A new report from Deloitte addresses whether to pay ransom, cyber-insurance, skills and more.
Cyber-criminals are targeting state and local governments more frequently, expanding their attack base and asking for more money, warns a new report from Deloitte’s Center for Government Insights.
A focus on resilience is key, says the report, "Ransoming Government: What state and local government can do to break free from ransomware attacks".
"State and local governments should live and plan with the reality that their critical systems and data will be attacked," said Srini Subramanian, principal, Deloitte & Touche. "Even with cyber-insurance and preventive measures in place, the growing frequency and sophistication of attacks calls for government entities to perform cyber-health checks and revisit resilience strategies."
"The effort more than pays off," he continued. "Governments can be better positioned to defend against catastrophic events that are expensive to recover from and could impact public safety and trust."
In 2019 alone, governments reported 163 ransomware attacks with more than $1.8 million in ransoms paid and tens of millions of dollars spent on recovery costs, representing an almost 150 per cent increase in reported attacks from 2018, according to the report.
The city of New Orleans declared a state of emergency in December following a cyber-attack. Other municipalities targeted included Baltimore, Riviera Beach, New Bedford, and Atlanta in 2018. Outside the US, the city of Johannesburg in South Africa was hacked in October 2019.
Research last year from specialist security firm Coveware found that criminal enterprises are demanding nearly 10 times as much in ransom from public sector organisations as commercial entities.
Whether to pay a ransom demand is a difficult decision for cities, and the report noted that while refusing may be the "principled" option, it can also work out to be far more expensive.
Last year, the US Conference of Mayors passed a resolution urging cities not to pay assailants after cyber-attacks. However, some cities have opted to cough up.
Lake City in Florida, for instance, agreed to pay $460,000. It had cyber-insurance that covered the payment itself, leaving the city with only a $10,000 charge. Leaders of Riviera Beach, also in Florida, voted to pay almost $600,000 in ransom to hackers who had paralysed the city’s computer systems. Larger cities, such as Baltimore and Atlanta, refused to pay ransom but the cyber-attacks are expected to ultimately cost them millions. For example, Baltimore refused a $76,000 ransom demand but faced $18 million in recovery costs and lost revenues.
Some have called for legislative restrictions on ransom payments.
Deloitte’s report recommends mapping out scenarios in which cyber-insurance should be used in response.
The report outlines several key considerations for organisations to move forward in this “new reality”.
"Connected devices, digital systems and integrated data mean governments have the opportunity to serve people and communities like never before," added Deborah Golden, principal, Deloitte & Touche, and cyber-risk services leader.
"It also means there is a large surface for cyber-criminals to attack local governments and hold sensitive citizen data hostage. Government officials need to understand the risk involved if their systems and data were suddenly gone or rendered useless."