
From wargames to insurance: Cities urged to revisit resilience strategies amid ransomware “new reality”

A new report from Deloitte addresses whether to pay ransom, cyber-insurance, skills and more.


Cyber-criminals are targeting state and local governments more frequently, expanding their attack base and asking for more money, warns a new report from Deloitte’s Center for Government Insights.

A focus on resilience is key, says the report, Ransoming Government: What state and local government can do to break free from ransomware attacks.

"State and local governments should live and plan with the reality that their critical systems and data will be attacked," said Srini Subramanian, principal, Deloitte & Touche. "Even with cyber-insurance and preventive measures in place, the growing frequency and sophistication of attacks calls for government entities to perform cyber-health checks and revisit resilience strategies."


"The effort more than pays off," he continued. "Governments can be better positioned to defend against catastrophic events that are expensive to recover from and could impact public safety and trust."


Attacks on the increase

In 2019 alone, governments reported 163 ransomware attacks with more than $1.8 million in ransoms paid and tens of millions of dollars spent on recovery costs, representing an almost 150 per cent increase in reported attacks from 2018, according to the report.


The city of New Orleans declared a state of emergency in December following a cyber-attack. Other municipalities targeted included Baltimore, Riviera Beach, New Bedford, and Atlanta in 2018. Outside the US, the city of Johannesburg in South Africa was hacked in October 2019.


Research last year from specialist security firm Coveware found that criminal enterprises are demanding nearly 10 times as much in ransom from public sector organisations as commercial entities.


To pay or not to pay?


Deciding whether to pay a ransom demand is a difficult decision for cities, and the report noted that while refusing may be the "principled" option, it can also work out to be far more expensive.


Last year, the US Conference of Mayors passed a resolution urging cities not to pay assailants after cyber-attacks. However, some cities have opted to cough up.


Lake City in Florida, for instance, agreed to pay $460,000. It had cyber-insurance that covered the payment itself, leaving the city with only a $10,000 charge. Leaders of Riviera Beach, also in Florida, voted to pay almost $600,000 in ransom to hackers who had paralysed the city’s computer systems. Larger cities, such as Baltimore and Atlanta, refused to pay ransom but the cyber-attacks are expected to ultimately cost them millions. For example, Baltimore refused a $76,000 ransom demand but faced $18 million in recovery costs and lost revenues.


Some have called for legislative restrictions on ransom payments.


Deloitte’s report recommends mapping out scenarios in which cyber-insurance should be used in response.





The report outlines several key considerations for organisations to move forward in this “new reality”.

  • Smarter systems architecture: System upgrades could be key, with the report noting that many state and local governments have deferred IT modernisation, which leaves them “with increasingly vulnerable networks and systems”.

  • More prepared workforce: Governments should look to creative staffing approaches to train, retain and share more qualified cyber-talent, and foster private-public-higher education partnerships related to cybersecurity.

  • Better ‘cyber hygiene’: Attention to details such as timely software patches and updates, regular system back-ups and training for all staff can help to reduce risk. Organisations are also urged to compartmentalise data and develop “air-gapped” system back-ups to limit the scale of a breach.

  • Cyber-insurance: Deloitte said the use of cyber-insurance can be an effective strategy for governments to contain the cost of attacks but cautions: “Those that use cyber-insurance to fund ransom payments may unwittingly increase the incentives for criminals by increasing the likelihood of a big payday. Build scenarios for when to leverage cyber-insurance.”

  • Rehearsed response: Governments should practise responding to cyber-incidents with ‘wargames’ and simulations, Deloitte said. Business programme leaders should be involved so they understand the threats and their roles in response and recovery.

"Connected devices, digital systems and integrated data mean governments have the opportunity to serve people and communities like never before," added Deborah Golden, principal, Deloitte & Touche, and cyber-risk services leader.


"It also means there is a large surface for cyber-criminals to attack local governments and hold sensitive citizen data hostage. Government officials need to understand the risk involved if their systems and data were suddenly gone or rendered useless."

