With ransomware commonly entering state and local IT networks through phishing emails, employees must learn to spot social engineering scams, a new report says.
The most common way ransomware gets into local networks is through low-tech phishing emails, so social engineering awareness training is essential, a recent report said.
As many smaller municipalities hold citizens’ personal information and are not equipped to counter sophisticated attacks, they remain ideal soft targets for criminals, security awareness training provider KnowBe4 wrote in the latest edition of its report on the economic impact of cyberattacks on municipalities. Of the publicized ransomware attacks in 2021, nearly half targeted the government, education and health care sectors.
On top of the massive financial burdens caused by ransomware, the company found that phishing attacks frequently result in exposure of sensitive data and information, denial of access to public services and lost credibility among citizens and stakeholders.
Ransomware costs the U.S. economy approximately $20 billion per year, and once an attack occurs, escaping fiscal damage is virtually impossible. Municipalities have two options: pay the ransom or bear the recovery costs. Because organizations are advised not to give in to ransom demands, the choice is difficult, as the cost of recovery often vastly outweighs what the attackers demand.
When human error led to Atlanta being hit by ransomware in 2018, the attackers demanded $55,000 in bitcoin. The city refused to pay, and its recovery costs were estimated at about $17 million. Similar scenarios played out in Baltimore, Denver and New Orleans.
Ransomware that locks residents and staff out of devices, or blocks access to files until the ransom is paid, is also extremely disruptive. Coveware reports that in Q3 of 2021, ransomware victims faced 22 days of business interruption on average. When their systems are locked, cities can lose access to public safety agencies, information services, public utilities and more.
Underfunding is a major culprit in insufficient cybersecurity, but security awareness training is imperative, the report said. Many attacks are the result of phishing emails, and without initiatives to improve awareness and identification of these threats, state and local government employees remain vulnerable.
“Without proper security awareness training and education along with necessary funding to combat such social engineering threats, municipalities are left defenseless against cyberattacks that could be prevented,” KnowBe4 CEO Stu Sjouwerman said. “In recent years, many healthcare, law enforcement, higher education institutions and other critical services have had to literally pay the price, sometimes in the millions, to overcome ransomware attacks.”