“There are only two types of companies: Those that have been hacked, and those that will be.”, 

Robert Mueller, FBI Director, 2012

Executive Summary

In 2018, many municipalities in North America fell victim to cyber-attacks, and in particular ransomware. This study reviews two municipalities, Atlanta, Georgia, and Wasaga Beach, ON whom both were impacted as a result of a malicious attack on their networks.

Atlanta

Atlanta (pop. 486 000) was hit in March 2018 with a cyber-attack through ransomware. A ransom of $51 000USD was demanded but not paid. Over the next few days, critical systems and activities were taken offline as city staff struggled to regain access to systems. Impact included:

·       Public Wi-Fi disabled

·       30 mission critical applications disabled

·       8 000 employees were unable to access their email or networks for days

·       Citizens were unable to pay fines or parking tickets

·       Forms had to be completed by hand as systems restored

·       Many official documents were not recoverable

Final tally was close to $10 Million, including costs for additional contractors, system upgrades, new technology and computer replacement.

Wasaga Beach

Wasaga Beach (pop. 21 000) was hit in April 2018 with a similar type of ransomware attack. Initial demand for close to $150000 was reduced to  $35 000 and paid by the municipality. Despite this, the town was impacted for weeks even with recovery efforts. 

Impacts included:

• Government data inaccessible for weeks
• Systems had to be re-imaged and rebuilt
• Payroll systems hampered

Final tally close to $252 000, including $50 000 for consulting,  $160 000 for lost productivity and overtime, system upgrades, new technology and computer replacement. Some costs carried into 2019 Budget Year.

How to be Prepared in Your Municipality

While Atlanta and Wasaga Beach are different sizes, they both suffered similar negative impacts due to a malicious attack, and having inadequate preparation for the type of attack that hit each separately.

Being prepared begins with a proper security risk assessment and review of the security practices and processes currently in place. Assessments should typically review such areas as:

• Technology in place for security controls
• Policies and standards related to Information Security
• Training and awareness in place with staff
• Incident Response plans
• Disaster Recovery Plans 

Municipalities should also consider:

• Training for IT staff on cybersecurity
• Cyber Insurance
• Testing and training of staff on cybersecurity issues
• Use of third parties with cyber specialization to complement skillset of internal team.

Conclusion

Cyber Attacks can be indiscriminate and attack all levels of companies including municipalities large and small. However they can also target municipalities, due to limited IT budgets, strained technical resources and small if any dedicated security personnel.

Municipalities should take proactive measures to prepare for cyber-attacks and reduce the impact and likelihood of financial costs and loss of services.

“The effectiveness of one’s security program belongs to those who see the possibilities
before they become obvious.”, Michael Castro, 2018

RiskAware is a boutique Cybersecurity firm, specializing in Security Governance and Strategy, assisting organizations of all sizes with security and risk advisory services and security-on-demand capabilities.

RiskAware can be contacted at [email protected] or visited at www.riskaware.ca