In the November 23, 2019, CERM Risk Insights issue #256 I discussed the problem of Ransomware in government. I also discussed the multiple cyber-attack risks in my book on implementing ISO 31000: 2018 in government. These discussions presented individual examples, in January 2021 SOPHOS, a software company in the United Kingdom, conducted an international survey to determine the extent of Ransomware attacks worldwide.
This article discusses the results of the government sectors’ response to this survey. (Ransomware attacks in this survey was defined as having multiple computers being impacted by a ransomware attack.)
Scope
The survey was conducted between January and February 2021. The survey was sent to 5,400 IT decision makers. The objective of the survey was to determine the extent of ransomware attacks. The survey covered fourteen economic sectors. While the focus of this piece is government, it is important to understand how government compares to the other sectors in term of ransomware attacks. (1)
The two sectors which reported the highest level of ransomware attacks were Retail and Education with 44%. The second was Business and Professional services with 42%. Central Government with 40% was third. Local Government with 34% ranked tenth. The lowest reporting sector was Distribution and Transport at 25%.
The responses indicate that all fourteen of the sectors were hit with ransomware attacks. The difference being the focus of the attackers. Except for Distribution and Transport, at least 30% of the respondents in each sector reported attacks. By any measure that is a significant number. Thus, a ransomware attack is a significant risk that all sectors of the economy need to consider. This is especially true of government.
Government Response
Two hundred and forty-eight responses were received from government organizations. There were 117 responses received from central governments and 131 from local governments. The table below shows the break down by geographic region.
| Region | # Respondents Central Govt | # Respondents Local Govt |
| America | 29 | 39 |
| Europe | 52 | 27 |
| Middle East/Africa | 16 | 18 |
| Asia Pacific | 20 | 17 |
| Total | 117 | 131 |
The responses indicate a wide geographic distribution dominated by Europe for Central Government response and America for local government. The distribution between central and local government is somewhat reflective of the difference in number between central and local government. Recognizing that each level may have a different ransomware experience the discussion of the responses are separated for central and local government.
Central Government
The survey found that 40% of central governments were hit by ransomware attacks in 2020. Of these, 49% said the attackers succeeded in encrypting their data. Another 13% did not have their data encrypted but were held for ransom anyway. According to the results, this is the highest percentage of extortion among all the sectors in the survey. In other words, hackers, even when they have not been able to encrypt data, have found central governments easy targets to extort.
Looking at the subsequent action taken, it was found that 61% of those whose data was encrypted used backups to restore data. More broadly, 81% of the central governments had a malware incident recovery plan. This percentage is the second lowest of all the sectors sampled.
The survey determined that the average cost for recovering from a ransomware attack, including downtime, labor costs, device costs, network costs, lost opportunity, and ransomware paid, averages $1.37 million in United States dollars.
In summation central governments are vulnerable to cyber-attacks, particularly ransomware. The results also indicate that central governments are not as prepared as the private sector to recover from such attacks.
Local Government
Local government respondents indicate that 34% were hit by ransomware in 2020. Of these, 69% indicated that attackers were successful in encrypting their data. Forty-two percent of those who were attacked paid to get their data back. Backups were used to restore the data that was encrypted by 42%. With respect to responding to the attack, 73% had a malware incident recovery plan. This is the lowest level of all respondents. The average cost of ransomware attacks was $1.64 million.
The survey demonstrates that local governments are vulnerable to ransomware attacks. These attacks are costly. By in large, local governments are not as well prepared to deal with them as other sectors. A major constraint is resources. Except for large municipalities, local governments cannot match the private sector when competing for cyber security talent. A further complication, as I point out in my book, is that many of their computer systems are older legacy systems which are expensive to replace or upgrade.
Summary
Ransomware attacks are a serious risk to all sector of the economy worldwide. Governments are particularly vulnerable because they often lack the resources needed to compete for the cyber-security talent necessary in today’s interconnected environment. In addition, their computer systems are often older systems. This makes government an easy target. It also makes government a profitable target in terms of likelihood to pay ransomware.
Local governments are the least prepared to deal with ransomware attacks and more willing to pay ransomware attackers to retrieve the encrypted data.
Regardless of level the average cost to recover from a ransomware attack is substantive, averaging $1.37 million for central governments and $1.64 million for local governments.
Endnote
- SOPHOS, 2021, The State of Ransomware in Government 2021, https://secure2sophos.com/en-w/medlibrary/Gated-Assets/white-papers/sophos-state-of-ransomware-in-government-2021-wp.pdf.
Bio:
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence, and a Certified Enterprise Risk Manager. He has work for federal, state, and local government. He has over ten year’s supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality and risk management. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon. He is the principle of JK Consulting. He can be contacted on LinkedIn. (My e-mail was hacked. For those who received a request for money, it was not from me. I apologize. I am working to resolve the issue.)