Research from Deloitte has found governments are being held hostage by cyber attacks more frequently, with criminals expanding their attack base and asking for more money.
Governments in 2019 reported 163 ransomware attacks and paid over $1.8 million in ransoms, with tens of millions of dollars spent on recovery costs. This was nearly a 150% increase in reported attacks from 2018.
According to the report, refusing to pay ransom demands may be the principled option, but it also can be far more expensive.
For example, the city of Baltimore refused a $76,000 ransom demand, only to suffer over $18 million in recovery costs and lost revenues.
“State and local governments should live and plan with the reality that their critical systems and data will be attacked,” said Srini Subramanian, principal, Deloitte & Touche LLP, and cyber state and higher education sector leader.
“Even with cyber-insurance and preventive measures in place, the growing frequency and sophistication of attacks call for government entities to perform cyber health checks and revisit resilience strategies.
“The effort more than pays off. Governments can be better positioned to defend against catastrophic events that are expensive to recover from and could impact public safety and trust.”
Deloitte says criminals can sense the vulnerability of state and local governments and are demanding nearly 10 times what they demand from commercial entities.
To combat this growing risk, the report outlines several key considerations for organizations, including smarter systems architecture, a more prepared workforce, and better cyber hygiene.
“Connected devices, digital systems and integrated data mean governments have the opportunity to serve people and communities like never before,” said Deborah Golden, principal, Deloitte & Touche LLP, and cyber risk services leader.
“It also means there is a large surface for cyber criminals to attack local governments and hold sensitive citizen data hostage. Government officials need to understand the risk involved if their systems and data were suddenly gone or rendered useless.”