Back to the Sep-Oct 2022 issue

Get City Services Back Online With a Solid IT Incident Response Plan

By Deborah Lynn Blumberg

Local governments have become a prime target for hackers since cities provide crucial services that residents often can’t go without. Security incidents can result in millions of dollars in financial losses, exposure of sensitive resident and employee data, and widespread, long-lasting loss of services.

“It’s more likely you’re going to have something happen than not,” says Amy Timmons, senior vice president and senior consultant at benefits and human resources consultant Segal, in its Administration and Technology Consulting Practice. “Phishing attempts are getting more and more creative and realistic.”

Cities, however, can protect themselves with a sound IT incident response plan or document that specifies how to respond to a cyber incident. It’s a tool all cities today must have, says Rohit Tandon, chief information security officer for the state of Minnesota.

“Cities are providing services to residents, and most of those services are critical in nature,” he says. “You have an incident response plan because, as a city, you really want to make sure in the event that services are interrupted, you have the ability to respond and quickly restore them. It’s about business continuity.”

Rising threats

In its report The State of Ransomware 2022, Sophos found in a survey of global IT professionals that 66% of organizations were hit by ransomware in 2021, up from 37% in 2020. Ransom payments rose, too, with 11% paying ransoms of over $1 million, versus 4% the prior year.

Cyberattacks have taken down school systems and law enforcement departments, and with the war in Russia, concerns are growing that Russian cyberhackers could shut off electricity or other utilities to residents.

From 2017 to 2020, municipalities paid an average of $125,697 per ransom event, according to integrated security awareness training and simulated phishing platform KnowBe4. Money spent might include ransom payments and fees to vendors to restore services. The average downtime for municipalities after an attack is nearly 10 days.

“Our interconnected world has seen an increase in threat actors,” says Tandon, “and the sooner you’re able to identify the attack, the more things you can do about it.”

The most common types of cyberattacks on cities, according to League of Minnesota Cities Chief Information Officer Melissa Reeder, are wire fraud and ransomware attacks, in which malware installed on city computers locks users out of their devices or blocks access to data until a ransom is paid. Hackers gain access through phishing, that is, by tricking employees into revealing confidential information online.

For example, a hacker might hear at a city public meeting the names of contractors working on a large municipal project. Then, they’ll impersonate someone from the company through email, asking a city employee to wire money or click on a link.

A well-thought-out plan

One of the best ways to prepare for what could be an inevitable cyberattack is to have a well-thought-out IT incident response plan.

It doesn’t have to be a long document, says Reeder. A plan that’s just a few pages will suffice, she says, as long as it’s thorough, taking into account all city services and systems.

Adds Timmons, “It can be something relatively short and sweet, but more than just a few bullet points. The plan should detail people, property, and processes.”

Tandon says a response plan has multiple components. It’s not just detecting and being aware that it’s happening. “There needs to be preparation,” he says, “to train your team and get them geared up on the tools and procedures they need.”

To develop a plan, consult the following tips:

  • Form an IT incident response team. Clearly define the city leaders you want to have on your IT incident response team and make sure everyone is on board. These leaders might include the mayor and city administrator, IT leaders, legal counsel, the communications team, and human resources. As you develop your plan, assign each team member specific roles and responsibilities and schedule regular meetings. “You don’t want to be unsure in the middle of the crisis,” says Tandon.
  • Take inventory of your technology. Often, cities that have been hit with a cyberattack or cyberbreach scramble because they don’t have a full accounting of their technology and equipment. This is a mistake, says Reeder. Instead, make a thorough list of all the city’s technology and how it links up. “Do we have Dells or Macs; how is everything connected?” she says. Have the correct phone number for your internet provider readily accessible and put it in your IT incident plan.
  • Shore up your systems. “You want your systems to be as simple as possible with the smallest footprint,” says Reeder. If your IT team is swamped, consider bringing in an expert to identify system vulnerabilities and analyze risk before you finalize your plan. You may find you need to invest in new technology or tools, including a better back-up system. Monitor network traffic, consider implementing multi-factor authentication to increase security, conduct vulnerability scans, and install anti-malware software.
  • Prioritize city systems and services. Identify your most critical systems, those that must be restored immediately, then the ones that can wait a few days, and those that can wait even longer. “Prioritize functions so you have a plan of attack,” says Timmons. Adds Tandon: “If you can prioritize those elements that are more critical and life dependent, you can order your recovery and give clarity on what’s coming up when.”
  • Line up your experts and vendors. Get recommendations now for the vendors you may need to get your systems restored in the case of a cyberattack. Have vendors approved and onboarded so they’re ready to go. “You need to have some relationship now,” Timmons says. “If you try to find someone after something happens, it will take you twice as long to find them and cost you twice as much. You’ll have a hard time finding someone to come to your rescue.” Also, know exactly where you’ll buy new equipment following a ransomware attack if needed.
  • Know the exact steps you’ll take. Make a detailed list of the immediate steps you’ll take once you learn the city has been hacked. Who’s your first call; what’s their direct phone number? Who is responsible for making that phone call, and then who do they call next?
  • Run a tabletop exercise to test your plan. Some cities do a mock, tabletop exercise to test their IT incident plan, while others work with vendors to make the drill more life-like. Test your plan at least annually, Timmons says. “It’s like a fire drill,” she says. “It’s something you need to be able to pull out and execute.” Tandon says, “You practice, practice, practice, so on game day you go with your muscle memory.” If your test shows you’re not achieving the desired results, be ready to adjust your plan.
  • Educate employees with regular trainings. Parallel to your IT incident response plan, you should also conduct frequent cybersecurity awareness training with city employees, including how to identify and avoid phishing attempts. “The most common way hackers get into a system is careless users,” Timmons says. “They click on something they’re not supposed to.” Hold regular online trainings, like the KnowBe4 Security Awareness Training, which includes simulated phishing attacks.
  • Regularly update and revise your plan. Your IT incident response plan should be a living document. Update it if you add computers or put in new systems. If you had a cyberattack, make changes based on lessons learned. “Your plan should be tweaked anytime you have major change in function or in your physical environment,” Timmons says.

Finally, be mindful of where your plan lives. Your plan is no use if it’s stored on a computer that’s been locked by cyberattackers. Consider printing copies of the plan or storing it in a way that accessing it isn’t dependent only on city systems.

In a recent study Segal did for LMCIT, data showed Minnesota cities lag behind in being prepared. “We learned that so few cities have an incident response plan and it’s such an important piece,” says Reeder.

LMCIT plans to hire a cybersecurity expert to help members with their cyber needs and assist with coaching and training. Tandon says the more education and preparation, the better.

“It’s really just a part of your operational responsibility,” he says.

Deborah Lynn Blumberg is a freelance writer.