Posted by George G. Fournaris, CPA CGFM
The City of Atlanta has gotten a great deal of unwanted publicity since it fell victim to a ransomware attack in March 2018. The City decided early not to pay a $51,000 ransom demanded by the cyber-attackers. Since then, it has been reported that the City has spent between $2.6 million and $5 million to restore vital services. As of mid-May, services were only 90% restored, the Water Department still could not accept phone payments, and the Municipal Court was still operating using paper records.
All industries are vulnerable to ransomware and other cyber-attacks; however, county and municipal governments may be particularly sensitive. In government, information technology is subject to budgetary constraints and competes for scarce resources with policing, firefighting and pensions. It is often difficult to make the case for an important, but not well-understood, function to City Councils and citizens. Related to this, county and municipal governments cannot compete with tech companies and the private sector to attract talent. Even with good people, training budgets are limited. IT systems and software used by county and municipal governments are often old and contain exploitable weaknesses. Some major US cities are operating 1970s-era revenue systems.
While some IT departments may be underfunded, county and municipal government networks are rich in valuable data treasured by hackers and other cyber-criminals: wage, business, and other tax data; mortgage documents, deeds and other property records; medical records; social security numbers; and other personal information. Citizens turn over all this information, assuming that it will be kept secure. If this data is compromised, thousands of citizens could suffer identity theft and financial losses. The responsible government has large potential liabilities when this type of information is hacked.
With ransomware attacks, there are other costs, beyond the ransom demand.
- Ransomware recovery and resumption costs. These costs include the cost of computer investigations, the identification and deletion of malware, restoring backups and re-imaging systems. Most county and municipal governments do not have a security response team in-house and would need to bring in expensive outside consultants to help with recovery. Technology may also need to be upgraded or replaced.
- Cost of downtime during and after a ransomware attack. In November 2016, a ransomware attack took down ticketing systems in San Francisco’s public transit system. The city lost fares for more than a day while security engineers worked on fixing the issue. Atlanta’s IT operations were completely down for the first five days after the March 2018 attack and took many weeks to be restored. The amount of lost productivity of its 8,000 employees is staggering.
- Downstream processes affected. A government does not operate in a vacuum. When a ransomware attacks shuts down operations, vendors do not get paid, permits cannot be issued and billings do not get mailed. More seriously, when emergency-response systems are affected, lives are put at risk.
- Breach costs. When it is determined that a systems breach has occurred, the government is obligated to incur breach notification, crisis communication,and legal costs.
- Reputation costs. Although difficult to quantify, reputation costs can be enormous. Citizens that hear of a ransomware attack may be reluctant to trust the government in the future. No government leaders want to be in a situation where media outlets are reporting on how sensitive user data was lost. In the case of Atlanta, there is speculation that the handling of the ransomware incident could have a negative impact on Atlanta’s Amazon Headquarters bid. One just cannot put a price tag on a damaged reputation.
If government officials and managers better understand the dangers of security breaches and ransomware, they can better protect government systems. County and municipal governments should establish a standing information governance committee and program charged with developing an information security framework and security policy. Some of the steps that should be included to help defend their systems include:
- Back up data – Backups are the foundation of a data protection strategy and having a set of archived backups will ensure that the government has a copy of its data before it was infected with malware or ransomware.
- Keep computer operating systems updated – Most malware and ransomware exploit known system vulnerabilities. Keeping systems current with supported operating system and security updates will stop most attacks.
- Use antivirus software – Updates are important but running antivirus software is also required to make sure that systems have protection from known malware and ransomware.
- User training – Knowledgeable users are the first line of defense. Educating them on the nature of malware and ransomware can help prevent the initial infection. Many ransomware attacks are spread through phishing emails that entice users to click on them thereby executing the initial malware attack. According to the Harvard Business Review, 90% of breaches occur because of an internal mistake and 60% of breaches are a result of internal attacks.
If you have questions regarding cybersecurity issues in your organization, contact a member of our government audit team.