By Russ Cohen, Vice President of Cyber Services, Chubb

From large metropolitan cities like Atlanta to smaller communities like Key Biscayne, every city in America is vulnerable to cyber-attacks.

In fact, according to the Chubb Cyber IndexSM, cyber incidents for public entities have tripled over the past three years. Further, the index data also shows that 77% of the cyber claims reported by Chubb’s public entity clients in 2018 were the result of external actors.

What’s behind these numbers? During these attacks, bad actors exploit public entities’ employees through phishing emails—which then allow these adversaries to deploy ransomware into a municipality’s network. In turn, adversaries are able to bring an entire system to a halt. Fortunately, there are a number of risk mitigation steps municipalities can take to help safeguard their systems, which begins by understanding what makes municipalities the ideal target.

Increasing Vulnerabilities in Dollars and Data

While both the public and private sector are vulnerable to ransomware attacks, there are several characteristics specific to municipalities that lead adversaries to target them more nefariously.

Like most local government debates, it generally starts with a question of funding. Particularly, cybersecurity funding for smaller municipalities is generally not as robust as other for-profit companies. Thus, cities and towns alike may lack the proper resources and expertise to upgrade equipment, install proper security software and perform adequate data backups.

It’s not just citizens’ social security and tax information that makes municipalities ideal targets. If adversaries gain unfettered access to a municipality’s systems, they can alter everything from traffic lights and 9-1-1 systems to employee payments and official document records. In turn, if emergency systems are affected, adversaries often feel emboldened to demand a higher ransom—as a municipality will likely want to resolve the situation as quickly as possible.

During any cyber event, it can be difficult to know the right move to make—how do you know when to pay a ransom or not? One critical element to keep in mind when weighing this decision is that, ultimately, the affected institution is responsible for any financial loss, safety issues, or wage disruption that might occur from a cyber incident—not to mention, there are also reputational and non-financial implications associated with these events. Often, the cost of paying a ransom can be less than the alternative.

In March 2019, a large county was forced to pay $400,000 in crypto-ransom after a ransomware event compromised its network, but also the entirety of its online backup. Because these information reserves were also compromised, they had little choice—it was ultimately less expensive for them to simply pay the ransom than it would have been to build a new system from scratch.

Compounding this issue is that while ransomware attacks are becoming more sophisticated, bad actors now have the ability to destroy records instantaneously. This fact has the potential to permanently cripple city-systems in the event that their files are not only compromised but also erased. These newfound consequences have also led to a significant rise in costs associated with these attacks; and as a result, public entities now often face six and seven-figure payout demands.

To make matters worse, municipalities’ cyber risks are not self-contained. As we get closer to having fully integrated smart cities, the increasingly interconnected nature of municipalities has led to a heightened cyber risk for all businesses. Ultimately, without proper cyber security protections in place, municipalities can be a weak link that allows bad actors the ability to infiltrate the larger business community, subsequently giving them access to a vendor, supplier, and partner data. In essence, municipalities can form the center of a spider’s web, with the larger business network and local community branching off and expanding from that center—like a spider, ransomware attacks have the potential to travel across the entire “web” of this interconnected ecosystem through each and every silky branch.

Pinpointing the Root Cause

Once municipalities understand why they are prime targets, they should then turn to how adversaries penetrate their systems.

Put simply, in order to deploy these calculated ransomware attacks, bad actors often exploit human vulnerabilities in city systems. For instance, these attacks can be triggered by an unsuspecting employee who opens a malicious email on a computer that is not properly protected. In doing so, these bad actors infiltrate the system and gather and hold vital data hostage until their demands for untraceable cryptocurrency payments are made.

To make matters worse, once one device is infected with ransomware, the malicious code can spread to other unprotected devices on the network. Often, the virus can do so without being noticed and may stay in the background for days, weeks, or even years—all the while, rooting itself deeper into a system—adding to the troves of hostage data and allowing adversaries to demand exponentially more for its release.

Fighting Back

While the threat can seem overwhelming, there is risk mitigation best practices municipalities can take to reduce their exposure.

To start, city employees should be taught to recognize the warning signs of potentially malicious content—such as, the inclusion of suspicious links, emails sent at an unusual time, misspelled words or an unrecognized sender—and should know exactly who to contact if they suspect something is awry. Employees should also have comprehensive social media education sessions, focusing on the dos and don’ts of posting online and what type of content can make them a target.

Beyond employee training, local governments should upgrade their email security practices to help block malicious emails at the perimeter. They should also install anti-malware protections and ensure the regular backups of all files and information. Backups should be scheduled (daily, weekly, monthly) and stored in a separate secure location (external drive, cloud) to prevent the backups themselves from being corrupted during a breach. Backups should also be tested from time-to-time to ensure they are usable and adequately protected.

However, no prevention tactic is perfect, so in addition to the appropriate preventative steps, a broad cyber insurance policy can help offer additional peace of mind. If a ransomware attack does occur, insurers—like Chubb—provide policyholders with access to forensics providers, IT and security professionals, and legal counsel to recommend the best course of action for each unique scenario. In many cases, an insurer can also connect municipalities with cybersecurity software vendors whose products are specifically designed for their needs. Such platforms can offer municipalities another way to help prevent ransomware attacks and contain the spread of malware to connected devices, in the event of a successful attack.

In an interconnected world where cybersecurity risks are ever-evolving, threats will always be present. However, taking the right steps can afford you the knowledge that your community is protected, no matter what.

About the Author

Russ Cohen serves as Chubb Vice President of Cyber Services, managing all policyholder services associated with the company’s pre- and post-incident cyber services, as well as supporting innovations in underwriting, data analytics, and predictive modeling associated with enterprise cybersecurity risks. Russ can be reached at russ.cohen@chubb.com and our company website is www.chubb.com.