In my last piece I discussed an international survey on ransomware attacks. The emphasis was on risks associated with attacks on government organizations. The survey found that both central and local governments were vulnerable to such attacks. Thus, the risk was substantive. Further, in many cases, governments paid the ransom to get their data unlocked. The survey also showed that governments, particularly local governments, were not well prepared to deal with such attacks. The willingness to pay and the lack of preparedness make governments a ripe target for ransomware attacks.
This piece looks at the recommendations made in two blogs on how to prepare for ransomware attacks. One is by Lisa Thompson. It appears in the ICMA blog dated June 4, 2021. (1) ICMA is the professional association for City/County Management. The other, also in 2021, is by GovPilot. (2) GovPilot is a software firm in the United Kingdom focused on government cyber needs.
I chose these two for several reasons. First, they show a consensus in several areas on how to prevent ransomware attacks. Second, while there is a consensus in some areas, there are differences worth noting. Third, many of the recommendations are relatively inexpensive to implement. This makes them easier to implement in times of budget constraints.
ICMA Blog
In her blog, Lisa Thompson lists four actions considered best practice. These are:
- Updates and Patches
- Antivirus Software and Firewalls
- Awareness and Training
- Backup and Recovery
The importance of updating systems and patches can be seen in the following statement. “Failure to timely update and patch all systems and devices that have access to municipal systems is like leaving your front door unlocked when you leave on vacation.” (3) Hackers look for weak points in the computer system. If there is a flaw that another hacker exploited, others will attempt to exploit the same flaw. Thus, it is important to ensure that system updates and patches are current. This can be done automatically or by having reminders on calendars.
One area of risk in which generic system updates or patches may not be as effective is upgrading legacy systems. As one commentator noted:
“For local officials throughout the country, the shift from old-school servers to rented cloud storage has made it tougher than ever to fund upgrades. They can budget physical equipment as capital expenses, meaning they could issue bonds to pay for them. But cloud computing is a service, … which means officials have to pay for it with operating funds – the same pool of money that goes towards addressing more tangible demands, such as parks and cops.” (4)
Having the resources needed to afford upgrades is one problem. Deciding how to prioritize spending in an increasingly risk-impacted environment requires an approach which helps identify and prioritize risks. An Enterprise Risk Management process, while not mentioned in either blog, can help define and prioritize the actions management should take based on risk.
The second best practice is making sure that basic security measures, such as updated antivirus software and firewalls, are installed in the system. Here too, automatic scans for antivirus and checks on the firewall need to be done on a regular basis.
The third listed best practice is to train employees. Employees need to be aware of the risks of attacks and simple steps they can take to prevent them. Like updates, this training should be conducted regularly.
The last best practice is one which the survey showed is the most problematic. Governments need to have backups to their systems and have a recovery plan. The backups are copies of the system’s data files. The backups can be used to quickly restore data encrypted by ransomware hackers. The backups should be made on a regular basis. They should be encrypted and stored off site. This reduces the chance that any malware or data corruption which might inhibit restoration of system data will occur. In addition, there should be a cyber-attack incident plan in place. The plan should include a) how to detect a cyber or ransomware attack, b) a list of people to contact when an attack is identified and c) procedures to follow to reduce the adverse impact of any attack.
Several of the recommendations above are like those suggested in the GovPilot blog.
GovPilot
The GovPilot blog makes six recommendations. They are:
1. Begin Using Cloud-Based Technology.
2. Switch to a .gov Domain.
3. Encrypt Sensitive Information.
4. Encourage Use of Secure Passwords for All Employees.
5. Train Employees on Cybersecurity Hygiene and Identification of Phishing Emails.
6. Utilize Two-Factor Authentication.
Items 1 and 5 are like those suggested in the ICMA blog. GovPilot has its own take on item 1 in that it recommends the use of GovPilot’s platform. While GovPilot is recommending its own platform when it cites the benefits, listing some of them gives an idea of what is available from the private sector. Some of the benefits of using cloud technology are:
- Automatic updates every 15 minutes
- Scheduled updates of software, packages, plugins, and servers.
- Upkeep and maintenance of cloud-based technology are more cost effective.
The second recommendation is to switch to a .gov Domain name. This increases website security. A .gov domain automatically includes two-factor authentication for all users. This helps with items 4 and 6. The encryption of sensitive information is also suggested. The use of passwords should be ubiquitous. Similar to Lisa Thompson’s recommendation, GovPilot stresses continual cyber-security training and awareness.
The last recommendation is the use of two-factor authentication. This is a security feature which sends a computer-generated numerical code to a cell phone or email address associated with the user. The received code is then entered into the computer, thereby verifying that the user’s identity and cell phone number or email are aligned.
Summary
Ransomware attacks are a global problem. This is particularly true for government. Many governments are not as well prepared as the private sector to respond to such an attack. The two blogs discussed above provide some guidance on protecting from ransomware attacks or having to pay ransom if such attacks occur.
The two blogs have a substantive degree of commonality in the recommendations. The three most important are as follows. First, make sure employees are continually trained and updated on cyber threats and security measures. Second, have a cyber-attack recovery plan. The plan should detail who does what, when and how. Lastly, all critical data should be backed up on a regular basis. The backup can be a hard copy stored securely off site or in the cloud. Depending on the frequency of backup, the availability of stored data will reduce any data loss due to a ransomware attack.
Endnotes
1. Thompson, Lisa N., 2021, “Practical Measures for Local Government to Avoid Ransomware”, ICMA Blog Post, June 4, https://icma.org/blog-posts/practical-measures-local-governments-avoid-ransomware
2. GovPilot, 2021, “Government Cybersecurity 2021: How to Prevent Ransomware Attacks”, https://www.gov.pilot.com/blog/government-cybersecurity-2021-how-to-prevent-ransomware-attacks
3. Thompson, Lisa, page 4.
4. Varghese, Romy, 2019, “American’s Cities are running on Software From the 80’s”, Bloomberg Business Week, February 28, page 1. https://www.bloomberg.com/articles/20-19-02-28/american’s-cities-are-runing-on-software-from-the80’3.
Bio
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence, and a Certified Enterprise Risk Manager. He has worked for federal, state, and local government. He has over ten years’ supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality and risk management. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon. He is the principal of JK Consulting. He can be contacted on LinkedIn.