Mar 23 2020

Ransomware Awareness Is Up, But Training Still Lags, Study Finds

Government agencies need to invest in modernized systems, better recovery plans and more cybersecurity talent.

Ransomware attacks are increasing in both prevalence and cost. According to a recent report from Kaspersky Lab, “Story of the year 2019: Cities under ransomware siege,” 174 municipal organizations were infected with ransomware last year, roughly a 60 percent increase from the number of cities and towns that reported falling victim to attacks one year earlier. 

So far, total damage from ransomware in 2019 amounts to $11.5 billion, and the tally is still being counted, according to a report from cybersecurity firm Deep Instinct.

Despite increased awareness of ransomware and the threat such attacks pose to state and local government agencies, there is still a disconnect between that awareness and the amount of training and preparation agencies undertake to guard against attacks.

According to a February Harris Poll sponsored by IBM Security, 73 percent of government employees surveyed are concerned about ransomware threats to cities across the country, and more employees fear cyberattacks on their communities than natural disasters and terrorist attacks. The poll found that one in six respondents said their department was impacted by a ransomware attack.

Despite the growth of these attacks, half of the employees surveyed have not seen any change in preparedness from their employers, with only 38 percent receiving general ransomware prevention training. Further, budgets for managing cyberattacks have remained stagnant, according to 52 percent of state and local government IT and security professionals polled.

Why is there such a seeming disconnect between the level of awareness around the threat ransomware poses and the level of preparation needed to defend against it? 

Why Agencies Are Behind on Ransomware Defenses

The emerging ransomware epidemic in cities highlights the need for local agencies to better prepare for cyberattacks just as frequently as they prepare for natural disasters, Wendi Whitmore, vice president of threat intelligence at IBM Security, said in a statement.

“The data in this new study suggests local and state employees recognize the threat but demonstrate overconfidence in their ability to react to and manage it,” she said. “Meanwhile, cities and states across the country remain a ripe target for cybercriminals.”

IBM Security is encouraging U.S. cities to strengthen their preparedness through collaboration and threat sharing, creating and implementing incident response plans, and regularly testing their preparedness via threat simulations.

Gary Newgaard, vice president of public sector at Pure Storage, says that most states have task forces set up to respond to ransomware attacks, which include plans to activate relationships with the Department of Homeland Security and to deploy National Guard forces.

“The crisis stems from the fact that everyone is focused on backing up data,” Newgaard says. “The backup is good and should be part of everybody’s normal course of action. What they haven’t thought of, and where the ransomware comes into play, is how much does it take and how long does it take to restore. If the backup is compromised, you are really toast.” 

Another issue is that state and local governments are still running aging data centers and data storage systems that were deployed before the age of ransomware. And it is not as easy to move off of legacy systems as one might think, Newgaard says. 

Additionally, most state and local governments are facing uncertainty around budgets, especially in an election year.

“Many governments struggle to keep pace with the rapid pace of technology refresh cycles. Tight budgets limit the amount of modernization that can take place, and even if budget is available, the tech refresh process itself can strain government IT departments,” Deloitte notes in a March report on ransomware. “Private sector networks are often designed with enough redundancy to support taking portions offline for tech refresh without suffering a loss in capability, but state and local government network operations teams rarely have that luxury. Taking a system offline to replace or upgrade it generally means some service is unavailable to citizens, making modernization a tough tradeoff for government leaders.”

The challenges are not just technological, Deloitte notes; agencies face issues with ransomware due to a lack of cybersecurity staff. “New systems do not come online and legacy systems do not get patched without trained staff to do the work,” Deloitte reports. “Attracting and keeping the right number of trained technology staff, and cybersecurity staff specifically, is perhaps the greatest challenge for many governments.”


How to Effectively Combat Ransomware

No system can ever be made fully secure, but how an agency manages its data can mitigate the consequences of any ransomware attack, according to the Deloitte report. 

“Developing a system architecture where the most critical data is compartmentalized can make it more difficult for hackers to encrypt enough critical information to create leverage and demand a ransom,” the report notes. “This compartmentalization is as much about function as physical connectivity. Disabling extraneous services on connected devices and putting in place policies that prohibit checking email or playing games on critical hardware can be important defensive measures.”

Newgaard notes that not every IT staff member can or should have access to the same amount of data through his or her credentials. The company advocates deleting the compromised data in the event of ransomware, initiating the backup to start new and then recovering to get services back online. 

Meanwhile, cybersecurity talent is in high demand, so governments “must be creative about ways to attract and retain that talent, including sharing talent via rotational assignments within government, improving pay and benefits packages, or looking to the gig economy,” the Deloitte report notes. 

For example, Michigan’s Cyber Civilian Corps not only offers new ways to hire IT security staff members; its CISO as a Service offering also helps to make talent available to smaller governments that otherwise could not afford it.

Most government agencies have disaster recovery scenarios set up, either because they are required to or through good management, Newgaard notes. In the past, that meant putting a copy of data somewhere it could be recovered, either offsite or in the cloud.

“Those systems are really good at backing up, but are not good at restoring,” he says. Agency IT leaders need to ask themselves, “What is your backup strategy?” But, more important, “What is your recovery strategy?”
