In the past, we have written a lot of articles about cyber threats to SMBs, but the number of attacks on municipalities has increased so dramatically recently that we would be remiss if we didn’t address it. Both the number of attacks and the frequency have skyrocketed to the point that cyber security professionals can hardly go a day without reading something about municipal cyber attacks in the North American news. 

These attacks aren’t just a cause for ‘concern,’ they’re a cause for collective alarm. Why? Because, while cyber attacks on businesses can be devastating to owners and their staff, those types of attacks don’t affect the private sector – at least not as directly and abundantly as municipal cyber attacks. 

When government-run IT infrastructures are hacked it can impact the normal functions of city utilities, libraries, fire departments, emergency services, local law enforcement, and … the community’s citizens. Cybersecurity breaches like these also hamper the working of the government and threaten the integrity of private information.

In excerpts from an article by PacketLabs, They wrote, “Cyber attacks are not only weakening private businesses but also hampering administrative and executive work. Several municipalities and government offices worldwide have reported a loss of data and documents due to municipal cyber attacks. In the year 2020 alone, 44% of cyber-attacks targeted municipal offices.

Government offices store various information about citizens for their day-to-day activities as part of welfare and administrative work. As governments move into the age of computerization, government databases are also being digitized rapidly. So, the data stored by the government is a potential and attractive target for cybercriminals. The stakes are high because the stolen information can lead to fraud or crimes on a large scale.

The most significant drawback with software and equipment used by the government is that they are usually out of date. Municipal offices are more vulnerable to cybercrimes because their IT systems are not updated regularly like a private company’s. Even though they are insured against such crimes, data loss can still lead to a public outcry and damage personal reputation or property.

3 Municipal Cyber Attack Examples

Several instances of municipal cyber-attacks globally have raised concerns among citizens concerning the technological capabilities and security of large volumes of information stored by the government. Cybersecurity breaches like these hamper the working of the government and threaten the integrity of private information. Here are a few examples of municipal cybercrimes that have occurred in the past few years:

• Canadian Municipal Offices: The CBC reported the loss of confidential information from Canadian government offices at several levels. The estimated losses incurred by the government were between 3 and 5 billion dollars.
• Baltimore City ransomware: The city of Baltimore faced a ransomware attack. The attack derailed several administrative operations of the town and resulted in backlogs.
• Cockrell Hill, Texas: A city in Texas with about 4,000 residents was also the victim of cyber-crimes; the hackers got away with police department files. On being denied a ransom of four thousand dollars, the hackers erased the data, resulting in the loss of sensitive information related to crimes and criminals.

The Need for Action

The alarming statistics for municipal cyber attacks are a sure sign of how easy data storage can become a problem if the information is not adequately protected. The implications of a cyber-attack on a government office, such as a municipality, are often more harmful than they might seem on the surface. So, information security is a matter of great importance and should become a part of all governmental policies globally.”

Ontario, CA – Saint Mary’s Cyber Attack

Recently (July 2022) the Saint Mary’s municipality of Ontario, Canada experienced a cyberattack and a ransomware group threatened to publish stolen data. 

In an article by GlobalNews.ca they wrote, “As the town of St. Marys, Ont., coped with the aftereffects of a cybersecurity incident, which locked and encrypted its internal server, a notorious ransomware group threatened to release a swath of data purportedly belonging to the town onto the dark web.

St. Mary’s officials first became aware of the attack on July 19th, prompting staff to lock down the town’s IT systems and isolate its network to prevent any further damage, said Mayor Al Strathdee.

“Since that time, we realized that it is a malware attack. There was a message asking for ransom,” he said. “We have engaged a team of experts to help us through this and secure our network and we have been able to resume some operations. We also have the support of the OPP and legal counsel guiding us through what to do.”

In a media release Issued Friday, the town said that “cyber incident response experts” were working with St. Marys to determine the source of the incident, and to backup data and assess any impacts on its information.

“These experts are also assisting staff as they work to fully unlock and decrypt the town’s systems, a process that could take days,” the release read.

LockBit ransomware group involved

St. Mary’s spokesperson Brett O’Reilly confirmed to Global News that the incident was the result of the notorious ransomware group LockBit, which has been active since late 2019.

The group alleged Friday on its dark web portal that it had stolen 67 gigabytes worth of data belonging to St. Mary’s, including confidential data and financial documents. A countdown timer on the post stated that the town had until the afternoon of July 30 to pay the ransom or the data would be published, a tactic known as double extortion.

To date, the town has not paid the ransom, he said. “We’re going to act on our legal advice. As well, we’re engaged with the OPP and we’re waiting to take their advice and we will follow legal advice on all steps.”

CCCS notes that payment of a ransom doesn’t guarantee access to encrypted data, or that data stolen will be deleted by the ransomware group. “For example, threat actors may use wiper malware, which alters or permanently deletes your files once you pay the ransom.”

