Why Agencies Are Behind on Ransomware Defenses
The emerging ransomware epidemic in cities highlights the need for local agencies to better prepare for cyberattacks just as frequently as they prepare for natural disasters, Wendi Whitmore, vice president of threat intelligence at IBM Security, said in a statement.
“The data in this new study suggests local and state employees recognize the threat but demonstrate overconfidence in their ability to react to and manage it,” she said. “Meanwhile, cities and states across the country remain a ripe target for cybercriminals.”
IBM Security is encouraging U.S. cities to strengthen their preparedness through collaboration and threat sharing, creating and implementing incident response plans, and regularly testing their preparedness via threat simulations.
Gary Newgaard, vice president of public sector at Pure Storage, says that most states have task forces set up to respond to ransomware attacks, which include plans to activate relationships with the Department of Homeland Security and to deploy National Guard forces.
“The crisis stems from the fact that everyone is focused on backing up data,” Newgaard says. “The backup is good and should be part of everybody’s normal course of action. What they haven’t thought of, and where the ransomware comes into play, is how much does it take and how long does it take to restore. If the backup is compromised, you are really toast.”
Another issue is that state and local governments are still running aging data centers and data storage systems that were deployed before the age of ransomware. And it is not as easy to move off of legacy systems as one might think, Newgaard says.
Additionally, most state and local governments are facing uncertainty around budgets, especially in an election year.
“Many governments struggle to keep pace with the rapid pace of technology refresh cycles. Tight budgets limit the amount of modernization that can take place, and even if budget is available, the tech refresh process itself can strain government IT departments,” Deloitte notes in a March report on ransomware. “Private sector networks are often designed with enough redundancy to support taking portions offline for tech refresh without suffering a loss in capability, but state and local government network operations teams rarely have that luxury. Taking a system offline to replace or upgrade it generally means some service is unavailable to citizens, making modernization a tough tradeoff for government leaders.”
The challenges are not just technological, Deloitte notes; agencies face issues with ransomware due to a lack of cybersecurity staff. “New systems do not come online and legacy systems do not get patched without trained staff to do the work,” Deloitte reports. “Attracting and keeping the right number of trained technology staff, and cybersecurity staff specifically, is perhaps the greatest challenge for many governments.”
How to Effectively Combat Ransomware
No system can ever be made fully secure, but how an agency manages its data can mitigate the consequences of any ransomware attack, according to the Deloitte report.
“Developing a system architecture where the most critical data is compartmentalized can make it more difficult for hackers to encrypt enough critical information to create leverage and demand a ransom,” the report notes. “This compartmentalization is as much about function as physical connectivity. Disabling extraneous services on connected devices and putting in place policies that prohibit checking email or playing games on critical hardware can be important defensive measures.”
Newgaard notes that not every IT staff member can or should have access to the same amount of data through his or her credentials. In the event of ransomware, Pure Storage advocates deleting the compromised data, initiating the backup to start anew and then recovering to get services back online.
Meanwhile, cybersecurity talent is in high demand, so governments “must be creative about ways to attract and retain that talent, including sharing talent via rotational assignments within government, improving pay and benefits packages, or looking to the gig economy,” the Deloitte report notes.
For example, Michigan’s Cyber Civilian Corps not only offers new ways to hire IT security staff members; its CISO as a Service offering also helps to make talent available to smaller governments that otherwise could not afford it.
Most government agencies have disaster recovery scenarios set up, either because they are required to or through good management, Newgaard notes. In the past, that meant putting a copy of data somewhere it could be recovered, either offsite or in the cloud.
“Those systems are really good at backing up, but are not good at restoring,” he says. Agency IT leaders need to ask themselves, “What is your backup strategy?” But, more important, “What is your recovery strategy?”