Preventing ransomware attacks with zero trust
- By Morten Brøgger
- Sep 30, 2019
So far this year, over 50 cities have been struck by ransomware attacks that took down their systems for days or even weeks while leaders decided whether to pay the attackers or rebuild their systems. As services were suspended and critical functions slowed to a halt, many town halls yielded to the hackers' demands.
State and local governments are ripe targets for all types of cyberattacks. A survey by the International City/County Management Association (ICMA) found that just 34% of cybersecurity professionals said the average staff member was “moderately aware” of cybersecurity best practices. Allentown, Pa., for example, was hit by malware after one employee took a work laptop on vacation. The laptop missed a security upgrade designed to block phishing malware and became infected when the employee clicked on a malicious email. When the staff member returned to work, the virus spread and shut down the entire city.
Small and mid-sized cities have emerged as a particularly enticing target for hackers; they are simultaneously more likely to pay a ransom and less likely to have a large IT department with the resources to stop an attack. As a result, the ICMA found that 60% of U.S. cities have been subject to daily cyberattacks in 2019.
For smaller cities and municipalities, the risks are compounded by an aging digital infrastructure that is often cobbled together over the years, and these legacy systems are now being targeted by sophisticated malicious actors from around the world.
Many organizations, fearful of becoming the next victim, are purchasing cyber insurance policies to cover potential losses. Unfortunately, those policies often make municipalities more enticing targets as many insurance companies prefer to pay ransoms rather than covering costly system rebuilds.
Reducing ransomware risks
Despite these challenges, local governments can start minimizing their risk with a zero-trust framework, which assumes that anything inside or outside of a corporate network -- including data, devices, systems and users -- is a security risk and must be checked and verified before being granted access. For cities, zero trust has an advantage over other security measures because it doesn’t require pricey tech upgrades that may be outside budget constraints. It acknowledges the inherent risks posed by human error -- and offers a specific and fixed solution.
The first step to adopting zero trust is auditing all IT systems, determining what devices are connected, who has access and what security protocols are in place. For cities, where operational silos can be particularly severe, this means understanding the security practices across every department. Once a baseline of current products and practices is established, a zero-trust framework can be implemented.
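The audit described above boils down to three questions: what is on the network, who can reach what, and are the baseline protections in place. The following script is an added illustration, not code from the article or from Wire; all lease lines, inventory entries, access lists and department mappings in it are constructed. It compares observed devices against an approved inventory, flags hosts whose last patch is older than the allowed window, and reports accounts holding access beyond what their department needs, which is the list of deviations a zero-trust rollout would start from.

```python
"""Baseline audit helper (added example, not from the article).

Builds a simple baseline of what is on the network and who can reach what,
then reports the deviations a zero-trust rollout would start from:
  - devices seen on the network that are not in the approved inventory
  - approved devices whose last patch date is older than the allowed window
  - accounts holding access to systems outside their department's need

All input data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed DHCP-style lease lines: "<ip> <mac> <hostname>"
LEASE_LINES = """
10.20.1.15 aa:bb:cc:00:00:01 finance-ws01
10.20.1.16 aa:bb:cc:00:00:02 finance-ws02
10.20.3.40 aa:bb:cc:00:00:09 clerk-laptop03
10.20.9.77 de:ad:be:ef:00:01 unknown-android
""".strip().splitlines()

# Constructed approved inventory: hostname -> (department, last patch date)
INVENTORY = {
    "finance-ws01": ("finance", date(2019, 9, 20)),
    "finance-ws02": ("finance", date(2019, 6, 1)),   # deliberately stale
    "clerk-laptop03": ("clerk", date(2019, 9, 25)),
}

# Constructed access list: user -> set of systems the account can reach
ACCESS = {
    "alice": {"finance-ws01", "payroll-db"},
    "bob": {"clerk-laptop03", "payroll-db"},   # clerk holding payroll access
}

# Constructed mapping of which systems each department legitimately needs
DEPARTMENT_SYSTEMS = {
    "finance": {"finance-ws01", "finance-ws02", "payroll-db"},
    "clerk": {"clerk-laptop03", "records-db"},
}
USER_DEPARTMENT = {"alice": "finance", "bob": "clerk"}

MAX_PATCH_AGE_DAYS = 30  # assumed policy window for this example


@dataclass(frozen=True)
class Finding:
    kind: str      # unknown_device | stale_patch | excess_access
    subject: str   # hostname or account the finding is about
    detail: str


def parse_leases(lines):
    """Parse lease lines into (ip, mac, hostname); malformed lines are skipped
    rather than aborting the whole audit."""
    devices = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, mac, host = parts
        devices.append((ip, mac.lower(), host))
    return devices


def audit(lease_lines, inventory, access, user_department, department_systems, today):
    """Return the list of deviations from the approved baseline."""
    findings = []
    # 1. What is connected, and is each device known and patched?
    for ip, mac, host in parse_leases(lease_lines):
        if host not in inventory:
            findings.append(Finding("unknown_device", host,
                                    f"{ip} ({mac}) not in approved inventory"))
            continue
        _dept, patched = inventory[host]
        age = (today - patched).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(Finding("stale_patch", host, f"last patched {age} days ago"))
    # 2. Who has access, and does it exceed the department's need?
    for user, systems in access.items():
        allowed = department_systems.get(user_department.get(user, ""), set())
        for system in sorted(systems - allowed):
            findings.append(Finding("excess_access", user,
                                    f"has access to {system} outside department need"))
    return findings


def run_default_audit():
    """Run the audit over the constructed data as of 2019-09-30."""
    return audit(LEASE_LINES, INVENTORY, ACCESS, USER_DEPARTMENT,
                 DEPARTMENT_SYSTEMS, date(2019, 9, 30))


if __name__ == "__main__":
    for f in run_default_audit():
        print(f"{f.kind:15} {f.subject:15} {f.detail}")
```

Run as-is it reports one stale workstation, one device nobody approved, and one account with access outside its department. In a real deployment the three constructed inputs would be replaced by the DHCP or switch lease export, the asset register and the directory's group memberships, and the output list becomes the worklist for the first zero-trust changes.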
Because it assumes a worst-case scenario, zero trust also encourages the adoption of comprehensive contingency planning. If a city suffers a ransomware attack, it must not only have a plan for continuing essential operations, but also strategies for internal communications so employees do not turn to less secure channels -- such as personal email -- to stay informed, thereby exacerbating the risk.
Zero trust is particularly suited to the challenges of local governments because it addresses cyber risk within a broad framework that ensures all actors within a system -- IT departments, administrators and non-technical employees -- understand and engage with cyber issues. This approach not only helps mitigate risk, but it also ensures that the entire local government infrastructure is invested in a stringent policy to prevent a successful attack.
A people-centered approach
As the Allentown case illustrates, just one errant employee can cause a systemwide failure. To begin implementing a zero-trust framework, agencies must teach every person with access to government systems -- including contractors -- basic security practices. Mandating base-level practices such as regular password changes and prompt software updates will ensure that low-level vulnerabilities are minimal. Additional critical cybersecurity education should include training employees to recognize phishing emails, which are the root cause of 91% of ransomware attacks.
With bring-your-own-device policies now ingrained in many agency workplaces, employees and contractors must understand how to protect these devices and the network. An employee connecting a smart speaker to the Wi-Fi network, for example, should make sure that the device is password protected and doesn’t store any information in HTML.
Finally, local administrators -- such as the city council -- should be fully aware of the risks presented by poor cyber hygiene. A thorough audit of existing digital infrastructure will not only help town hall understand the status quo, but also reassure those responsible for budgeting of the wisdom of cybersecurity investment, especially if protections have been long underfunded in an attempt to control costs. Laying the foundation for a cyber risk management program will ensure that every dollar is used effectively. Zero trust provides the best framework to inform, prepare and lessen the risks associated with ransomware, insider threats and sophisticated cyberattacks.
Morten Brøgger is CEO of Wire, which provides an enterprise-grade, end-to-end encrypted collaboration platform.