The LockBit ransomware group operates under a Ransomware as a Service (RaaS) model, meaning the people who carry out the attacks aren’t necessarily those who created the ransomware, said Brett Callow, a Vancouver Island-based threat analyst with cybersecurity firm Emsisoft.

“They effectively rent the ransomware and share a take of the proceeds with the people who created it. The people who carry out the attacks can and do work with multiple ransomware operations,” he said.

Ransomware is a growing threat to Canadian individuals and institutions, according to the Communications Security Establishment (CSE), Canada’s electronic intelligence agency.

Last month, the agency’s associate chief said in CSE’s annual report that the ransomware threat would be a “long-term problem, and something that’s going to affect Canadians for some time.”

The Reason Municipal Cyber Attacks are Increasing

Cyber attacks on municipalities are growing more rampant as government dependence on technology increases. According to excerpts from an article by NHMA, they wrote, “With the expansion of digital technologies such as mobile apps, sensors, and IoT, municipalities are becoming “smarter”, allowing interconnection between systems, people, and devices to improve infrastructure, efficiency, and convenience. 

Many municipalities are starting to invest in “smart” technology and increasingly, those that are not necessarily “smart cities” are evaluating how they can leverage technology to improve services and reduce costs.

However, the benefits of technology can also bring disadvantages for municipalities. As local governments become more high-tech, using Internet-connected systems and offering more municipal services online, they increase their vulnerability to a cyberattack. Without proper security protocols, municipal systems can easily be exploited by hackers by taking control of computer servers and knocking out public services, from traffic lights to water quality.

Local government networks are attractive targets for cybercriminals and are particularly susceptible to cyberattacks mainly because of the vast amounts of sensitive data they possess and maintain about infrastructure and their residents, including property tax information, social security numbers, tax and voter records. 

In addition, by law, government must be transparent. While open-government has made access to public records and information easier for citizens, it has also made it easier for cybercriminals to exploit public systems that contain sensitive information.

The Municipal Achilles Heel

Another reason municipalities are seen as prime targets by hackers is, unlike private businesses, they are less prepared for an attack. Local governments typically have limited budgets for upgrading networks and security systems, they often use outdated technology, and may not have dedicated IT staff to implement organizational safeguards to protect against the ever-increasing risk of a cyberattack.

With the cyber threats against municipalities only increasing, local governments cannot be complacent. Planning for a cyberattack is no longer optional and it is critical that local governments understand how to assess, mitigate, and prepare for those risks. Cybersecurity encompasses processes, standards, technology, and education, to protect computers, networks, and systems, including hardware, software, and data, from a cyberattack or unauthorized access. 

There are numerous technologies that local governments can implement, however, the most effective way to defend against cyberattacks is a layered approach that combines people, processes, and technology.

Local governments cannot afford to view cybersecurity as solely an IT issue or a problem that can be solved by technology alone. Cybersecurity should be viewed as a shared responsibility across the entire organization and requires a top-down approach that must include the entire chain of appointed and elected officials in local government. Local officials must be aware of the responsibilities that they have to ensure the security of personal information and the sensitive data they maintain.

Cybersecurity Assessment

The first step in improving cybersecurity is recognizing vulnerability. Most local governments do not have a complete picture of the security gaps in their systems and networks. To develop a cybersecurity program, municipalities must first conduct a comprehensive risk assessment across all departments, identifying potential risks, exposures, and areas for improvement. If a municipality cannot identify its cyber vulnerabilities it cannot expect to effectively defend against them. The risk assessment should identify the categories of risk that apply to municipalities, people, processes, systems, and vendors.

Local governments that do not assess their security weaknesses on a regular basis are most vulnerable. Oftentimes hardware, network equipment, software, and wi-fi access points are weak points. At a minimum, the assessment should identify the types of sensitive information that each department collects, where it is maintained, and who has access to that information within the organization. 

Once the risk assessment is finalized and potential vulnerabilities are identified, municipalities can create actionable solutions to address weaknesses in their system and direct resources to shore up security. Local governments should use their assessment as a focal point to bring together stakeholders to develop a comprehensive cybersecurity strategy. 

Preventing a Cybersecurity Breach

Cybercriminals target municipalities not only because of the valuable information they maintain, but because they are perceived as soft targets, often underfunded and unprepared. To be effective, cybersecurity risk mitigation requires both defensive and offensive strategies. While there is no one-size-fits-all approach that can prevent a cyberattack, there are several cost-effective strategies that municipalities can establish to manage cybersecurity risks.

***In addition to the recommendations below, Adaptive Office Solutions recommends Advanced EDR Software, Zero Day Exploit software, SOC and SIEM. 

