Ransomware attacks are a fact of life these days. In 2018, there were only 55 publicly reported attacks and less than $60k in demanded ransom followed by 2019 with more than 163 ransomware attacks targeting local governments that ended with at least $1.8M paid to cybercriminals.
Cybersecurity experts reported an 800% surge in cybercrime since the start of the pandemic, with approximately 4,000 cyberattacks occurring every day. Atlanta and New Orleans were well-publicized ransomware events spending $17M and $7M respectively to recover. The reality is that this has become commonplace.
Roger Murphy, Avenu’s Director of IT, has lived through such an attack and here’s what he learned. Everyone thinks they’re prepared until it happens. And the clock will start ticking before you know you have a problem which puts you in a position of playing catch-up from the very beginning.
The truth is ransomware attacks are so disruptive to an organization that many of the following insights can also be applied to any disaster scenario, like a fire, earthquake or hurricane.
Preventative measures are necessary, but nothing will provide you with 100% protection. Most organizations have taken reasonable measures to prevent cyber-attacks such as having employee policies in place to ensure acceptable behavior occurs. In addition, the IT infrastructure and applications that support the business are usually in a supported state with protections in place. But roughly 70% of Ransomware occurs via Phishing; meaning that one person on your staff can innocently click on the wrong link or attachment in an email or text and put an entire organization at risk. You will not know this has occurred until the moment you cannot access your files and you receive a ransom note informing you that your files have been encrypted.
One afternoon, an accountant in an organization received an email from an individual claiming to have paid a late invoice. All the accountant needed to do to claim the payment was to click a link and provide their email credentials, which they did. Email is a goldmine of information and at the center of authentication in any organization. Once those credentials are stolen, the sky’s the limit for attackers.
Once the attacker got their hands on the accountant’s email credentials, they logged into the accountant’s email and studied the organizations wire transfer approval process by searching through emails. The attacker then used previously sent invoices and forms to fabricate an approval email chain that the attacker then sent to the wire transfers department. Suffice to say, the attacker walked away with a lucrative sum of money.
Cybercriminals using email to attack businesses are becoming more and more effective at evading detection – technology alone is only marginally effective at blocking these new email threats.
Organizations must educate their workforce so that employees can recognize threats and take appropriate action to protect the organization.
So if 100% protection does not exist, what should local governments be doing? There are 4 important questions you must answer to help guide you.
1. Do we know we are being attacked?
Cybersecurity architecture is one of the core components of digital safety. Poorly designed or shoddily implemented digital systems can entail significant cybersecurity vulnerabilities. It’s not necessarily a matter of bad technology; cybersecurity is as much as about how well you’ve built new technologies into your existing systems and communication channels as it is about the quality of the technology itself. Good data backups, up-to-date cybersecurity software and secure network connections are all parts of good cybersecurity architecture. And nowhere is the importance of cybersecurity architecture more evident than in our remote workforces today. The architecture that is implemented must also be supported with the tools and capability to alert you that you are under attack, or that you have been compromised.
2. Can we stop an attack?
Once alerted that you are under attack or that you have been compromised, you must have the capability to stop it. Using tools and security systems that include automated responses can accomplish this. The use of AI, and the use of machine learning to stop the attack is critical due to the complexity of the attack and the speed at which damage can occur. Without this capability, you are leaving the action to stop the attack to your staff who will follow policy and procedure. The inherent delay in this type of response allows significant damage to occur to your environment. Time is not on your side during an attack.
3. Can we safely restore or recover?
You must be able to restore and recover the environment. It is critical that the backup policies that are put in place address how frequently you want to take backups (Recovery Point Objective or RPO). RPO is concerned with the amount of data that is lost following the event. Losing citizen transactions can be catastrophic so the more frequent the environment is backed up means that if there is an event you will lose less data.
It is equally critical that you address the amount of downtime you can tolerate (Recovery Time Objective or RTO). RTO is concerned with applications and systems and amount of time those systems can be down. Within Public Safety organizations for instance, the tolerance for downtime can be zero or only a few minutes. Having the capability to ensure the infrastructure and applications to come back online quickly must be factored into your decisions.
4. Do we have action plans already in place so we can jump into action?
As an organization, we rely on our partners, suppliers, and vendors to help us deliver goods and services. It is critical that they understand our needs should we be attacked, and that we have a plan of action in place with each of them. In one case study, we needed 500 disk drives to replace those that had been destroyed during a Ransomware attack. Our partner at the time could not deliver that quantity. That left us in a very difficult situation, and we had to scramble to find those disk drives. I recommend that you have agreements in place with your partners so that you have the capability to quickly recover.
Within the organization, we rely on our employees to help us stop these attacks. Here are some key takeaways to remember:
Want to learn more about ways of making your organization better prepared and more secure? Please reach out to us at firstname.lastname@example.org.