Cracks in the Castle Walls: Cybersecurity a Growing Concern for Municipalities
Data Backup, Employee Training are Key to Protection
By Meagan M. Wellbrock, CPA
In old ways and new, cybercriminals are on the hunt with a mission of wreaking havoc in your personal and professional life. Municipalities are not immune to the threat. Recently, 22 small towns in Texas fell victim to a coordinated cyberattack. Computer systems in these communities were hacked, seized, and held for ransom. The result? Day-to-day tasks either came to a screeching halt or the municipal agencies had to take a step back in time from electronic means of doing business to pencil and paper.
What is Ransomware?
This type of cyberattack has been around for a while and is often referred to as ransomware. According to the Cybersecurity and Infrastructure Security Agent (CISA), “Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.”
In other words, cybercriminals plant malicious programs that can infect computers by prompting you or someone in your organization to click on a link which then allows the ransomware to attach itself to the computer and infect your server. At that point, your data is encrypted – or locked up – and the only way to get it decrypted is to pay the ransom demanded by the cybercriminals.
Even when victimized organizations pay the ransom, there is no guarantee that the cybercriminals will decrypt the data. Remember the old saying about “honor among thieves?” There is none.
The threat of a cyberattack within local government entities is both very possible and extremely challenging. So far, we’ve seen attacks in forty municipalities this past year including Baltimore, Atlanta, Albany, and Laredo. Lake City, Florida paid the $460,000 ransom demand in the cryptocurrency Bitcoin because officials believed reconstructing its system infrastructure would cost more than the ransom. Either way, you have to pay to resolve the issue (by hiring a vendor or by paying the ransom) and deal with the public relations nightmare afterward.
Some organizations back up their data frequently enough that if it were held for ransom, they could decline to pay and simply recover the data from the most recent backup. But that requires an investment in backup systems.
Keys to the Castle: Audit Report Transparency
This type of attack may be moving downstream to smaller municipalities. One of the towns impacted by the recent attack, Wilmer, Texas, has a population of about 5,000. Cities, counties, states, townships, school districts, and other municipalities must be on alert to this growing threat.
Ironically, the requirements of public record laws can make some municipalities more tempting targets for cybercriminals. For example, the audit report issued after your municipality’s required audit is public record and can yield information about your municipality’s cash balance. Cybercriminals who obtain your audit report can learn the exact amount of taxpayer money you have on-hand and could use this as a factor in determining whether to hit your municipality. Municipalities also have records containing sensitive personal information about taxpayers and constituents that cybercriminals would love to access.
How to Protect Your Municipality – and Taxpayers
Though audits and audit reports are mandatory, let’s discuss some steps you can take to help protect your taxpayers.
- Invest in IT infrastructure. During your next budgeting process, make sure cybersecurity is incorporated. Budgets are tight, but cybersecurity is too important to be swept under the rug.
- Back up your data. Perform backups frequently so your data can be restored once the issue is resolved. Also, consider secure ways to move some data to the cloud for safe access and easy recovery.
- Remain up to date with computer system patches. “Patching” means to update your system to fix known bugs and security vulnerabilities. This must be done at least monthly. It’s not a “set it and forget it” thing.
- Provide cybersecurity training to all municipal employees. Every employee with an email account provides a potential entry to your system for a cybercriminal. Train employees in good password practices, how to recognize “phishing” emails, and the dangers of clicking on popups and online ads, among other issues. Cyberattacks nearly always start by clicking something you shouldn’t.
- Double-check the from, to, date, and subject sections in emails you receive. Is the email from someone you ordinarily communicate with? Is the request out of the ordinary? Are you cc’d on something strange or included with a mix of people you don’t know? Is there an attachment you weren’t expecting? If any of these categories seem out of the ordinary, the email could be malicious.
- Look into cyber insurance. Though cyber insurance is becoming an in-demand product, municipal governments may have difficulty funding it.
Are there cracks in the castle walls?
Cybersecurity represents a growing area of risk for municipal governments as well as private businesses. Proper planning, training, and preparation are key to defending your municipality’s integrity, safeguarding your constituents’ data and taxpayer dollars and keeping cybercriminals at bay.
Meagan Wellbrock, CPA, Partner, leads Adams, Brown, Beran & Ball, Chtd.’s Audit & Attestation (A&A) Service Line. In addition to extensive research and analysis on emerging technologies in the A&A space, Meagan has over 10 years of public accounting experience. She is also Lean Six Sigma Green Belt certified. Meagan was awarded the prestigious AICPA/KSCPA Woman to Watch Emerging Leader Award in 2015 and graduated from both the AICPA Leadership Academy and the KSCPA “20 up to 40” leadership program. For more information, visit www.abbb.com or contact her at email@example.com.