Baltimore; Albany, New York; Lake City, Florida; 22 cities and towns in Texas. These are just a few of the 40 municipalities that have been hit by ransomware attacks this year alone. That doesn’t take into account attacks on airports (Cleveland), state departments (Colorado DOT), and school districts (Syracuse, New York; and 12 others in one two-day period last week).
According to Symantec, ransomware is now the “weapon of choice” not just for hackers and crackers, but for nation-states trying to obtain capacity-building funding. That’s because it works. GovTech, a website focusing on government technology issues, reports that the financial toll of ransomware is exploding: In 2017, targets paid $5 billion, 15 times the tab in 2015. And the 2019 damages are expected to hit nearly $12 billion.
Here are some lessons to be learned by both businesses and municipalities.
Lesson One: Not paying the ransom is costly but right
The U.S. Council of Mayors recently agreed unanimously to a policy that municipalities across the country would NOT pay extortion in the form of ransomware to hackers (bit.ly/2knh47l). That’s a lofty goal and only time will tell if it’s a sustainable position. But municipalities also need to accept that ameliorating a ransomware attack is often far more costly – and certainly more time-consuming – than the ransom itself. In March, Atlanta was hit with a ransomware attack that took out systems from the police department to the libraries, and, of course, the busiest airport in the U.S. The attackers asked for $50,000 in bitcoin – Atlanta refused – and while the final tally isn’t known, the city’s recovery effort will cost more than $17 million.
Lesson Two: Technology alone can’t fix it
The very best network gear will stop only 90% of malware from getting inside your network. Open-source malware accessible to any enterprising hacker on the dark web, coupled with the growth of the “ransomware as a service” (RaaS) model, is contributing to the explosive growth of malware, making it harder for systems and software to keep up.
Lesson Three: The danger is already in the house
Strong technology and IT staff are essential, but – on their own – not enough. The root cause of every cyberattack is an authenticated user doing something he shouldn’t or not doing something he should: violating a policy, opening an email, clicking on a link, downloading something he shouldn’t, or going to a website he shouldn’t. Companies talk about sales all the time because it is important. Security must be equally important and get equal time.
Lesson Four: Small actions have big results
A culture of security works. The Wall Street Journal reported how the small city of Lubbock, Texas, was able to stop a ransomware attack in its tracks (on.wsj.com/2kdHYP8). People often know when they’ve done the wrong thing, but do they feel comfortable telling someone and risking discipline or loss of status at work? They will if you create a culture that rewards that action, rather than punishing it. In the Lubbock situation, the IT staff was alerted immediately and did a very simple thing, very fast: They isolated the infected computer from the network.
Lesson Five: Cyber insurance is not a substitute for preparedness
The devil is in the details, especially in insurance policies. Whether or not your cyber policy covers you depends on a lot of details and definitions deep in the small type. The National Law Review cites several examples of the evolution of cyber insurance and the court cases that have ensued (bit.ly/2lu76kV). Not all policies protect against all situations, and there may be requirements your company must adhere to; failing to meet them can invalidate your claim. Insurance is a part of your arsenal, but you need to make sure your policy addresses your specific vulnerabilities.