If you spend enough time in any industry you start to notice patterns.
I spend a lot of time in the cybersecurity industry, and I've noticed a pattern lately. Cities and municipalities are getting killed with ransomware.
This year alone has been a bloodbath. LaPorte County, Indiana, got taken for $130,000. Jackson County, Georgia, coughed up a $400,000 ransom. Officials in Baltimore took a different tack. They refused to pay the $76,000 to unlock their systems. To date, it's estimated the city has spent $18 million restoring their computer networks.
Of course, the mayors in these cities have seen this pattern too. That's why at their yearly conference, which represents over 1,400 mayors from U.S. cities with over 30,000 people, they adopted a resolution not to give in to ransomware demands. Apparently they haven't heard about Baltimore.
Do you know what resolution wasn't adopted at that conference? An agreement to follow best security practices to make sure they aren't victims of ransomware in the first place.
The cause of most ransomware
Yes, there are insider threats. Yes, there is vulnerable software. No, that's not the cause of most cyber attacks that lead to ransomware.
We know that somewhere between 91% and 93% of all cyberattacks start with a phishing email. And 97% of all phishing emails deliver ransomware. In other words, just before you get hit by a ransomware attack, someone in your organization clicked on something they shouldn't have. If you can figure out a way to stop phishing, most of your problems go away.
The sophisticated nature of phishing attacks
When you spend a lot of time in the cybersecurity industry, you also gain an appreciation for how clever hackers are. I've seen a lot of sophisticated phishing exploits, and my favorite is the one I call "invisible links."
Targeting mobile devices, this technique incorporates an invisible link (using the opacity setting in CSS). The link is instead replaced by a “bothersome” graphic element that’s made to look like a small hair or a speck of dust. This tricks the user into wiping the hair or dust off the screen which activates the link and launches a connection back to a rogue website. Or worse, it releases some form of malware.
How cities and municipalities can protect themselves from ransomware
Many of the cities that get hit with ransomware are small, with small IT staffs and limited budgets. So any solution to the ransomware problem must be affordable and easy to deploy. Below, I discuss three easy and affordable steps every city and municipality should take, immediately, to defend themselves from ransomware. These steps can also be used by small business owners looking to protect themselves against ransomware issues.
1. Employee security awareness training
Employees need security awareness training. There are four different types of training available, with the most effective being a simulated attack with real-time feedback. With this method of training, simulated phishing emails are randomly sent to employees. If they fall for the phish and click on a link, they are immediately alerted to the fact. The education happens at the exact moment of failure, which is thought to be the best time for education reinforcement.
Employee security awareness training is essential, but it's not sufficient. Why? Because we know from research that after one year of continuous employee training, the best possible result is 98% effectiveness. And while 98% may sound good, in a city with thousands of emails a day, that's dozens (or hundreds) of clicks on malicious links a day.
So, why bother training employees at all? Because it raises their overall level of suspicion. As silly as it sounds, when it comes to cybersecurity in general and emails in particular, suspicious employees are good employees. You want your employees on high alert at all times, and awareness training helps facilitate that.
How much does awareness training cost? Anywhere from free to a couple of bucks per employee per year – well within the budget of any city, municipality or business.
2. Cloud-based, anti-phishing software
No matter how suspicious employees are, eventually some malicious link somewhere is going to get clicked. What's the best way for cities to protect themselves against that? Cloud-based, anti-phishing software.
There are firewalls, there is antivirus software, but cloud-based solutions are better, because all of the protection happens off-site before the email ever crosses the network perimeter – that gives it the opportunity to keep dangerous emails out of inboxes altogether.
Cloud-based, anti-phishing software works simply by changing a DNS entry – which takes about 10 minutes – and rerouting all the emails to the anti-phishing software provider. Once there, the anti-phishing software does two things. First, it immediately scans the email for malicious content. It doesn't just scan attachments, it actually follows the embedded links to their destination to see if that website is malicious. If it is, it quarantines the email so the recipient never sees it; otherwise, it forwards it.
The other thing anti-phishing software does, which is really clever, is to rewrite all the embedded links in every email to point to itself rather than the ultimate destination. Why does it do that? Because the most sophisticated phishing emails are not threatening when they are first received, and they only turn threatening sometime later. This is known as a delayed phishing attack.
When an email is first sent, if it appears safe, it gets forwarded to the recipients inbox. But what if the recipient clicks on the link in the email a couple of hours (or days) later after the website has turned malicious? By rewriting the links and pointing them to themselves, the anti-phishing software can check the link in real-time, whenever it's clicked, every time it's clicked. If the link is good, the recipient is forwarded to the website. If it's not, it's blocked. This technique stops a lot of phishing attacks.
How much does cloud-based, anti-phishing software cost? I found the average price to be about 30 cents per employee, per month. Did you think Baltimore wished they had spent that?
3. Data backup
I'm writing this from a desktop computer in my office. For about five bucks a month, I have every one of the files on my computer backed up to the cloud in near real time. If I were to fall victim to ransomware asking to unlock my computer for $10,000, do you know what I'd do? I'd go get a $1,000 computer, reinstall all my software and download all my files from the cloud. I'd be back up and running in a day.
In cybersecurity, a best practice is something called defense in depth. It simply means to put up as many barriers as you can to protect yourself. If employee training is the first barrier and anti-phishing software is the second barrier, then the third barrier has to be data backup.
No matter how good a city's defenses, there's always a chance they'll become the victim of ransomware, because hackers are just too damn clever. But there's no reason that the city's data should ever have to be at risk. Back up your data in the cloud. And make sure the provider you choose backs up their datacenter (most do).
How much does data backup cost? It depends on how much data and the feature set, but figure no more than a couple bucks a month for each employee.
Bottom line
If you’re a city or municipality, phishing emails are hitting your employees' inboxes every day, and many of them have a ransomware payload. Don't wait to get hit before you take action. Train your employees, invest in anti-phishing software and backup your data. They're all a lot cheaper than paying the ransom.