Sunday , September 20 2020
Home / Security / Deloitte: 8 things municipal governments can do about ransomware

Deloitte researchers explain why state and local governments are favored for ransomware attacks and how they can protect themselves with limited resources.

Deloitte: 8 things municipal governments can do about ransomware



The IT systems of the City of Durham and Durham County in North Carolina have been shuttered since a successful ransomware attack struck the municipalities on the evening of March 6. Although details are still sketchy, the North Carolina Bureau of Investigation indicated the attackers used Russian-made malware known as Ryuk.

[ Read our blue team’s guide for ransomware prevention, protection and recovery. | Get the latest from CSO by signing up for our newsletters. ]

Durham joins a growing list of local governments grappling with the latest security scourge sweeping the country: ransomware attacks against poorly fortified local government systems that are ill-prepared to recover from these assaults. Municipal governments like Durham are attractive targets for ransomware attackers as more governments are being held hostage more frequently and for more money, according to a new report released today by Deloitte’s Center for Government Insights that examines trends in ransomware attacks on state and local governments.

According to the report, in 2019 governments reported 163 ransomware attacks, a nearly 150% increase from 2018, with more than $1.8 million in ransoms paid and tens of millions of dollars spent on recovery costs. Tight budgets, a growing attack surface and inadequate cybersecurity talent are the top reasons that cities struggle with the attacks, the report said.

The wider attack surface is emerging as cities deploy more computers and connect their networks to a wider array of services, from traffic light systems to ambulances to garbage trucks, according to Deloitte. At the same time, tight fiscal budgets constrain cities modernization efforts, including the adoption of new cybersecurity tools. Finally, local governments struggle to attract the cybersecurity talent they need, the report says. A biannual NASCIO/Deloitte cybersecurity survey found a lack of budget to be the top concern of state-level CISOs every year since 2010, the report notes.

“Local and state governments have consistently not invested in cyber because they don’t have the funding,” Srini Subramanian, principal, Deloitte & Touche and cyber state and higher education sector leader, tells CSO. “The second is the proliferation of services that they need to offer to their citizens in an online and internet based medium. Third is that the state and locals really don’t have a chance to keep up bringing cyber talent.”

Another factor driving the rise in the number of municipal ransomware attacks is the growing prevalence of cybersecurity insurance among state and local governments. “We believe that part of the problem, the reason why there is so much more payment of ransom [by local governments] is potentially because of the cyber insurance. The cyber insurers figure that paying ransom is probably the quick way for the services to come back online and possibly a more cost-effective way of dealing with an attack,” Subramanian says, giving attackers a greater financial incentive to hit cities.

The costs of refusing to pay the ransom are typically high even if, as the report notes, refusing to pay the attackers is the “more principled” option. The city of Baltimore refused to pay ransomware attackers the $76,000 they demanded after a ransomware attack in May 2019. That decision ended up costing the city an estimated $18.2 million in restoration costs and lost revenues.

Insurers, too, are pushing policies on municipalities because as a product cybersecurity insurance is currently quite profitable. For every dollar in premiums collected from policyholders, insurers paid out roughly 35 cents in claims, making cyber insurance nearly twice as profitable as other types of insurance, the Deloitte report states.

Subramanian believes local governments will stop paying ransom because they will get wise to the need for maintaining robust backups and backups that are either offsite or air-gapped away from the main municipal networks. “So if they can have a solid and a robust backup and restore mechanics and they have confidence in it, then most of the local government are going to come back and say, ‘well, you know what, we’re not going to pay the ransom and we are going to restore from our backups.’”

Success is possible if local governments focus on backup and restoration resiliency following ransomware attacks, the Deloitte report suggests. “Training and resources—and a bit of luck—can thwart hackers who have been hobbling US cities and counties.”

The Deloitte report offers this advice to municipalities worried about ransomware attacks:

One last piece of advice is to not assume that if you get hit by ransomware once that it won’t happen again. A trend that the Deloitte researchers expect to emerge is that municipalities that got hit once with ransomware are likely to see their attackers make a return visit. “Even if they are successful in recovering operations after being ransomed, it’s only a matter of time before they’re going to be hit again,” Subramanian says.

“We are still in early stages of this life cycle that we haven’t seen the same municipal governments get hit multiple times yet,” he says. That’s why Deloitte is pushing its clients to develop confidence in their ability to survive another ransomware attack. “We are telling them to focus on that resilience in the immediate term, which involves the ability to backup and restore and keep the backup secure from ransomware type attacks.”

More on ransomware:

This story, “Deloitte: 8 things municipal governments can do about ransomware” was originally published by


Copyright © 2020 IDG Communications, Inc.

This Article was first published on

About IT News Ug

Check Also

IT snapshot: Ethnic diversity in the tech industry

As Black Lives Matter marches take place across the world, where do the U.S., U.K. and other major Western countries stand in their IT diversity?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.