A cybersecurity breach is a tough scenario for any city manager.
Imagine receiving a call early in the morning to learn that in one of the city’s departments, a large number of computer files — items necessary for the day-to-day operations of that department, if not the overall city — are now encrypted by an unknown party and inaccessible.
IT staff and leadership are now working to determine the extent of the cybersecurity breach. Potentially, hackers are already anonymously communicating with the city, seeking a ransom payment in exchange for releasing the systems and files.
Cybersecurity processes can help prevent these scenarios — antivirus software, two-factor authentication, strong and frequently changed passwords, and regularly scheduled, air-gapped system backups. Staff training can help as well. Even so, cybersecurity breaches are common enough that a threat is likely to get past the defenses eventually.
This is the moment when the municipality’s processes and leadership will be put to the test to determine the scope of the problem, what’s going to be done next and how anyone whose data was breached may be notified. Leadership must also figure out how the city will restore its systems — a process which can easily take months — and how to maintain operations in the meantime.
Desirée Fragoso, now a Field Services manager with the Municipal Association of SC, as well as Allison Gantte, deputy city manager for the City of Clemson, have both experienced the process of navigating a cyberattack. They shared their experiences during the Association’s first-ever Risk Management Services Conference in August.
In her Field Services work, Fragoso said she has emphasized to cities that no matter their size and computer sophistication, they need to dedicate time and resources to cyberattack preparations.
“There are very simple solutions that folks really should think about, because you never think it’s going to happen to you. It happens so frequently nowadays. They’re [cyber criminals] getting very sophisticated, and it’s pretty scary, she said.
Given that her expertise isn’t in IT, she spoke of the importance of working with a cybersecurity firm to manage a breach.
“I found that so incredibly helpful, finding somebody that can speak that language in a way that you can understand and explain it, made us feel very secure, you know, ‘here’s what we’re going to do,’” she said.
Gantte emphasized that leaders need to communicate to their staff why security measures like password requirements, internet restrictions and ongoing training are in place, and the negative outcomes they help prevent.
With computer systems disrupted, “our water and sewer systems can go down, and people can’t flush their toilets. Our officers won’t be able to get into their systems,” she said. “Really understanding the impact that it can make will hopefully make them think twice before they click a [possibly malicious] link.”
The City of Clemson requires “every employee to bring in their laptop at least once a week, to connect to our network to obtain the updates and security,” she said. “And we don't allow any outside devices to connect to our internal network. If you come present before council, you have to bring your own hotspot. We are not allowed to connect any of our devices to any [unknown] networks.”
The SC Law Enforcement Division’s SC Critical Infrastructure Cyberreality initiative has built resources for cyber threat intelligence and cybersecurity practices, found online. Its offerings include IT security assessments, cyber threat intelligence, and security training and awareness exercises for governmental services. It also provides these entities a means of reporting cyber incidents to SLED and the SC CIC Task Force.
The SC Municipal Insurance and Risk Financing Fund offers the eRiskHub as a member resource for cybersecurity training and ransomware resources.