Password Management Policy. One of the most important steps a municipality can take to prevent a data breach is to establish and enforce a password management policy for all employees. Employees should create unique hard-to-guess passwords for each account, computer, mobile device or wireless network, with at least 10 characters, containing a mix of upper- and lower-case letters, numbers and symbols. 

The same or similar passwords should never be used for different accounts or applications and sharing of passwords should be prohibited. In addition, it is essential that all personal mobile devices that access municipal networks and systems be password protected. For added security, passwords should be changed regularly (e.g., every 60-90 days) and never repeated.

Also, imposing strict session timeouts so that if a user leaves an account or application unattended for an extended period of time while logged in, the session will automatically time out and log the user off, requiring the user to re-enter their password to log back on. 

Multi-Factor Authentication. Since passwords are easy to crack, a password alone is not enough to protect municipal networks and systems from being breached. Implementing multi-factor authentication is an easy way to keep municipal networks secure. 

Multi-factor authentication is a security enhancement that requires a user to supply additional information besides just a username and password before being allowed to log into an account or gain access to a network or system [such as facial recognition or a code sent to a device]. 

Multi-factor authentication is highly recommended whenever employees request remote access to municipal networks and systems. While many apps and programs such as Office 365 already support multi-factor authentication, it is important not to overlook other critical software programs that are used by various departments.

Encryption. Local governments are tasked with safeguarding sensitive government data and personal information. Many employees routinely use laptops, USB drives and mobile devices to store and transmit sensitive data through e-mail, instant messaging, and other forms of digital communication. Lost or stolen laptops, USB drives and mobile devices that contain unencrypted data are the main cause of data breaches. 

While a password can prevent someone from logging into a lost or stolen laptop or mobile device, other means can be used to access and copy stored files and data. Encryption is an easy way to safeguard against unauthorized access to confidential data when a laptop, USB drive, or mobile device is lost or stolen. 

Encryption is where readable text, documents, or other data are converted into unreadable, scrambled code that can only be read by those authorized to access it with a password or security key. Local governments should consider what is called “full-disk” encryption, which can be used to encrypt data at rest. In addition, there are third-party cloud-based, hardware and software encryption solutions that can be used throughout an organization on servers, desktop computers, laptops, and mobile devices.

Stay Current with Updates. Routinely installing security updates as soon as they are released is an essential component of any cybersecurity program and can greatly improve a municipalities cyber resilience. Local governments that do not regularly install security patches and software updates on all devices, hardware and applications (e.g., antivirus software, browsers, desktop computers, laptops, mobile devices, operating systems, printers, routers, etc.) are vulnerable to attack. 

Much like how burglars check for unlocked windows or doors to break into a house, cybercriminals are constantly scanning for security vulnerabilities to exploit so that they can gain access to critical systems that have valuable data. Local governments should prioritize raising awareness about the importance of installing updates and require all employees that have access to municipal networks to regularly update all personal devices and apps as soon as they are available. 

In addition, software that is no longer supported with updates and security patches present weaknesses that can be easily exploited and should be disabled or deleted (e.g., Windows XP, Internet Explorer versions 10 and older).

Education and Training. Protecting local government networks from cyberattacks requires more than technological solutions. When it comes to cyberattacks, studies show that one of the biggest risks in any organization is its own employees. Cybercriminals often specifically target employees with phishing emails designed to get them to release sensitive information or click a malicious link. 

However, when they receive regular training on cybersecurity best practices and potential scams, employees can also be the first line of defense. Too often cybersecurity strategies focus on preventing external threats without addressing internal threats. The cornerstone of any comprehensive cybersecurity strategy is training.

It is imperative for local governments to implement comprehensive security awareness training and testing for all employees (including contractors, appointed and elected officials, and interns) and anyone who interacts with its networks and systems. 

Effectively training all municipal employees on cybersecurity issues is an essential component of any comprehensive cybersecurity program and should, at a minimum, include educating employees on how to recognize risks and potential cyber threats such as phishing scams, malware, and ransomware. Regularly educating employees on the risks of downloading attachments from unknown sources, using unsecured networks, sharing passwords, and social engineering can greatly reduce the threat of a cyberattack. 

Since cyber threats are constantly evolving, creating a culture of awareness requires ongoing education and training and is not something that can be done just once. Continuing cybersecurity education should be mandatory for all municipal employees throughout the duration of their employment.

Back Up Data. A backup of municipal networks and systems is the best way to avoid data loss and can be invaluable if a catastrophic event such as a ransomware attack, fire, theft, natural disaster, server crash, or user error occurs. In fact, one of the easiest ways municipalities can protect their networks from ransomware includes keeping regular backups of their systems offsite. 

Backups should be encrypted so that they are protected from ransomware. Local governments should maintain their backup at a secure off-site location and store it in the cloud as well. Also, just as important as the backup itself, is the periodic testing of backups to ensure that data can be restored. Having one backup copy is not sufficient – to be safe it is advised to enable two backup options with at least one copy off-site or on a different server in case of an on-premise disaster or outage. 

