Mr. Fouse is a Partner and Lead Strategist with Pinkston, a Washington, D.C.-based strategic communications firm.
The coronavirus pandemic took almost everyone by surprise. But while both the public and private sectors have been focused on containing the virus, cybercriminals have been using it as an opportunity to exploit long-standing weaknesses in cybersecurity infrastructure.
Not long after the outbreak first took hold, dozens of hospitals, medical labs and health care organizations in the U.S. and abroad were the victims of ransomware attacks. At around the same time, the FBI’s Internet Crime Complaint Center began receiving 3,000 to 4,000 daily cybersecurity complaints — a more than threefold increase from the 1,000 daily complaints it was receiving prior to the pandemic.
And today, with more Americans working from home, cybersecurity risks are at an all-time high. A slew of recent phishing attacks appeared to specifically target remote workers, preying upon the COVID-19 moment to steal, hack and install malware. Google revealed in mid-April that it had identified “18 million daily malware and phishing emails related to COVID-19.”
The truth is that many of us weren’t prepared for this kind of cybercrime before the pandemic, and we aren’t now.
In a report released on March 11, the U.S. Cyberspace Solarium Commission (CSC) revealed the full extent of America’s cybersecurity vulnerabilities. According to the CSC, the costs of cybercrime are only increasing, and a concerted cyberattack on America’s infrastructure could be devastating.
One particularly alarming threat looms large: the threat of ransomware platform takeover at the governmental level. Cybercriminals are more than willing to use malicious ransomware software to capture governmental IT networks and hold them hostage.
Before the pandemic, attacks like these were already increasing in prevalence and impact. A 2016 survey by the International City/County Management Association and the University of Maryland, Baltimore County, found that 26% of the local governments surveyed reported cyberattacks as occurring at least as often as once per hour. In 2019, cybercriminals used ransomware to attack 113 state and municipal governments and agencies.
Even small towns are at risk. Over the course of just a few months last summer, 22 towns in rural Texas fell prey to a single ransomware assault.
Hackers appear to preferentially target these public or public-facing entities because they have a lower risk tolerance and are often especially vulnerable to attacks and likely to pay the ransom. And with most local and municipal governments currently occupied with the coronavirus, they’re likely more vulnerable now than ever.
How can state and municipal governments and agencies get ahead of the problem?
The first step is obvious. The FBI recommends as a minimum that they keep all their systems up-to-date and employ airtight cybersecurity protocols.
What is often not as obvious is the role strategic communications can play in effectively preparing for and managing cybersecurity risks.
Cybersecurity requires proactive, offensive planning on all fronts. That means state and municipal governments need to put the best communications practices in place, both to maintain information flow before a cyberattack and to deploy the right crisis communications strategy for handling the aftereffects of an attack.
I think the 2019 ransomware attack on Baltimore is an excellent example of a situation that perhaps could have been avoided through better communications practices. Two elements of this situation stand out to me:
First, Ars Technica reports that several sources said the initial breach was the result of a phishing attack on a city employee. There is no perfect way to prevent employees from engaging in risky digital behaviors, but this is a common entry point for attackers, and a breach of this sort to me suggests poor communication of security expectations, implications and potential repercussions.
Second, city officials seemed to struggle to meaningfully communicate the extent of the damage and put into place a viable plan of action after the cyberattack. The administration was subsequently accused of “not maintaining adequate lines of communication during and after the crisis.”
Action during a crisis is difficult because the “noise” level increases dramatically, so having a plan in place, not just for technical solutions but communication, is critical. Without it, recovery efforts and public confidence are hindered.
Here are some key communication takeaways for state and municipal governments and agencies to consider.
1. If you’re planning to do a system upgrade, take the time to convey executive-level buy-in and get the support of organizational stakeholders. This is change-management management. Organizationwide system upgrades can be slowed, halted or stopped altogether if you don’t effectively engage and communicate with key people.
2. Make sure you clearly communicate the what and why of safety protocols. A common internal communications mistake is telling people what safety protocols to follow (such as, “Don’t click on links in emails from unknown senders”) but failing to give sufficient explanation about what can happen if they don’t. Understanding that 90% of data breaches are due to human mistakes helps, but knowing that one employee error can cost hundreds of thousands of dollars, put jobs at risk, expose private customer data and more can help employees connect the dots between cause and effect.
3. Have a communication crisis plan in place before a crisis hits. You can’t predict every possible scenario, but you can have a framework in place and a team that’s prepared to engage. This will guide you and help ensure that your communicating and problem-solving efforts are more proactive and effective.
In a crisis situation, prepared and practiced communications protocols are indispensable. In the private sector, effective communications are key both to recovery and to preserving brand reputation. In the public sector, crisis communications serve a similar purpose of speeding recuperation and preserving public trust and confidence.
Healthy, effective internal communications provide a vital line both to prevent and defend against damage from a cyberattack. The best cybersecurity plan should take communications into account. Today, the stakes are too high to do otherwise, especially when so many lives depend on state and local governments meeting the unprecedented challenges of a post-pandemic world.
Is your business effected by a COVID-19 / Coronavirus related Cyber Crime?
If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Contact Digitpol’s hotlines or respond to us online.
Digitpol is available 24/7.
UK +44 20 8089 9944