How Municipalities Avoid Ransomware

The dark side of technology—namely ransomware attacks—is now infiltrating self-insured municipalities.

In today’s insurance marketplace, the benefits of technology cannot be overstated; however, the dark side of technology—namely ransomware attacks—is now infiltrating self-insured municipalities. Ransomware attacks occur when criminals find a way into the organization, encrypt as much data as possible and then extort money from you to get your own data back. If the ransom is not paid, the criminals may delete your data altogether. There have been more than 170 ransomware attacks on U.S. state and local governments since November 2013, notes the technology security company Recorded Future. The costs to remedy these attacks are growing, and the belief that “it won’t happen to us” needs to be discarded. In March 2018, the city of Atlanta had more than a third of its systems paralyzed by a ransomware attack. Recovery took more than a year, with costs estimated at $17 million. Baltimore, after refusing to pay an $80,000 ransom at the advice of law enforcement, recently approved $10 million in emergency funding to recover from a similar attack that immobilized some of the city’s systems, and services such as water billing are still offline, according to reports. Smaller cities, such as Lake City, FL, are also not immune: Recently, city administrators paid hackers a ransom of 42 bitcoins, or roughly $426,000. See also: The Growing Problem of Ransomware   Self-insured groups and public entities such as municipalities are among groups that particularly vulnerable, because they:
  • Operate within a significant regulatory environment;
  • Have data that others could steal and monetize (personally identifiable information such as Social Security numbers, HIPAA-related information and credit card numbers;
  • Have data that is critical and necessary to conduct business.
For captive insurers, property and casualty and workers’ comp carriers, lapses in cybersecurity can even affect mergers and acquisitions. According to security firm Forescout Technologies Inc., 53% of more than 2,700 global businesses surveyed report a critical cybersecurity issue putting an M&A deal in jeopardy. “Unfortunately, it happens again and again to municipal systems that don’t have all the latest software, the latest protections or the highest-paid IT staffs,” Lee McKnight, an associate professor at Syracuse University’s School of Information Studies and an expert on cybersecurity, told USA Today. I believe McKnight’s comment minimizes the essence of how self-insured groups and public entities such as municipalities actually work, because it’s not all about the latest software or highest-paid IT staffers. And protecting your organization from a ransomware attack does not necessarily require expensive next-generation firewalls, intrusion prevention systems or “security as a service” systems. What it does require is common-sense due diligence, a clear line of responsibility for technology systems, a plan that holds all partners and vendors to the same security requirements, a secure cloud platform and, should the worst possible case occur, an incident response system. Even with those elements in place, it’s still important to assess your actual risk against a ransomware attack. Actual risk includes more than just data housed on a server; it includes reputational/brand risk and the impact of losing trust from partners/vendors and members/customers as a result of an attack. To assess your relative risk to a ransomware attack, consider your organization’s size, the number of cities and counties with which you do business and the cybersecurity measures your currently employ. Assess your own risk tolerance—the potential damage to your organization that hackers could inflict… and assess the cybersecurity countermeasures you currently have in place. When viewing your organization’s vulnerabilities in this way, it becomes clear that inaction is no longer an adequate response. See also: Ransomware Threat Growing for Phones   By creating a culture of alert self-monitoring, a plan that makes employee safety training and security safeguards a priority and a strategy that involves all stakeholders, including technology solution providers, you diminish your chances of being vulnerable to a ransomware attack.

Jim Leftwich

Profile picture for user JimLeftwich

Jim Leftwich

Jim Leftwich has more than 30 years of leadership experience in risk management and insurance. In 2010, he founded CHSI Technologies, which offers SaaS enterprise management software for small insurance operations and government risk pools.


Read More