Local municipalities and businesses are under attack. Ransomware has grown into a widespread challenge for organizations of all sizes, from small businesses to major corporations to local municipalities. In the last few years, the city of Baltimore and Baltimore County Public Schools were attacked, and recently, Washington Adventist University, a private four-year college in Takoma Park, confirmed a ransomware attack. Nationally, the SolarWinds supply-chain compromise and the Colonial Pipeline ransomware attack showed how an intrusion can reach critical infrastructure, with consequences that could have been catastrophic.
Cybercriminals are sophisticated, coordinated groups that can earn millions of dollars from a single ransomware attack. DarkSide, the group FBI officials have said took down the Colonial Pipeline, has raked in $60 million since 2020, according to The Washington Post.
So what can a government organization or employer with a tight budget do to protect itself against ransomware and other cyberattacks? Organizations need to approach cybersecurity like any other risk management strategy, but the investment does not have to be costly. In fact, basic education and training in smart cyber habits can make a real difference in protecting data and systems.
Let’s take the mystery and “techiness” out of cybersecurity, ignoring bits and bytes, 1s and 0s, and view cyber protection as a form of physical security for a home. Security for a home does not and should not start or end at the front door. True security relies on a defense that starts at the farthest point from your home, which in this metaphor is your network. Properly illuminating your home, cutting back bushes by windows and doors, installing a security system and placing an alarm company sign in the front yard, keeping doors and windows locked when unattended, and having security cameras are all ways to deter and prevent a would-be bad actor from breaking in.
Similarly, a business or organization should build in multiple layers of security. These steps may include a risk assessment to understand the total attack surface; a process and procedure for ensuring that all technology assets, meaning the operating systems and applications on every laptop, workstation and server, are properly patched; training employees to recognize suspicious emails and to know what to do if they click a link or open an attachment in one; and offline backups of high-value assets, with restores tested regularly so the backups are known to work when they are needed.
But it shouldn’t be the sole responsibility of businesses or local municipalities and agencies. Until recently, the U.S. government has not done enough to protect our nation’s infrastructure and businesses from ever-increasing and volatile cyberattacks. Just this month, the White House held a meeting of the National Security Council with 30-plus partners to determine how to slow down and eliminate the current cyber threats. This is a good start, but comprehensive legislation and education are needed.
We need legislation requiring companies to report ransomware attacks. This is not an attempt to overlegislate the victims, the organizations and companies that are hit. It is an attempt to provide an adequate picture of the magnitude of attacks occurring; to better track the tactics, techniques and procedures (TTPs) used and identify the bad actors behind them; and to demonstrate the volume of support needed to keep cyberattacks from growing. It is estimated that a large number of ransomware attacks go unreported because there is no requirement to report an attack unless consumer personal data is involved.
We need education. The term PSA (public service announcement) may evoke the “after-school special,” but a PSA is in reality an effective way to inform the public of a danger and of the ways to get help should someone fall victim to it. The government is failing here. I asked 12 companies I know if they are aware of the process for reporting a ransomware or other cyberattack to the government, and all 12 answered no. While this is a relatively small number, I am confident it is a good representation of businesses across the nation if a national poll were conducted. We need the government to promote the resources, methods and processes already in place so that individuals and organizations know how to alert the appropriate agencies and seek help.
The only way to make significant advances in preventing cyberattacks on our country and its infrastructure is a federal strategy that measures the true volume and depth of attacks, defends against them, and educates leaders and communities to prevent them.