In recent years, small towns and municipalities have been increasingly targeted by cybercriminals, not only just for monetary profit, but also to disrupt infrastructure and even threaten citizens. Most recently, we saw a hacker try to compromise internal systems to effectively poison the entire town’s water supply in Oldsmar, Florida. While ultimately unsuccessful, this incident highlighted how damages could not only be reputational or monetary, but life-threatening.
The data shows that in 2020, almost half of all global ransomware attacks were targeted towards municipalities. During that time, nearly two dozen rural municipalities in Texas were extorted in the largest coordinated ransomware attack aimed at public governance bodies. In January 2020, a ransomware attack in Tillamook county, Oregon brought government computer systems down for a week. Then in May, the city of Florence, Alabama fell victim to a cyberattack that cost the city nearly $300,000 and the compromise of personal information of city employees and its customers.
Campaigns against small victims are usually highly targeted; attackers first discover weaknesses in IT infrastructure, operational processes and personnel and later exploit them to deploy malware, usually tailoring methodology and demands to each victim. Whether officials decide to pay or not, damages can be devastating, and full recovery may take weeks or even months.
The main reason small towns are attractive targets for cybercriminals is because they do not think they are. They often do not believe they will be targeted, and as a result, don’t dedicated their limited IT resources to bolstering cybersecurity standards and practices. This creates an exemplary subjective security paradox – a target that thinks itself less attractive means it will have weaker security measures, which then makes it more attractive. Because of the nature of government work, it is also quite common for these towns to have outdated technology stacks that make for easily exploitable holes. Unlike the private sector that can dedicate entire teams to cybersecurity measures, smaller municipalities generally have a lack of resources to dedicate technology challenges they do not perceive as direct threats. This creates a perfect storm that makes them an ideal target for bad actors.
Source: CPO Magazine