Municipal cyber security on a shoestring
Municipalities are severely resource-constrained, but cyber attacks are a growing problem. Here’s what municipalities can do to mitigate risk on a budget.
The recent ransomware attack on a large local municipality – just the latest in a string of attacks on municipal systems around the world – serves as a harsh reminder that cyber criminals are upping their game.
Targeting any organisation where there is money or valuable data to be gained, even amateur cyber criminals are joining the fray.
For municipalities, which often hold a great deal of customer data but which may not have the most advanced IT infrastructures and security architectures in place, this should be cause for serious concern.
In the latest local incident, ransomware attackers demanded four Bitcoins – which they did not receive – but attacks elsewhere in the world have cost municipalities a great deal.
Lake City in Florida, US, paid $460 000 in Bitcoin to attackers in June, shortly after Florida’s Riviera Beach paid $600 000 in Bitcoin to attackers. In July, hackers demanded $5.3 million of the city of New Bedford, and in August, 23 cities in Texas came under fire in a coordinated attack.
The city of Cornelia in Georgia was attacked three times this year alone, and Atlanta in Georgia, US, spent a reported $2.6 million recovering from a ransomware attack last year, in which it also paid $52 000 in ransom.
The mounting ransomware costs are far from the only damage inflicted in these attacks – crucially, sensitive data is breached and key services are undermined. Should attackers target critical infrastructure, the outcomes could be disastrous. Mitigating the risks demands best practice cyber security and every advanced solution municipalities can muster.
Security best practice is one thing, but on-the-ground reality is often quite another. Many South African municipalities are currently so resource-constrained they can barely keep the lights on, let alone roll out extensive next-generation IT projects embedded with bleeding-edge cyber security solutions.
However, any organisation that is connected is at risk. This means South Africa’s municipalities, no matter how small and resource-constrained they may be, have to move to address vulnerabilities and mitigate risk within their constraints.
Where budgets are extremely limited, municipalities should:
- Prioritise cyber security: Cyber security spending should top the list of ICT priorities. Where new projects that control data or are Internet-facing are planned, security has to be embedded from the outset. Security also has to be a top consideration in DevOps, where data is used for development and testing in the cloud. If the budget does not cover the costs of adequate security in a project, the project should be rolled over to the next budget cycle when it can be accommodated.
- Properly maintain existing solutions: Ensure all software subscriptions and equipment are up to date. It is pointless having a firewall that is not being updated because the subscription was not renewed.
- Consolidate solutions: In many cases, municipalities have cyber security in place in the form of a number of point solutions. Consolidating these technologies into a single solution offering multiple features may reduce both the solution costs and the costs involved in running a complex environment. At the same time, a consolidated solution offers improved visibility and management of the environment.
- Improve backup and recovery procedures: Once ransomware has infected the system, the best measures are to detect it early and reinstall the system with up-to-date backups, especially on the endpoints. It is important to back up regularly, and to test the backups thoroughly for availability and integrity.
- Update incident response plans: In the event of a cyber attack, rapid response helps reduce the impact. Staff must be well versed in the incident response procedure. They need to know basics such as what procedures should be followed to contain the infection, the roles and responsibilities of all team members, and who should be notified.
- Outsource cyber security: IT security skills shortages are a global problem, and likely more pronounced in small municipalities. Instead of procuring costly and scarce skills, municipalities can appoint a consultant or security auditor to advise on a cyber security roadmap, or outsource all cyber security to experts.
- Focus on training and awareness: The easiest and most common way to penetrate a network is through e-mail. And even with heightened awareness, there are many instances where staff have to click on links or download attachments – such as when HR has to review applicants’ CVs. Sandboxing, backed by ongoing cyber security training and awareness, helps minimise this risk.
Doros Hadjizenonos is regional sales director at Fortinet. Hadjizenonos has specialised in the IT security field since 1998. Currently heading up the business for Fortinet in the SADC region, he has been involved in many roles in the IT security industry, from technical, management and sales at leading system integration companies, to owning successful distribution company VAD Africa. He holds BSc Electrical Engineering and MSc Electrical Engineering degrees, both through the University of Witwatersrand.