TECH INSIGHTS: Combating Evolving Threats: A Cybersecurity Framework for Towns and Cities
The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.
Relentlessly targeted by cyberattacks in 2021, municipalities are facing scary repercussions as a result of ransomware, malware, and malicious hacker behavior. It’s scary to contemplate what hackers can potentially do to municipalities.
In 2021 so far:
- A municipal utility in Jersey City, New Jersey experienced a severe ransomware attack that “lasted months and threatened to cause a ‘public health crisis.’”
- The City of Covington, Louisiana experienced a cybersecurity breach related to a Microsoft email vulnerability that affected the municipality’s finance and billing departments.
- The Resort Municipality of Whistler in British Columbia, Canada “suffered a ransomware attack that forced them to shut down their network, website, email, and phone systems.”
- In Oldsmar, Florida, a hacker tried to poison the city’s water supply by increasing the amount of lye to dangerous levels.
Are these hackers primarily hacking past firewalls, antivirus software, and software vulnerabilities? Actually, 95% of all successful attacks over the past two years started in email. That means hackers are using trickery—also known as social engineering—to get employees to click on suspicious links and attachments, give up usernames and passwords, and enter your systems.
Evolving Threats
After hundreds of major and minor data breaches over the past 10 years, hackers are more easily able to access user credentials. In addition to using social engineering tactics to trick employees, hackers can also find stolen credentials on the dark web and use those credentials to break into your systems. In many cases, other hackers have done the hard work already. With so many ways to steal user credentials, the risk of a breach continues to increase.
Hackers also continue to exploit software vulnerabilities and outdated operating systems through zero day vulnerabilities (vulnerabilities that no one has ever seen before) and going after soft targets—such as municipalities. Many municipalities do not have rigorous cybersecurity measures in place, a reliable data backup system, and IT support that proactively monitors systems. Cybercrime rings, for example, may use automated software to look for vulnerable organizations—many of which include municipalities.
Cyber threat detection has also become a bigger issue for all organizations. Once inside your systems, hackers often remain undetected for many, many months. According to IBM’s 2020 Cost of a Data Breach Report, “The average time to identify [a breach] was 207 days and the average time to contain [a breach] was 73 days, for a combined 280 days.” That’s a long time for a cyberattacker to be inside your systems.
Cyber Liability Insurance
As cyberattacks increase and become more financially damaging, cyber liability insurance premiums have gone up. Direct written premium growth increased over 22 percent in 2020. Due to remote work during the pandemic, cyber liability insurance providers have grown wary of increased cybersecurity risks due to remote work. Many have even left the cyber liability insurance business entirely. While cyber liability insurance remains incredibly valuable, its premiums can be lessened by demonstrating cybersecurity best practices.
A Framework to Help Fend Off Cyberattacks
The National Institute of Standards and Technology (NIST) has created a widely accepted framework that covers what organizations need as part of a cybersecurity strategy—and this framework is flexible enough to apply to even smaller municipalities.
Identify
This part of the framework focuses mostly on assessing your cybersecurity risks, understanding unique cyber threats to your organization, and developing a plan to secure your data.
Protect
Most organizations already have some level of cybersecurity protection. This part of the framework includes solutions to proactively identify weaknesses in your IT infrastructure and alert your city to security-related issues. Antivirus software, spam filtering, and employee training all fall under this category.
Detect
Often overlooked by organizations, detection technologies such as endpoint detection and response are used to detect suspicious network traffic or behavior. Our recent article, The Threat from Inside: Why Your Cybersecurity Tools Must Now Detect as Well as Prevent, covers this area in depth.
Respond / Recover
Finally, a cybersecurity strategy needs solutions and processes that help mitigate the impact of a security incident such as data backups, an incident response plan, and cyber liability insurance.
JOIN US ON JULY 27TH FOR A “Stay out of the Headlines” WEBINAR ON CYBERSECURITY MUST HAVES!
If this high-level overview interests you in taking a deeper look at your cybersecurity strategy and plan, then we encourage you to join us at 12:00 noon to 1:00 pm on Tuesday, July 27, 2021. During this webinar, VC3’s Joe Howland will discuss the NIST framework in more depth and provide a checklist that towns and cities can use to evaluate their own cybersecurity measures.
About Joe Howland
Joe has been in the IT industry for over 20 years and has extensive IT management experience that spans multiple industries. A UCLA grad with a degree in Mathematics Computation with a Computer Specialization, he worked with Computer Sciences Corporation for 10 years supporting defense and financial sector contracts. Joe joined VC3 in 2009 and during his time with VC3, Joe has performed in the role of Virtual CIO for some of VC3’s largest government customers. Joe is currently VC3’s Chief Information Security Officer and is responsible for VC3’s IT security as well as advising on security for VC3’s customers.
About VC3
VC3 is a leading managed services provider focused on municipal government. Founded in 1994 with offices across the east coast, VC3 forms partnerships with municipalities to achieve their technology goals and harness their data. In addition to providing comprehensive managed IT solutions, VC3 offers cybersecurity, website design, custom application development, and business intelligence services. Visit www.vc3.com to learn more.