Understanding & Preventing Ransomware Attacks Against Public Safety (Part 2))
Richard Spiers, CPCU, ARM, ARe, AIC
Consultant, Spiers Consulting, LLC
This blog is a continuation of Understanding & Preventing Ransomware Attacks Against Public Safety (Part 1)
Criminal Justice Implications
In addition to the life-threatening consequences of ransomware attacks on 911 dispatch centers, public utilities and detention facilities, such attacks have specific implications for law enforcement.
Police department computer systems contain plenty of important and personal information, from sexual abuse and violent crime reports to 911 call records, case files of ongoing investigations and personnel records. When these records are compromised, potential consequences include:
- Altering of files. If your agency has been hacked, defense attorneys can raise questions about whether digital file evidence has been altered by the hackers. Experts note this could have a potentially devastating impact on a municipality’s criminal justice system.
- Accusations that agencies deliberately let the files be lost. If the agency won’t pay the ransom, hackers often delete the files. This can make the agency vulnerable to plaintiff attorneys who argue the agency deliberately didn’t pay the ransom in order to destroy records it didn’t want to share—files that contained potentially damaging or contradictory information.
- Lost evidence. If evidence from open cases is lost or altered, cases can fall apart, allowing criminals to go free.
What You Can Do
Ransomware is a perfect example of what risk management expert Gordon Graham calls “external international misconduct”—or put simply, bad behavior by bad people. He notes these are some of the most difficult risks to guard against. But that doesn’t mean we should just give up. There are several steps you can take to safeguard your agency or municipality against ransomware attacks.
First, seek good system experts to help you upgrade your file storage security and find stronger ways to back up your files. Secure backups with an easy recovery system can eliminate the need to pay ransom if you are attacked. Experts recommend daily backups to minimize the amount of data lost.
Second, train your staff—everyone!—on the importance of cybersecurity. Everyone with access to your email system should understand the consequences of falling prey to a phishing attack and should be able to identify suspicious emails. Many organizations routinely test employees by sending fake messages to see whether employees fall for them. You IT department should also consider online courses, such as the course offered through Lexipol that meets the new Texas requirement for cybersecurity training. You can also obtain assistance from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency, which offers cyber training to state and local governments and will conduct tests on municipal systems to determine how secure they are.
Third, think through situations now so you’re better prepared if one does occur. What amount of ransom would your agency or municipality be comfortable paying—if any? How would you message the payment to your community? Check out this free communications coordination and response checklist from Harvard’s Kennedy School of Government. It was developed to address attacks on elections, but many of the steps apply to public safety agencies.
And don’t expect the FBI to make recommendations on whether you should pay a ransom demand. They will tell you what your options are but will leave it up to you to make a decision to access your backup systems, contact a security expert or make the payment.
Fourth, make sure your organization’s policies on information security are up to date and personnel are trained on them. For law enforcement agencies, this includes your digital evidence policy.
A Final Word
With myriad risks facing public safety agencies and local governments, it can be tempting to take a “it can’t happen here” approach to ransomware attacks. The idea that a couple of rogue individuals thousands of miles away can bring a city to its knees is somewhat difficult to fathom when dealing with the day-to-day challenges of staffing, personnel issues, media scrutiny and budget pressure. But ransomware is a real threat, and we need to understand it, acknowledge it and prepare for it. Our mission compels us.
Reference
Liska A and Gallo T. Ransomware, Defending Against Digital Extortion. Shroff/O’Reilly: Sebastopol, CA, 2016.
*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*
By: Richard Spiers, CPCU, ARM, ARe, AIC
Consultant, Spiers Consulting, LLC
Richard has been in the insurance industry since 1980 and was a claim executive in the reinsurance and excess marketplace since 1985. He was with Genesis Management and Insurance Services for over 20 twenty years. He is currently doing claim consulting work. Richard has extensive experience handling the wide array of claims faced by public entities, K-12 school districts and the higher education sector. Based in Chicago, he has also worked for Transamerica Insurance Group, Northbrook Excess and Surplus Insurance, CNA and Allstate Reinsurance. He is a graduate of Northern Illinois University, a member of the Society of CPCU, and holds associate designations in risk management, claims, and reinsurance. Richard has been developing and presenting insurance industry-related training sessions to a variety of client and industry groups for over 25 years.
