Municipalities, often underprepared and overmatched by highly sophisticated phishing schemes crafted to injure a wide swath of services, have become an enticing soft target for malware thieves, a new white paper analysis from KnowBe4, a cybersecurity awareness training specialist, said.
An increasing battery of ransomware attacks span “foundational departments” within the community, including education, law enforcement and healthcare, KnowBe4 said, citing data from a variety of sources, in its position paper, The Economic Impact of Cyber Attacks on Municipalities. The research concludes that strong defenses are built not only on funding, initiatives and legislation but also on the cyber education and training of key local government figures and staffers.
“We’ve found that municipalities are struggling to keep up with the barrage of frequent cyber attacks and although significant, the impact goes beyond financial implications,” Stu Sjouwerman, KnowBe4 chief executive said. “Critical services such as healthcare and law enforcement would be put in a very difficult situation if their services went down for any period of time, which is why it’s so important to train all employees, especially those working in municipalities, to help prevent cyber attacks.”
Three top findings from the report include:
- Ransomware attacks are costly for state and local government entities. From 2017-2020, the estimated reported ransom paid per event in municipalities was $125,697.
- Ransomware attacks can cause significant downtime and denial of critical community services, such as healthcare and law enforcement. One analysis pegged the average downtime from a ransomware attack at 9.6 days.
- Attacks on local government have risen significantly. Between 2018 and 2019 known attacks on local governments rose 58.5%.
Adding to the severity of the problem is a lack of awareness by local city officials and staffers of the need for cybersecurity infrastructure, KnowBe4 said, pointing to data showing 48 percent of elected councilors and/or commissioners are either slightly aware or do not know the extent of the need for such measures in the community. And, in another cited study, some 53 percent of local government institutions do not track cyber attacks hitting their networks.
“The lack of funding for cybersecurity initiatives is detrimental. The need for legislation is important, but the need for training is crucial,” the report said. “Legislation is simply not enough; it acts as a superficial and temporary fix to a long-term, persistent problem. Without initiatives like cybersecurity awareness training, our representatives, state, and local employees are vulnerable to social engineering attacks. This is a matter of state and national security, one that should not be overlooked or ignored.”