Canadian municipalities have become attractive targets for ransomware. They are government-funded, they often lack proper security capabilities, and they are easily convinced to pay up because the alternative is much more costly.
The City of Stratford, Ontario, learned this the hard way. In April 2019, cybercriminals hijacked part of the city’s computer servers, locking out several municipal employees. The attackers held sensitive data hostage and demanded money in return for the release of that information.
They were demanding 10 Bitcoins, which were each valued at $7,509 at the time. Even after the opening of an investigation by local and provincial police and attempts at negotiations, the city ended up paying $75,091 in total. It is still unknown if the police have made any arrests in connection with the case.
According to research from antivirus software provider Kaspersky, Stratford is one of the 174 North American municipalities that suffered ransomware attacks in 2019. This represents a 60 per cent increase over the previous year.
“We learned an awful lot about the vulnerabilities of our system, the software that we deploy and the hardware we give our staff,” said Dan Mathieson, mayor of Stratford and one of the panellists at ITWC’s MapleSEC virtual conference.
According to Abe Abernethy, regional director at the Municipal Information Systems Association (MISA), many municipalities remain unprepared for today’s cyber threats, with inconsistent software updates and weak IT departments.
Ransomware as a singular threat moved onto the agenda of municipal issues when it started costing money, Abernethy explained during the MapleSEC conference.
“IT was always a budget line,” Mathieson added. “As long as the emails came in and the systems ran, everyone was happy. Now, after having a cyberattack, you realize that your IT is as vulnerable as any other service you provide and that you can’t just leave it to a group of five or six staff members to manage. You need to have the best products because the hackers are out there using the best practices to get in.”
Mathieson thinks cities must regularly invest to ensure that their security software and penetration tests are up to date. Government entities should also provide cybersecurity training to promote good IT habits and educate employees about threats like phishing scams.
“It’s essential to stress the value in good training,” Abernethy said, noting that engaging, in-person training sessions are much more effective. “I’ve been guilty of implementing solutions that were like, go watch online videos for 20 minutes once every three months… I don’t think it works,” he admitted.
According to Mathieson, municipalities suffering ransomware attacks must be transparent and let people know what happened, especially if the incident has possibly compromised citizens’ data. “I try to do as many of these conversations as possible, raising awareness. We’ve gained lots of information out of these discussions. And I don’t think there’s a shame in admitting that you’ve had an attack.”
For John Millar, president at Digital Boundary Group, awareness at an organizational level is critical in preventing ransomware. “We’ve got to continue to get in there with the awareness of not only the issue but also explain what happened when people were effectively breached,” he said.
Mathieson agreed. “Cybersecurity education needs to be as fundamental, as regular and as vigorous as any of the other training we do going forward. I think that’s what’s going to keep us all safe, and that’s what’s going to define what the workforce of the future is for the government.”