Cyberattacks against municipalities are in the news, so much so lately, that they are becoming commonplace. That’s unfortunate for the affected communities and their citizens, as they experience lost time, resources, data and even money.
Cyberattacks against municipalities are in the news, so much so lately, that they are becoming commonplace.
That’s unfortunate for the affected communities and their citizens, as they experience lost time, resources, data and even money.
There are “inherent weaknesses in those types of organizations getting preyed on,” said Nathan Drager, founder and president of Quantum PC, a managed information technology business headquartered in Sturgeon Bay, Wisconsin. Town Web Design LLC partners with Quantum PC to offer managed IT services called Quantum Care to municipalities.
Municipalities store a lot of information and public records. While it’s not personally identifiable information, like social security numbers, or financial information, like credit cards, it’s still important. And municipalities may be required to keep information for a certain time.
“Hackers have fixated on these types of businesses or organizations,” Drager said, noting there are “weaknesses in the system and value in the information.”
Two recent cases in Wisconsin – in Oshkosh and Racine – resulted in downtime for websites and internal systems, such as email. News reports indicate the hackers were believed to be members of a well-known Russian group, although there was no mention that ransom was requested from either community.
Cyberattacks are usually financially motivated, Drager said. Typically, hackers use ransomware to encrypt data and require money to unlock it.
The long-term way to stop attacks, Drager said, is for municipalities, businesses and individuals to stop paying ransom.
Aside from the money, there’s lost time and resources. Systems can be shut down for hours or even days or weeks.
Whether a municipality has an in-house IT team or uses a managed provider, being down for more than a few hours is “completely inexcusable,” he said.
The solution is to have daily backups stored off site to use to restore a website or IT system. It’s the “only 100% safeguard measure against ransomware,” Drager said. While it’s important to scan for malware, double check all systems and protect against intrusion, at “the end of the day, you still have to have a solid backup that’s off site that can’t be contaminated.”
Town Web automatically backs up its municipal websites daily onto two servers in different locations, so if something happens to one, there is a fresh copy on another server. If a Town Web customer’s website was hacked, a backup would be readily available, and Town Web staff would take care of restoring the site quickly.
Town Web and Quantum PC use cyber security systems and follow best practices to keep their businesses and clients secure. Even so, a user could allow someone to log on to a computer, disable a firewall and get into the system. The only way to restore it would be through a backup, Drager said.
“A website may not have data compromised, but if it did, we have a backup, because that’s the surefire mechanism to recover,” Drager said.
All municipalities should seek protection for their websites and information technology systems with in-house or managed IT services. However, that isn’t without danger.
Drager’s business recently took over managing the IT system for a village with 16 employees that had been managed by a large IT firm. “I assumed they had very sophisticated systems in place,” Drager said. He was “very surprised” to learn staff were responsible for rotating external drives for backups. Staff had fallen out of practice of rotating them, and they weren’t sure what they were or if they worked.
Backup systems need to be automated and routine, Drager said, to ensure they will work when they need to.
“They didn’t have a major issue arise, but they had a false sense of security,” he said. What if it hadn’t worked? It could have taken days to rebuild, and during that time, employees would have been without email and access to records and unable to accept payments.
Drager suggests municipalities look for a provider with a proactive approach, not just someone you call when disaster strikes. “You need someone that is monitoring the machines and automatically maintaining them,” he said. A good provider will offer help desk support and a legitimate ticket system for issues, managed security software on all computers, and maintenance by IT professionals, not individual users.
Quantum PC has been able to help some communities through a Wisconsin Elections Commission grant program. The grants allowed municipalities to purchase third-party managed IT services, such as the Quantum Care program offered by Quantum PC.
“We learned a lot about election security through that,” Drager said. “It really comes down to what the government wants and … best practices.” The grants require a clean machine on a network monitored for foreign intrusion with security software installed. The computers are protected physically and virtually to prevent tampering or hacks during elections.
This is very different from the experience of many clerks who have a laptop they will take home and use for other purposes. Drager said a clerk in a small municipality may drive to Best Buy and buy a laptop and use it out of the box, with third-party applications installed and no security software.
That unsecure laptop also may be located in a shared municipal building, such as a library or a fire department, where members of the public have physical access to a network.
Drager also sees municipal leaders use Yahoo or Gmail for government email, which can lead to phishing attacks in which users are targeted through email. He encourages municipalities to use a business class email domain rather than a free consumer email address for conducting government business. Not only does it look more professional, it adds a lot of extra security, protection and spam filters for users, he said.
While funding may be an issue for municipalities, Drager said lack of knowledge may be a greater hindrance.
“Some of it is not having the awareness,” he said, “not really understanding that this is important or that there’s a need to secure the machines” and systems.