The answer may be too simple. Municipalities are an obvious target, full of competing priorities, and short on resources.
Municipalities must maintain vital services – health, education, and utilities to keep our communities operating, to keep local economies humming, and our constituents safe. When essential services fail, our lives grind to a halt, and the media kicks in — placing pressure on our elected officials to reward the bad guys.
The New Hampshire Municipal Association may say it best:
“By law, the government must be transparent. While the open government has made access to public records and information easier for citizens, it has also made it easier for cybercriminals to exploit public systems that contain sensitive information. Because local governments maintain sensitive personally identifiable information, they have a fiduciary duty to safeguard that information.”
The same report found the average breach costs municipalities between $665,000 and $40.53 million. Ransomware remains the most common attack because of the financial benefit and the low cost to the attacker. The average ransom demanded by cybercriminals from 2013-2020 was $835,758.33. Accurate statistics on actual amounts paid remains a bit allusive, but we know it is significant.
Emergency Services and Utilities. What if your 911 system was taken offline or you were denied access to your land mobile radio (LMR)? Emergency services could not respond. That is the truly scary stuff.
What if public services like electricity and sanitation were not available because the systems were offline. The average downtime from common cyber-attacks is is 9.6 days
Fortunately for you, CISA (CISA) has the Emergency Services Sector Cybersecurity Initiative.
A select experience.
Talon Cyber Tec LLC assessed the risk of a medium sized municipality. During the assessment we learned law enforcement, city council, and private citizen information was comingled. Numerous vulnerabilities existed from poor cyber hygiene. A single incident could simultaneously disrupt law enforcement, disclose private citizen information, and limit the municipalities ability to respond. Working with the municipality we were able to implement a defense in depth strategy, along with cost effective improvements that dramatically raised the cyber maturity. Basic architectural changes, strongly limited the blast radius.
What five things can my municipality do today?
The worse kept secret in Cyber Security is most breaches (some say 98%) would have been prevented through well-known mechanisms.
1. Ensure you are running current versions of software and patches are applied regularly.
2. Use Multi-Factor Authentication (MFA).
3. Back-Up daily and Test Your back-ups.
4. Manage user access controls and privileges (e.g., passwords changed regularly)
5. Awareness Training.
If you do nothing else, pay attention to that last one. Almost all breaches require a valid user to do something they should not. Making matters worse, it takes practically no work on your part and has the highest Return on Investment (ROI). Surveys have found about 60% of municipalities have little or no meaningful cybersecurity training programs.
What resources are available?
There are some excellent publicly available resources available.
- Cybersecurity and Infrastructure Security Agency (CISA)
- Center for Information Security (CIS), Local Government Information Sharing and Analysis Center (ISAC)
- CISA, Stop Ransomware
Municipalities are not only resource constrained but they also have a large breadth of essential services to protect. Fortunately, you have a robust set of resources at your disposal from the federal government. Unfortunately, in can be overwhelming to navigate and even harder to prioritize. Feel free to reach out for a free consultation.
 Barracuda Networks, https://www.barracuda.com/
 “The Economic Impact of Cyber Attacks on Municipalities,” KnowB4, https://www.knowbe4.com/
 Coveware Q2 Ransomware Marketplace Report