June 19, 2018

Last Updated on January 13, 2024

For the last 20 months or so, we’ve worked with nearly 200 government municipalities on cyber loss control projects, now largely completed. Data security is a major concern for many municipal governments, so in this post—the fourth in our Cyber Security Foundation for Municipal Government series—we would like to explore the key controls municipalities need to combat malware—especially ransomware—and social engineering attacks.

Local Government is Vulnerable

Let’s start with a wakeup call. Knowing them to be vulnerable, hackers are specifically targeting municipal governments and K-12 schools for ransomware attacks. Consider these statistics:

How to Avoid Attacks

What can you do to keep your municipality safe? While the spectrum and number of attacks is vast, you can dodge almost all of them by doing these four things consistently:

  1. Ensure all systems are patched.  Windows update will handle most things but also be sure to update Chrome, Firefox, Adobe, etc.
  2. Ensure systems are configured optimally Keep antivirus software up-and-running and up-to-date on all your computers. Enable click-to-play plugins in all your users’ web browsers to keep Flash, Java and other plugin content from running automatically as soon as a webpage opens. This makes it easier to block malicious malvertising ads that can scare or dupe users into downloading malware. (It can also improve page load times, reduce CPU usage and conserve download bandwidth.)
  3. Minimize admin level access on desktops.
  4. Have recent backups.  Ransomware is nothing more than a nuisance if you have recent backups.
  5. Have a basic Incident Response Plan.  Ensure users and your IT teams know what to do if and when something goes wrong.
  6. Educate your users so they don’t fall victim to phishing emails! Many such emails have “telltale signs” that can put users on alert, such as:
    • They have to do with money.
    • They make you an offer that’s too good to be true.
    • They bring up “urgent issues” to trick users into making hasty decisions.
    • They request personal information.
    • The “To” line isn’t addressed to the user specifically.
    • There are misspelled words, bad grammar and other mistakes.

The graphic below illustrates what a typical phishing email looks like.
A phishing email screenshot highlighting incorrect from address, improper greeting, urgency, excessive hyperlinks, and a "show me the money" attitude.
To get help dealing with a ransomware or malware attack right now, or for expert advice on next steps to keep your municipality safe from cyber threats, contact Pivot Point Security.
We also invite you to download our free eGuide, “Cybersecurity Foundation for Municipal Governments.”
In our next post, we’ll blog on cyber awareness education: what it is, how it works and why it’s so important for municipal organizations. Until then… stay tuned and stay safe!


Ongoing Series: Cyber Security Foundation for Municipal Governments

We are overviewing this foundational cyber security guidance for municipalities in a series of blog posts. The full list of topics we will be covering includes:

  1. Covering the bases
  2. Password management and access control 
  3. Backup and encryption
  4. Malware and social engineering attacks  (CURRENT POST)
  5. Cyber security awareness education
  6. Contingency planning: Incident response, disaster recovery and business continuity
  7. Vendor risk management
  8. Patching and other “technical controls”