The Growing Threat of Ransomware Attacks on the Public Sector
A sharp rise in public sector ransomware attacks across the U.S. has drawn considerable attention in recent years – and for good reason. Such attacks can cripple a public entity’s ability to conduct important operations or provide needed services to the community. They can also exact a huge financial toll.
“Ransomware is not a new problem, but it’s presenting a bigger challenge for public entities,” said Kirstin Simonson, Cyber Lead for Technology and Public Sector at Travelers. “Ransoms are trending significantly higher, often in the six-to-eight-figure range, and the costs to remediate the issue can be substantial.”
While ransomware, malicious software that locks up computer data until a ransom is paid, has been a threat for years, newer variants are able to infect entire networks and cause considerable damage. As a result, they often command exponentially higher ransoms. No public entity, no matter how large, small or remote, is immune.
Here are some measures you can take to help protect your data and ensure an effective response in the event of a ransomware attack at your public entity:
Back Up Data
A primary step is to back up critical data on a regular basis. Backed-up files can be quickly recovered, which can help to restore operations in the event of an attack. Be sure the backed-up data is stored on a separate offline device that is completely severed from the working network. Otherwise, it’s likely to be ransomed along with your primary data.
“If the backups are also unavailable due to the attack, recovering quickly will be more complicated,” Simonson said. “You may need to rebuild using older data or other sources to recover.”
Segment Network Access
Splitting your network into smaller segments is another way to protect critical data. This is typically done by business function or data type, so you can grant employees access to just the data they need to do their jobs. If an employee falls for a ransomware attack, segmentation can help to prevent the ransomware from spreading throughout your network and operations. Access to the most critical data should be limited to a small number of employees.
Use Multifactor Authentication
Multifactor authentication (MFA) adds another level of protection to your network data. This is a method of verifying an employee’s identity with two or more pieces of proof. The authentication factors typically correlate to a device (e.g., an authenticator app on a smartphone), biometrics (e.g., a fingerprint) or information (e.g., a PIN).
Even if a cyber attacker has obtained a user ID and password, MFA decreases the risk that the attacker can gain access by requiring an additional means of validation. For example, they would need to steal both an employee’s password and their phone to be able to log in to your systems.
Monitor Network Vulnerability
It’s important to continuously monitor your network to identify and mitigate security vulnerabilities. Begin with a complete assessment of the network; identify all systems that aren’t fully patched and take corrective action. This includes operating systems and software, as well as older legacy systems that your municipality may depend upon.
“Not managing legacy systems could open the door wider for cyber crime,” Simonson said. “Municipalities may not be aware of the patches they might need to make.”
If security updates are no longer feasible, you can reduce the legacy system’s exposure by placing it within its own network segment, making it inaccessible from the internet and restricting employee access.
Your monitoring should also include the systems that remote employees use to gain access to the network. Microsoft’s Remote Desktop Protocol (RDP), for example, can act as an open door for cyber criminals if not properly configured and secured.
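The article does not say what "properly configured" RDP looks like; the following read-only audit, added here as an example and not part of the Travelers article, reports the settings a defender checks first: whether RDP is enabled, whether Network Level Authentication is required, and whether an inbound firewall rule exposes port 3389 to any remote address. It assumes an elevated PowerShell session on the Windows host being checked and changes nothing.

```powershell
# Added example (not from the article): read-only audit of a Windows host's RDP exposure.
# Assumes an elevated PowerShell session on the host being checked; reports only.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled? fDenyTSConnections = 1 means remote connections are refused.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# 3. Which enabled inbound firewall rules allow RDP, on which profiles, from which remote addresses?
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = ($addr -join ',') }
    }

# 4. Is TCP 3389 actually listening right now?
$listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

# Summary the reviewer reads first.
[pscustomobject]@{
    RdpEnabled      = $rdpEnabled
    NlaRequired     = $nlaRequired
    Listening3389   = [bool]$listening
    InboundRdpRules = $rules
} | Format-List

# Findings that match the "open door" the article warns about.
foreach ($r in $rules) {
    if ($r.RemoteAddress -eq 'Any' -and $r.Profile -match 'Public|Any') {
        Write-Warning "Rule '$($r.Rule)' allows RDP from any address on profile '$($r.Profile)'. Restrict it to the VPN or management subnet, or disable it."
    }
}
if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication; require NLA so credentials are verified before a session is created.'
}
```

Run it against every host that remote employees reach over RDP; any warning it prints is a finding to put in front of the team that owns the host, alongside the patch status described above.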
Ransomware attacks can often be traced back to an employee who unknowingly clicks on a phishing email or malicious link. To minimize the risk of human error, offer continuous, ongoing training on how to recognize cyber threats. Stress to your employees the importance of examining links and attachments to make sure they are from a reliable source. Also, warn them of the dangers of sharing company or personal information in response to an email, letter or phone call, and set up protocols for reporting suspicious activity to a designated manager.
Develop an Incident Response Plan
Avoid scrambling to figure out a plan after a ransomware attack occurs. Having an incident response plan (IRP) in place in advance is key to a swift, systematic response to help contain the damage and minimize costs. To ensure that your plan will fulfill its intended purpose, test your IRP and put it into practice before an incident occurs. You should also continuously update it as you become aware of new risks and vulnerabilities.
Engage the Pros
If an incident occurs, the first step a public entity should take is to engage legal and computer forensics experts, ideally those identified in your IRP or recommended by your insurance carrier. These professionals can assist with investigating the extent of the infiltration, removing the cause, restoring your network and determining whether or not to pay the ransom. You may also have an obligation to notify others of the incident if their information was potentially compromised as a result of the breach.
Purchase Cyber Insurance
Cyber insurance can be essential in helping cities and counties recover after a ransomware attack. Travelers can help provide resources to manage your exposure, pre-breach, during the breach and after the breach.