Back to overview
24. March 2021

Holding Local Government for Ransom: The Risk of Cyberattacks

City, county, and state government ransomware attacks have increased due to the terrifying vulnerability of those institutions. A recent study said nearly two-thirds of attacks are directed at governments.

City, county, and state government ransomware attacks have increased due to the terrifying vulnerability of those institutions. A recent study said nearly two-thirds of attacks are directed at governments and their agencies or departments.

It’s a cause for alarm to us all. These organizations provide public services to millions of Americans, from police/fire to electricity to birth certificates and marriage licenses. Victims range from small (Keene, Texas; population 6,100) to large (Baltimore, Maryland; population 2.8 million), but there are two things they tend to have in common – low budgets and overworked IT personnel.

Small governments are especially defenseless since they have limited resources and IT infrastructures that are rarely the latest and greatest. Compounding the problem is their budget process. It is difficult for cash-strapped local governments to allocate funding to a perceived future threat when there are real-world needs right now. Finance committees may recognize the importance of cybersecurity but routinely postpone funding requests to the next budget cycle because, fingers crossed, everything is currently fine.

However, it’s hard not to see the life-and-death nature of city services being hamstrung by a cyberattack. Emergency dispatchers in Riviera Beach, Florida had to use pen and paper when handling 911 calls because their systems were not up and running weeks after ransomware struck. Albany, New York’s police department was “crippled” after an attack.

Even the loss of less critical services can bring a city or county to its knees. It may be unable to access payment processing for utilities, licenses, or to collect taxes, fees, and fines, rendering them unable to support and maintain the city or pay staff (though no one would mind if their traffic tickets were magically erased).

Lost revenue is only one cost–attackers love hitting local governments because they pay up. They give in to the ransom demand thinking they’ll get their data back, which isn’t always the case. The cybercriminal may not honor his end of the bargain (imagine that) or, as was the case in Garfield County, Utah, the damage is so extensive that systems are impacted for weeks or longer whether or not a ransom is paid.

With all due respect to budget committees, treasurers, and local elected officials, a lack of forward thinking can cost your government a hundred times more than the cost of protecting the data adequately in the first place. Baltimore estimates it will lose more than $18 million due to lost and delayed income plus the cost of getting systems up and running. The relatively low cost to the Georgia State Department of Agriculture was around a quarter of a million.

If a budget-strapped government can’t afford to protect data, it certainly can’t afford to recover from an attack.

What’s the solution? At Aparavi we are (obviously) fans of the “pay-as-you-go” model of Software-as-a-Service. Instead of a large up-front investment, SaaS users pay monthly, based on consumption – just like city residents pay for their water and power.

SaaS-based products can be far more cost-effective, and still deliver enterprise-level encryption for security. Aparavi creates protected copies of the data, and moves it to the destination of choice, such as cloud storage. We allow customers to select any location based on retention objectives and/or budget, whether that’s cloud or on-premise hardware targets.

Aparavi is another way we offer intelligent protection that helps conserve costs. Much of an organization’s data being backed up today is “ROT” (Redundant, Obsolete, or Trivial) data that has no perceived value and is relatively unlikely to be accessed or needed again. ROT data does not need to be stored in an airtight manner, whereas critical data that poses a higher risk based on its contents or usefulness should be maintained under stricter policies. Aparavi includes classification features to evaluate the data and metadata, and classify it according to importance or contents. The user can then choose the proper protection and security levels and storage destinations.

For example, data that includes Personally Identifiable Information such as Social Security numbers poses an extreme risk, and possible penalties, if it’s compromised or breached. Aparavi can add a classification tag like “PII” to the file’s metadata, move the data to encrypted at-rest storage, then replicate or make immutable copies to a second off-site location that is not accessible to the agency’s primary systems. On the other hand, ROT data can be sent to an inexpensive cloud archive tier, available for half a penny per gigabyte per month. (Aparavi enables very granular restores in case a file needs to be recovered.)

More than 200 state and local governments have reported attacks in recent years – and attacks in 2019 are already outpacing 2018. There is simply no justification for failing to protect data, especially when Aparavi provides simple, affordable ways to prevent ransomware attacks.