Ransomware and other types of cyberattacks against local and city government agencies are on the rise. Last month, the City of Baltimore was hit by a ransomware attack that caused most of its servers to shut down, disrupting many city services. A month later, the city is still not back to full operating capacity, and the estimated cost now exceeds $18 million in lost or delayed revenue, as well as costs for contractors and hardware to repair the damage.
Also last month, Philadelphia’s digital court system was shut down after a virus was detected on multiple computers in one of the city’s judicial districts. The system is still not fully operational, causing the city to implement work arounds for many of its daily tasks.
And earlier this week, Riviera Beach Florida, agreed to pay a ransom of roughly $600,000 worth of bitcoin to end an attack that has been ongoing for several weeks. The ransom is in addition to the $900,000 Riviera Beach is also paying for new IT equipment.
These are just a few recent examples of the growing trend in cyberattacks against local governments. These agencies are being increasingly targeted for several reasons:
Larger state and federal systems have the same problems as local government agencies, only magnified. In fact, the public version of a report released this month by the United States Government Accountability Office (GAO), highlights the ten most critical federal legacy IT systems in need of modernization. Ironically, at the top of the list is the Department of Health and Human Services (HHS), whose Office for Civil Rights (OCR) is charged with the enforcement of HIPAA privacy and security rules. The GAO report found HHS operating with decades old hardware and a lack of an IT modernization plan, and identified the agency as a high security risk.
Regardless of the size of the agency, the basic tools to combat cyberattacks are the same. Agencies must invest in the hardware and software necessary to maintain modern systems. They must have policies and procedures for the appropriate use of these systems, to protect the privacy and security of data, and to guide the agency’s response when incidents do occur. And, agencies must have well-trained and educated staff that are able to recognize and avoid falling prey to phishing attempts.