It is important to note that while most local governments regularly back up their systems, employees are less likely to back up their local drives or mobile devices. To prevent the loss of data in the event of a cyberattack, local governments should require employees that use mobile devices such as smartphones, tablets, and laptops to routinely perform full backups of both data and software programs.

Cybersecurity Policies and Procedures.  Cybercriminals exploit both human and technical weaknesses, to manage those risks local governments should consider developing written cybersecurity policies and procedures for all employees to follow. In addition, all cybersecurity policies should be shared with everyone with access to municipal systems and networks to ensure that they are adopted and followed. 

Developing an effective cybersecurity policy requires proactive planning by all municipal departments, identifying risks, and explaining roles and responsibilities. When developing their cybersecurity policies municipalities should consider adopting the NIST cybersecurity framework. The framework proposes a common set of best practices and risk management principles that can be applied across a broad range of organizations. 

It is important to establish and enforce data security policies and procedures that address acceptable use of email, file sharing, the Internet, laptops, remote access, and social media. Since employees increasingly use their personal mobile devices for work, it is important to have a mobile device policy to protect municipal networks and systems. 

Another way local government can improve cybersecurity is by having an access management policy, granting access to confidential data and critical IT systems only to those employees who need it as necessary to fulfill their job responsibilities. It is important to keep in mind that as technology and cyber threats change, security policies and training should be updated on an annual basis. Also, local governments should periodically review their policies to ensure compliance with all applicable laws and regulations.  

Vendor Management. Many smaller municipalities often outsource functions and rely on third-party service providers and other vendors for a range of services such as credit card processing and payroll services. To combat cybersecurity threats local governments must conduct adequate due diligence and risk management assessments on all third-party vendors that have access to any confidential data and that interact with municipal networks and systems, verifying that they are capable of complying with all relevant data security laws. 

This can easily be accomplished by having vendors complete a comprehensive due diligence questionnaire. In addition, municipalities should require all vendors to provide security documentation. Furthermore, municipalities should impose contractual obligations on vendors, requiring up-to-date on-time patching of vulnerabilities, prompt reporting of potential cyber incidents, cooperation in investigating an incident and preserving relevant evidence, etc. 

As part of their ongoing third-party due diligence, local governments should evaluate vendors for compliance and risk on an annual basis. To effectively manage vendor risk, local governments should consider creating a vendor database to collect and store due diligence information, risk ratings, and monitoring information. The database could also include current and past versions of contracts as well as exceptions to vendor policies and procedures.

Incident Response Planning. A common refrain in the cybersecurity industry is “it’s not if, but when” a cyberattack will occur. Just as local governments routinely prepare plans for the continuity of operations in the event of a natural disaster, they must also prepare plans to restore critical computer systems and networks as quickly as possible in the event of a cyberattack. 

The time to develop an incident response plan is not in the wake of a cyberattack. Prior to a cyberattack, local governments must proactively develop a comprehensive written incident response plan. Only with a documented incident response plan can consistent action and mitigation measures be taken. An incident response plan is a set of procedures designed to identify, investigate and respond to a cyberattack in a way that reduces the impact and allows the municipality to return to normal operations as quickly and efficiently as possible. 

Local governments should consider using resources like the NIST cybersecurity framework when developing an incident response plan. An effective incident response plan should include a step-by-step plan to determine the nature and extent of the incident, specifying the actions to be taken and identifying the roles of key employees, vendors, and other stakeholders for each step in the plan.

Communication. Every local government relies on critical services and communication systems, that would significantly impact its ability to function if compromised. Communication is crucial during any disaster or emergency, including a cyberattack. In the event of a cyberattack that knocks out municipal servers, electronic communications such as email, instant messaging, and texting may be shut down, potentially impacting the delivery of critical public safety services such as emergency medical personnel, fire, and police, which rely on access to computer systems and networks to communicate. 

Local governments need to be prepared to communicate using different forms of communication during a cyberattack. It is critical that, as part of their incident response planning, local governments include procedures on how the organization will communicate and coordinate after a cyberattack, including how to inform residents which services may be impacted.

Conclusion

Cybersecurity is a critical issue for all municipalities regardless of size or location. While many local governments may cite a lack of funds or resources for not being cyber resilient,  as discussed above, many security measures are simple and low-cost, such as having a password policy, keeping software, browsers, and operating systems updated, and providing on-going staff training and education to prevent cyberattacks.

As local governments leverage new technologies, it is critical to understand not only the new security risks that go with them but the growing cybersecurity challenges as well. Cybersecurity is a permanent state of vigilance and is not something that local governments can achieve with a “one and done” approach. As cyberattacks on local governments become more commonplace, municipalities should view cybersecurity as the new normal.”

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. 

To schedule your Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca