
Expensive, time-consuming fight
Torkelson talked about the steps required to eliminate or reduce the danger of each type of cyberattack — assessing systems, exploring how they work, identifying weak spots, brainstorming possible protections, implementing strategies for backing up data and providing extensive training for all city employees.
"There's no easy way to do most of these things," he said. "... You need to spend the staff-time and energy to figure them out."
Training for employees is critical, according to Storm.
"Our biggest risks in cybersecurity are our users — ourselves," Storm said.
Last fall, the IT Department sent emails to 400 employees and others (including City Council members) who are part of the city of Mankato email system. Storm was listed as the sender, and the emails requested the recipient enter their security password because the IT Department needed to make updates. It was the epitome of a phishing attempt, but Storm was expecting roughly a third of recipients to make the mistake of entering their password.
"What surprised us was we were kind of around the 8-10% (range)," Storm said.
City Manager Susan Arntz said the better-than-expected performance by Mankato city employees is partly explained by the IT Department's accessibility. Employees don't feel intimidated by the tech experts and are willing to contact them with questions and advice because the IT folks don't mock even dumb questions.
"They may roll their eyes as they walk away but never, ever in front of us," Arntz said.
Storm recalled the moment the fake phishing email went out, pleased that employees were looking out for each other and for the integrity of the city's technology.
"You could hear them yelling, 'Don't open the link!'" he said.
But one in every 10 or 11 employees still made the mistake, and follow-up training is scheduled for later this month. More training and additional testing will come after that.
"That campaign will continue," Storm said. "It will not end."
On-going vigilance
While staff might be the biggest vulnerability, the technology itself also needs to be constantly monitored and improved. Storm talked about an outside security firm that monitors the city's systems 24/7 for suspicious traffic, the multiple firewalls that have been put in place, the more robust security software being explored for the email system, the more resilient data-backup strategies that have been employed and the cybersecurity resources constantly being offered by the state of Minnesota.
All of that effort has a side benefit when Mankato's bond rating is being set by firms such as Moody's and S&P Global Ratings, according to Administrative Services Director Parker Skophammer.
"That's a big part of what they want to know about," Skophammer said.
More evidence of the growing concern about cybersecurity is demonstrated by the fact that many insurance companies are getting out of the business of providing coverage. Those still offering coverage are raising rates while also placing more and more security requirements on clients. And now criminals have received a major gift in their endless search for new tools and techniques for gaining access to data and computer systems.
"A lot these are enhanced or made easier by using these artificial intelligence tools ...," Torkelson said. "There's a lot to be worried about moving into the future."
Enough so to make Storm a bit nostalgic for 1989.
"When I started at the city, there was no internet," he said. "It was a lot simpler back then."
Storm now supervises tech workers who weren't even born then. The multi-generational squad is performing well, according to Torkelson.
"I've been wildly impressed with Doug and the team in Mankato," he said.
Nonetheless, Torkelson made clear that the City Council shouldn't even consider being smug about how well Mankato is doing. Because no city can afford complacency.
"The point is, lots of work to be done here," he said. "And the federal government is very worried about it."
© 2024 The Free Press (Mankato, Minn.). Distributed by Tribune Content Agency, LLC.
