COVID-19 disruptions rapidly changed both the IT landscape for cities and towns as well as the associated technology risks. Not only were municipal councils suddenly conducting meetings by videoconference using home internet connections, but also many employees were working from home. This combination of events significantly increased the vulnerability of cyberattacks since users were connecting to municipal servers by using personal devices.
Hackers, meanwhile, lost no time taking advantage of the coronavirus situation. Security company Barracuda Networks counted 137 email phishing attacks related to COVID-19 in January, which exploded to 1,188 in February and 9,116 in the first three weeks of March. The scams involved topics like coronavirus cures, face masks, fake charities or investments in vaccine development.
A phishing attack involves emails from what appear to be trusted senders as a way of gathering sensitive information, such as login credentials. Once hackers use this information to break into a city's computer system, they might encrypt the city's files or its entire computer system. The cybercriminal can then demand a ransom through the untraceable Bitcoin cryptocurrency to restore access. Beyond losing access to records and files, a city could also lose access to its email and phone systems.
Local governments can and do pay the ransom sometimes. Some examples from 2019 include ransoms ranging from $400,000 to $600,000. The City of New Orleans, LA caught an attacker relatively early in the process and did not pay, but still wound up with $7 million in damages.
Be ready for email attacks
Cities and towns can take steps to make their operations safer, with training to help staff identify incoming phishing attempts at the top of the list. Hackers can pull organizational information from a city's website or social media to create an email address that looks as though it's coming from a high-ranking member of staff or council. Emails are then sent with a virus as an attachment or link, or the email includes a request for sensitive information. Things for municipal officials and staff to watch out for include
- urgent language that demands or encourages immediate action,
- failure to address the recipient by name,
- email addresses with the wrong domain name, or which otherwise don't match up with the supposed sender's actual email address,
- unexpected email attachments,
- links with unknown or suspicious destinations, and
- large numbers of typos or grammar errors.
Technology staff and others can help with training by showing users the text of actual incoming emails identified as phishing attempts. Users should be trained and encouraged to send all suspicious emails to the IT department for evaluation. Some departments stage drills with dummy phishing attempts as a way of encouraging vigilance and identifying training needs.
If a city does experience a cyberattack and cannot conduct regular business, municipal officials can face the difficult choice of whether to pay the ransom or rebuild from nothing if the city does not have adequate data backups. Data backups offer a less painful way to rebuild, although it still costs resources and significant delays in getting operations running again.
Data backups and the appropriate infrastructure can be handled through an IT contractor or the municipal staff. If a city handles its own nightly backups, the data should be stored offsite, or at least in a physically separate location from wherever the primary copies of data are located.
Cybersecurity is a frequent meeting topic for the Municipal Technology Association of South Carolina. Find materials from past meetings online.