Not If, but When: Cities Use Preparation and Training to Counter Cyberattacks

When the City of Newberry received ransomware letters a few years ago, asking for compensation to unlock the city’s computer files that had been corrupted, the IT department and city leaders were ready.

Newberry responded to the two attacks, believed to be from hackers in Russia and Poland, by immediately isolating the computer servers that had been breached, cleaning them and restoring the information with backup servers that are kept off-site. The city also contacted the authorities, including its police department and the U.S. Secret Service.

“Even though we had ransomware letters, we never once communicated with the ransomware people. We never emailed with them. We isolated, cleaned up, rebooted, reloaded, and in about six hours we were back online, 100%,” said Matt DeWitt, Newberry’s city manager. “When this happened to the City of Atlanta, they paid $20 million to have their computer files unlocked. That was the same group that attacked us.”

As news of cyberattacks garners headlines and cybersecurity issues dominate planning meetings, municipalities have worked to understand the importance of being prepared.

“In today’s world, there are many ways for a security breach to occur. It can come from lost equipment, passwords written down in plain sight, phishing and physical intrusions, to name just a few. This is one of the issues that keeps me awake at night. In most cases, it is not a matter of if you are attacked, but when,” said Tommy Sunday, the chief technology officer for the Town of Bluffton.

For municipalities, that means making sure both the systems and the city staff are kept up-to-date.

“Our IT department implemented a cybersecurity training program a few years ago that is required for all our end users. The human firewall can stop many of these attacks,” Sunday said. “Each quarter, we require anyone that uses a town email address to complete cyber training.”

The training includes topics ranging from email security and social media to incident reporting and internet use, he said. Bluffton also does a simulated phishing test with the staff many times a year to help them recognize illegitimate emails. 

While the best antivirus software and firewall equipment can help prevent various styles of attacks, nothing is perfect and some dangers will still get through those defenses.

“The end user is always the best firewall,” Sunday said.

Keeping those users updated and informed is key, said Jason Thomton, Town of Fort Mill information technology administrator and current president of the Municipal Technology Association of South Carolina.

“I’ve been doing this for 15 years, and you used to hear people say that security is an IT problem and not a user problem. As the security landscape has evolved, that’s not true anymore,” Thomton said. “You’re only as good as the weakest link in a chain.”

And that means it’s key to get users to buy in to the importance of recognizing possible hacks before they become a crisis.

“It’s so important to have a good relationship [with employees] where they can say, ‘I got an email’ or ‘I got a text message I thought was weird.’ Having that interaction is huge,” Thomton said.

Thomton said he shares headlines and articles explaining cyber threats, and flags staffers about things like bogus emails regarding gift cards, showing them how to better recognize threats.

“The majority of people aren’t tech people, but we need to make sure they understand,” he said. “Communications is key on how we are expected to handle things and how we get people to be more mindful of what you’re clicking on. It’s about communication and holding that line open all the time so they feel like they can come to you.”

As it did with many facets of the workplace, the COVID-19 pandemic broadened the number of topics IT directors have to think, and worry, about.

“When COVID hit last year, it seemed like every week our mail filtering system was being hammered with new types of phishing emails,” Sunday said. “With people working from home during that time, it was clear that the hackers were looking for new ways to try and compromise a system.”

Aside from keeping the end users educated, cities and towns also must make sure they are using the best software and technical procedures to prevent cyberattacks from creating major problems.

Sunday said that Bluffton, like many other municipalities, does on-site backups, cloud-based backups off-site, and bare-metal backups for all of its vital servers. While normal backups only back up data that is saved, bare-metal backups do a complete backup of the servers and their settings. That improves response time if networks are compromised.

“It is also very important to test your backups. We know they are there, and everyone gets those pretty reports each day saying that they backed up something, but when was the last time you took time to verify that what they are backing up is good data? This part could be the difference in keeping your job or updating your resume,” Sunday said.

Cities without strong backup systems can end up having major issues or being forced to pay the ransom in cyberattacks.

Without a backup system, “you’re fighting everything with one hand tied behind your back. You’re not in a position to withstand any type of adversity. If you have something crash, how do you get it back if you don’t know what’s on there or what’s lost?” Thomton said. “It’s the boring stuff that nobody thinks is exciting and fun. And it’s not. But it’s the boring stuff that’s important. Your documentation, testing your backups, those are the things that are gravely important. And in time of crisis, it can set up an IT team in a city for success or for failure.”

Along with off-site backups and communication with employees, cities are also adding measures such as two-factor authentication for all network users to further protect servers from being hacked. The SC Law Enforcement Division also offers an intrusion detection system at no cost to cities.

And even when a city does everything correctly and takes precautions, cyberattacks can still happen. 

“The message here is to be prepared. And we were prepared,” Newberry’s DeWitt said. “We have great IT people, we kept up with what was happening in the news, seeing that cyberattacks were more prevalent. We had team meetings to see how to prepare ourselves. The last thing we wanted to do was come in one day and find out all of our information was locked up.”

Still, in just the six hours Newberry was offline following each of the two cyberattacks, the city estimated it cost $17,000 in lost productivity, with staffers unable to do their jobs because they couldn’t access necessary information.

“So, it’s not to say it doesn’t hurt, but it could have been a whole lot worse,” DeWitt said. “We could have been bent over a barrel by these ransomware people.”