Lessons learned: Ransomware edition
Ransomware attacks on municipalities grow in frequency and expense
By Laura Haight
Originally published as The Digital Maven in Upstate Business Journal
Baltimore, MD; Albany, NY; Lake City, FL; 22 cities and towns in Texas. These are just a few of the 40 municipalities that have been hit by ransomware attacks this year alone. That doesn’t take into account attacks on airports (Cleveland), state departments (Colorado DOT), and school districts (Syracuse, NY and 12 others in one two-day period last week).
According to Symantec, ransomware is now the “weapon of choice” not just for hackers and crackers, but for nation states trying to obtain capacity-building funding. That’s because it works. GovTech (bit.ly/2kdKLYE), a website focusing on government technology issues, reports the financial toll of ransomware is exploding: In 2017, targets paid $5 billion, 15 times the tab in 2015. And the 2019 damages are expected to hit nearly $12 billion.
So many incidents, so much coverage. So surely there are lessons to be learned by both businesses and municipalities. You bet.
Lesson One: Not paying the ransom is costly but right. The US Council of Mayors recently agreed unanimously to a policy that municipalities across the country would NOT pay extortion in the form of ransomware to hackers. (bit.ly/2knh47l) That’s a lofty goal and only time will tell if it’s a sustainable position. But municipalities also need to accept that recovering from a ransomware attack is often far more costly – and certainly more time consuming – than the ransom itself. In March 2019, Atlanta was hit with a ransomware attack that took out systems from the police department to the libraries, and, of course, the busiest airport in the US. The attackers asked for $50,000 in bitcoin. Atlanta refused. The final tally isn’t known but it is widely expected that the city’s recovery effort will cost upward of $17 million. Law enforcement agencies and the FBI strongly urge not paying the ransom for the obvious reasons: If it works, they’ll keep doing it.
Lesson Two: Technology alone can’t fix it. The response after an attack is often predictable. An IT exec gets fired. A security company is hired. The pocketbooks open up for massive spending on higher levels of security. Here’s the issue: The very best network gear will only stop 90 percent of malware from getting inside your network. Open source malware accessible to any enterprising hacker on the Dark Web, coupled with the growth of the Ransomware as a Service (RaaS) model, is contributing to explosive growth of malware, making it harder for systems and software to keep up.
Couple that with the fact that analysis of penetration tests in the healthcare industry (bit.ly/2kdMblW), for example, shows anywhere from 7.5 to 30+ percent of employees will click on a phishing or impersonation scam email.
Lesson Three: The danger is already in the house. Strong technology and IT staff are essential, but – on their own – not enough. The root cause of every cyber attack is an authenticated user doing something they shouldn’t or not doing something they should: Violating a policy, opening an email, clicking on a link, downloading something they shouldn’t, or going to a website they shouldn’t. The best malware in the world is worthless if attackers can’t get it into your business. One training or email to alert your staff isn’t going to do it either. Companies talk about sales all the time. Because it is important. Security must be equally important and get equal time.
Lesson Four: Small actions have big results. A culture of security works. The Wall Street Journal reported how the small city of Lubbock, TX, was able to stop a ransomware attack in its tracks. (on.wsj.com/2kdHYP8) People often know when they’ve done the wrong thing – clicked on a download that didn’t seem to do anything, for example – but do they feel comfortable telling someone and risking discipline or loss of status at work? They will if you create a culture that rewards that action, rather than punishing it. Phishing emails are good and getting better. That’s why they work. In the Lubbock situation, the IT staff was alerted immediately and did a very simple thing, very fast: they isolated the infected computer from the network. That stopped the propagation of the malware from one device to the entire network and, potentially, the community.
Lesson Five: Cyber insurance is not a substitute for preparedness. The devil is in the details, especially in insurance policies. Whether or not your cyber policy covers you depends on a lot of details and definitions deep in the small type. The National Law Review cites several examples of the evolution of cyber insurance and the court cases that have ensued (bit.ly/2lu76kV). Not all policies protect all situations and there may be requirements that your company must adhere to that can obviate your claim. For example, one case involved a company that had sensitive information exposed (“published” in insurance-speak) by a third-party vendor on an unprotected server. The court found that the insurer was not responsible for paying this claim because the client was not insured for the actions of a third party. Insurance is a part of your arsenal, but you need to make sure your policy addresses your specific vulnerabilities.