In March, the city of Atlanta, Georgia, was given an ultimatum – pay unknown hackers $51,000 or lose access to all internal files. There are a couple of lessons to learn from this unfortunate situation. Hackers look for networks with critical, time-sensitive data and they love to attack cities.
The city of Atlanta did what most cities would do…they chose not to pay the ransom. However, the city ended up paying about four times as much to restore its systems. Ransomware attacks are multi-million-dollar crimes and they are becoming more common every day.
Ransomware infects more than 100,000 computers each day. The Federal Bureau of Investigation reports receiving 3,000 ransomware reports last year and says that individuals may have paid out as much as $24 million to hackers. The official reports normally involve ransomware attacks on large organizations or public entities. Payments for ransomware attacks are reaching $1 billion – yet, many companies and organizations remain completely vulnerable.
Most governmental entities have taken major precautions but many remain vulnerable because of a lack of funds. Public entities usually have a policy not to pay ransoms but, as in Atlanta’s situation, officials realize that the fix may be considerably higher than the ransom request. A few years ago, hackers lowered their ransom requests hoping that would escalate payments. Many do pay the ransom, but at least one time in every five, those who pay don’t get their files back.
Because government now puts more data on the same network, ransomware attacks are more frightening and usually more costly. Everything that touches citizens can be impacted by a cyberattack – traffic lights, online payment systems, air traffic at airports, security systems, emergency response, cameras, education and health care. Getting hacked is one of the greatest fears for public officials.
While most IT personnel say they can detect a ransomware attack, only 28 percent say they have the ability to prevent one. Hackers prefer to victimize organizations with an abundance of critical, time-sensitive data. That’s because these are the most vulnerable targets and the most likely to pay quickly.
In January, a SamSam attack hit Hancock Health, locking the hospital’s computers that contained patient data. Hackers gained access to the system by using a vendor’s username and password. Given the time-sensitive nature of the information, the hospital system felt it had no option other than to pay the ransom, and it did – about $55,000.
A misconfigured web server led to a SamSam attack on the Erie County medical center. The ransom request was $44,000 and a decision was made not to pay. That decision cost the medical center 227 times more than the requested ransom. Internal audits and emergency procurements cost the medical center $10 million to get back online and the whole process took about six weeks.
The now infamous Colorado attack on the state’s Department of Transportation (CDOT) took 2,000 employees offline for over a week. Attackers demanded about $325,217. CDOT officials publicly said they did not pay the ransom but officials have not reported how much it cost the agency to get back online or how the attack occurred.
In December 2017, attackers locked down the computer system of Mecklenburg County, North Carolina, demanding $23,000. The county refused to pay and was left without access to its computers for over two weeks, causing issues for its property tax deadline. Now the county’s IT department says it needs $2 million to update its cybersecurity policy, monitoring response and network policies.
Incidents like this are all too common. Paying a ransom request only encourages more hackers to get into the game. Not paying, however, almost always costs many times more.
What can be done? Some large companies hire a software firm to test their own employees to catch any who might click on a suspicious link, open an unfamiliar document or click on an unfamiliar web site. That’s too costly for most, so here are a few basic instructions – and these rules should apply to organizations of all sizes:
- Ongoing employee communication is critically important. Schedule security awareness campaigns. Employees must be aware of what can happen if they are careless. Most hackers are aided by human error, weak network rules or users who don’t consistently obey the rules.
- Training of all users should be ongoing, and it should include helping all users learn to recognize suspicious emails, links or web sites.
- Use anti-virus software on all computers.
- Get a network audit, develop a cybersecurity plan and keep all security software very current.
- Appoint a security team to oversee internal policies, recommend additional training and to be responsible for updates to cybersecurity efforts.
- Back up all data regularly – daily is best.
- Spend what you must to prevent cyberattacks – otherwise don’t be surprised if you pay much more if hackers find you.
Let’s not let the hackers profit at the expense of taxpayers. Let’s encourage public officials to spend whatever it costs to protect public data and government networks. Upfront costs are much less than the costs to recover from cyber breaches.