
Best Cybersecurity Practices For Municipalities

What are the best cybersecurity practices for municipalities?

With cyberattacks becoming increasingly sophisticated, proactive cybersecurity investment has never been more critical. This is showcased in the nationwide MNP Digital Municipal Research Report, which benchmarks digital transformation across municipalities. When looking at strategic priorities, both cybersecurity and privacy were identified as a primary focus for municipal organizations over the next three to five years.

The following best practices can help protect a municipality's technology, data, and information from threats.

Technological Advances in Local Governments

Despite limited cybersecurity budgets, more local governments are breaking new ground by deploying technology to better serve their residents. Cloud computing, mobile technology, and the Internet of Things have affected every industry and every government department.

Such technological advances are transforming the way municipalities provide services and streamline operations. The Government of Canada released the Digital Operations Strategic Plan: 2021-2024 to outline how the administration manages technology and technological change in government. The plan sets the digital direction for government departments, agencies, and officials, and establishes the government's integrated approach to digital transformation, service delivery, security, and IT.

Some of the recent improvements in digital transformation have focused on simplifying user experience for access to datasets held across different levels of government. Canadian territories and municipalities have created open data portals to allow users to access the data they need.

Cybersecurity in Municipalities

Massive cybersecurity incidents have been grabbing headlines over the past few years, with large corporations such as British Airways, Marriott, Facebook, Equifax, and eBay falling victim to data breaches affecting millions of people.

While most reported cyberattacks involve the private sector, cybercriminals also target the public sector. As municipalities digitize and integrate more services and IoT projects to access and process both open and confidential datasets, they have become a high-profile target for cybercrime.

Alongside the benefits technology brings to local governments, digital transformation activities introduce vulnerabilities that attackers can exploit to cause a data breach. Governments around the world frequently fail to implement sufficient security controls when connecting systems to a network or to the Internet. The resulting lack of adequate security protocols leaves municipal systems weak enough that attackers can take control of them, knock out public services, and steal confidential information.

The types of threats most frequently impacting the government sector include, but aren't limited to:

1. Ransomware Attacks

The Canadian Centre for Cyber Security issued a countrywide alert about Ryuk ransomware that was affecting multiple organizations, including municipal governments. In another incident, municipal employees in a region between Montreal and Quebec City found a warning message on their systems notifying them that hackers had locked all their files. The attackers demanded a $65,000 ransom from the regional county municipality of Mekinac.

Anonymous hackers launched a ransomware attack on Atlanta. The March 2018 incident deactivated online access, encrypted files, and demanded a $50,000 ransom in bitcoin in exchange for the decryption key. Eight thousand municipal employees eventually regained access to their systems, but residents could not use some digital services. The city government's desktops, printers, and hard drives returned to normal only after five days, and services such as online payment of water bills and traffic tickets were affected in the meantime. An article in The New York Times described the attack as "one of the most sustained and consequential cyberattacks ever mounted against a major American city."

Today, ransomware-as-a-service campaigns allow malicious cyber actors to launch large-scale attacks against municipalities.

2. Unpatched Devices

In recent months, the Canadian Centre for Cyber Security has discovered compromises that took advantage of unpatched devices exposed to the Internet. Victims reported the malicious activity to the Cyber Centre in June and July 2020. Cybercriminals carried out intensive reconnaissance-style scanning of the target systems, followed by the compromise of vulnerable and improperly secured servers and network devices.

Regulatory bodies impose heavy fines and penalties on organizations that fail to protect sensitive data. For instance, non-compliance with GDPR can result in fines of up to 4% of a company’s global annual revenue.

The financial consequences of unpatched software vulnerabilities can be staggering. Beyond the immediate costs of responding to a cyber attack, organizations may face long-term financial and reputational damage.

The cost of investigating, containing, and remediating a breach can be substantial. This includes forensic investigations, data recovery, legal fees, and customer notification expenses. Additionally, organizations may need to invest in additional security measures to prevent future incidents.

Furthermore, according to IBM’s Cost of a Data Breach Report 2023, the average cost of a data breach is $4.45 million, with a significant portion of that cost attributed to lost business due to reputational damage.

The reputational damage caused by a breach can be difficult to quantify but is often long-lasting. Municipalities that experience high-profile breaches may struggle to regain the trust of key partners, stakeholders, and residents at large.

3. Malware

Hackers install malware to compromise networks and infrastructure in municipalities. In some cases, cyber actors remained active on compromised systems for months before the victims detected their activities.

Cybercriminals spread different forms of malware, such as spyware, worms, keyloggers, and trojan horses, often delivered through watering-hole attacks, to infect systems and extract confidential information.

In essence, malware is software specially designed to attack, control, and/or damage security and infrastructure systems. It can, and does, affect both programs and specific devices.

The most common ways malware reaches systems in 2024 and beyond are:

  • Phishing: Threat actors pose as reputable individuals or businesses in order to influence their target into revealing confidential information.

  • Social engineering: Closely related to phishing, social engineering exploits human error and interaction in order to glean information from the target.

  • Drive-by downloads: Websites that host malware exploits can compromise a device or system with a single click.

  • Shared networks: When devices are connected to a shared network, a malware-infected device can spread the damage to other devices on that network.

  • Pop-ups: Both pop-ups and malicious advertisements can contain links or landing pages through which malware can infiltrate a device or system instantaneously.

There are currently over 678 million types of malware.

4. Business Email Compromise (BEC)

Attackers impersonate senior personnel, such as a municipality's mayor, and email lower-level employees asking them to transfer money or share credentials. In other cases, criminals spoof supplier emails and ask local governments to update banking information before settling pending invoices. In still other cases, threat actors impersonate employees and email HR departments requesting a change to payroll information.

Anyone can be the target of a BEC scam. Businesses, governments, nonprofits, and schools are all targeted, with these roles most often singled out:

  • Executives and leaders, because details about them are often publicly available on the organization's website, so attackers can pretend to know them

  • Finance employees such as controllers and accounts payable staff, who hold banking details, payment methods, and account numbers

  • HR managers with employee records such as social security numbers, tax statements, contact information, and schedules

  • New or entry-level employees, who are less able to verify an email's legitimacy with the sender
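As an added illustration of the three BEC patterns described above (this is example code, not part of the original post and not Packetlabs' tooling), the following Python triage flags the executive-impersonation, spoofed-supplier and payroll-change variants on constructed sample messages; the municipal domain, executive roster, approved supplier list and HR mailbox are all assumed values.

```python
"""Triage constructed inbound e-mails for the three BEC patterns described
above: executive impersonation, spoofed supplier banking changes and
payroll changes sent to HR. Added example, not Packetlabs' tooling; all
domains, names and mailboxes are constructed/assumed values."""
import re
from difflib import SequenceMatcher

INTERNAL_DOMAIN = "example-town.ca"                        # assumed municipal domain
EXECUTIVES = {"jane mayor": "jane.mayor@example-town.ca"}  # assumed roster of senior staff
SUPPLIERS = {"acme-roadworks.com"}                         # assumed approved vendor domains
HR_MAILBOX = "hr@example-town.ca"                          # assumed payroll/HR mailbox
MONEY_RE = re.compile(r"\b(wire|transfer|gift cards?|urgent payment)\b", re.I)
CRED_RE = re.compile(r"\b(password|credentials|login)\b", re.I)
BANK_RE = re.compile(r"\bbank(ing)? (details|information|account)s?\b", re.I)
PAYROLL_RE = re.compile(r"\b(direct deposit|payroll|pay ?cheque|paycheck)\b", re.I)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookalike(dom, known, threshold=0.8):
    """True when dom closely resembles, but is not, an approved supplier domain."""
    return any(dom != k and SequenceMatcher(None, dom, k).ratio() >= threshold
               for k in known)

def triage(msg):
    """Return the list of BEC indicators raised by one message (empty = clean)."""
    findings = []
    sender_dom = domain(msg["from_addr"])
    reply_dom = domain(msg.get("reply_to") or msg["from_addr"])
    external = sender_dom != INTERNAL_DOMAIN
    text = msg["subject"] + " " + msg["body"]
    # 1. A roster name on an external address (or an internal address redirected
    #    via Reply-To) asking for money or credentials.
    if msg["from_name"].strip().lower() in EXECUTIVES and (
            external or reply_dom != INTERNAL_DOMAIN):
        if MONEY_RE.search(text) or CRED_RE.search(text):
            findings.append("exec-impersonation")
    # 2. A near-match of an approved supplier domain requesting a banking change.
    if lookalike(sender_dom, SUPPLIERS) and BANK_RE.search(text):
        findings.append("supplier-banking-change")
    # 3. A payroll change sent to HR from outside the municipality.
    if msg["to"].lower() == HR_MAILBOX and external and PAYROLL_RE.search(text):
        findings.append("payroll-change-external")
    return findings

# Constructed sample messages: one per pattern plus a benign control.
SAMPLES = {
    "mayor_gmail": {"from_name": "Jane Mayor", "from_addr": "jane.mayor@gmail.com",
                    "to": "clerk@example-town.ca", "subject": "Urgent",
                    "body": "Please wire $50,000 to the account below before noon."},
    "supplier_spoof": {"from_name": "Accounts", "from_addr": "billing@acme-roadwork.com",
                       "to": "payables@example-town.ca", "subject": "Invoice 1042",
                       "body": "Before settling the pending invoice, update our banking information."},
    "payroll_hr": {"from_name": "Sam Clerk", "from_addr": "sam.clerk@outlook.com",
                   "to": "hr@example-town.ca", "subject": "Direct deposit",
                   "body": "Please move my direct deposit to the attached account."},
    "benign": {"from_name": "Jane Mayor", "from_addr": "jane.mayor@example-town.ca",
               "to": "clerk@example-town.ca", "subject": "Council",
               "body": "Reminder: the council meeting moves to 3 pm."},
}

def run_samples():
    """Triage every sample; returns {sample name: [indicators]}."""
    return {name: triage(msg) for name, msg in SAMPLES.items()}
```

In a mail gateway these indicators would route the message to quarantine or to a human reviewer rather than to the employee's inbox; the domain-similarity threshold and keyword lists are starting points to tune against the municipality's own traffic.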

5. Distributed Denial of Service (DDoS)

Attackers use bots and other malware to lock users out of essential municipal services. A classic distributed denial of service (DDoS) attack disrupts a municipal government's web services by temporarily blocking citizens' and employees' ability to transact online. In most instances, the DDoS traffic originates from a large number of infected devices spread across many organizations.

According to a recent threat analysis report, the global DDoS market is expanding at an alarming rate of 37% to 40%, with industries such as retail, healthcare, Internet service providers (ISPs), finance, and gaming coming under heavy fire.

Amid the surge in attacks, the DDoS protection market reached a valuation of US$1.88 billion in 2021 and will likely reach US$5.14 billion by 2027, a CAGR of 18.21% over the forecast period.

6. Social Engineering and Insider Threats

Threat actors use social engineering tactics such as phishing, eavesdropping, tailgating, spear phishing, baiting, and dumpster diving to trick unsuspecting employees into clicking malicious links, opening files containing malware, or sharing credentials.

These types of cyberattacks have massive impacts on local governments across Canada. Municipalities that have become easy prey for cybercriminals struggle to combat the highly sophisticated and frequent attacks. Meanwhile, reporting processes differ from municipality to municipality, making it a challenge for the public and private sectors to track and resolve the ramifications of a breach.

The Best Cybersecurity Practices for Municipalities to Follow to Mitigate Risk

There are numerous best practices municipalities can follow to mitigate both the risk and the ramifications of a successful breach.

1. Regularly Updating and Patching Systems

The Cyber Centre recommends that municipalities apply the latest security patches and operating system updates to devices on their networks immediately, and that they keep anti-virus signatures up to date.

Threat actors scan for outdated operating systems and other software to identify vulnerabilities they can exploit to gain access to critical systems and information. Municipalities should therefore raise awareness about the importance of installing updates on all devices and software as soon as vendors release security patches. Additionally, local governments should ban the use of software that its vendor has declared end-of-life.

2. Data Encryption

Local governments should encrypt sensitive government and personal information on all computer systems, drives, cloud servers, and end-user devices. System and network admins should deploy operating systems that offer encryption in addition to third-party cloud-based solutions.

Data encryption is important because it protects people's privacy and secures data against attackers and other cybersecurity threats. Encryption is often a regulatory requirement for organizations in sectors such as healthcare, education, finance and banking, and retail.

3. Awareness Training

All too often, cybersecurity strategies focus on preventing external threats from hackers, without addressing internal threats from malicious and non-malicious insiders. Indeed, employees and citizens play a critical role in helping to reduce organizational cyber risks. Several municipal associations, such as the Association of Municipalities of Ontario (AMO) and the Federation of Canadian Municipalities are now taking a proactive role in educating citizens about cyber risks.

Organizations must establish comprehensive cybersecurity awareness training and testing for municipal employees. Such a program equips users with relevant information they need to recognize cyber threats such as malware, phishing scams, and BEC. An effective security awareness training program incorporates procedures and policies to protect an organization by detecting potential threats and mitigating them. Municipalities seeking to ward off hackers while complying with regional laws must invest in employee security awareness training since trained employees are harder to deceive.

4. Installing Security Tools

Municipalities can install security tools such as intrusion detection systems and firewalls, which detect and protect against malware and phishing attacks by blocking user access to malicious links and attachments. Security appliances add a cost-effective, low-maintenance layer to the organization's cybersecurity footprint: they analyze traffic and block employees from reaching malicious sites.

That said, security tools alone cannot ward off sophisticated threats, particularly in the modern threat landscape.

5. Access Control

Municipalities should enforce access controls by minimizing the number of users with administrative privileges and by preventing employees from installing software on their devices without authorization. Municipalities should also establish and enforce a password management policy for employees and residents who access online services: users should create unique, hard-to-guess passwords for each account and device.

Since threat actors can crack passwords through dictionary and brute-force attacks, local governments should implement multi-factor authentication (MFA) wherever possible, especially on all internet-facing remote access systems. MFA is a security control that requires an additional proof of identity beyond the username and password.

6. Continuous Penetration Testing

Common recommendations for pentesting frequency range from continuous testing to every six months or once a year. The most important factor in deciding how often to test is not the industry you are in or the size of your organization, but the rate of change within your environment. A cloud-based organization that relies on multiple SaaS providers and changes its infrastructure frequently will need to test more often than a traditional organization with a static network.

Continuous penetration testing replicates the continuous attacks mounted against your web applications and IT infrastructure. Threat actors regularly probe organizations to uncover and exploit new vulnerabilities. By performing continuous penetration tests, vulnerabilities can be detected and remedied more proactively than with point-in-time security assessments.

Continuous pentesting begins with a baseline penetration test of the environment. While it resembles a traditional approach at this stage, it evolves into a mature and highly available security solution by incorporating an automated security monitoring tool that gives insight into the developing attack surface in specific parts of your environment.

Organizations can request an on-demand penetration test to validate risks or to test for new vulnerabilities resulting from a change in the environment, such as vulnerable container images.

It is critical to note that continuous pentesting does not mean a red team or testing team probes your environment around the clock. Such an exercise is neither cost-effective nor practical.

Continuous pentesting improves agility by harnessing automated security monitoring solutions, whose results can trigger on-demand pentests when risky changes occur in your IT environment.

7. Cybersecurity Policies and Procedures

Municipal governments should develop and document cybersecurity policies and procedures for all employees and citizens to follow. The government agency should share the documents with all covered entities that access municipal systems and networks.

Developing adequate policies and procedures requires proactive planning, risk assessment, and the definition of roles. An integral approach involves following industry best practices and frameworks such as the NIST Cybersecurity Framework (CSF) and ISO 27001 when developing cybersecurity policies.

8. Systems and Data Backups

Municipalities should put in place controls and solutions that take daily backups of critical systems to an offline and offsite data centre. They should also test those backups periodically to verify the integrity of the processes and information they protect.

An updated backup helps organizations avoid data loss if a catastrophic event such as fire, theft, server crash, or ransomware occurs.

9. Vendor Risk Management

Municipalities often outsource functions to third-party service providers. Some of the subcontracted activities include credit card processing, payroll services, and IT support. Improving cybersecurity posture in local governments requires adequate due diligence and risk assessment on all suppliers and contractors that have access to information and interact with municipal networks.

Part of vendor risk management should entail contractual obligations on suppliers, requiring security documentation and on-time patching of vulnerabilities.

10. Partnering with Qualified Ethical Hackers

Working alongside a team of cybersecurity professionals offers the tools and expertise needed to perform real-time analysis of immediate threats and implement controls to mitigate external and internal risks.

In 2024 alone, 40% of Canadian organizations have faced over 250 security-related threats, 73% claim that it takes over a week to recover from a cyberattack, and 62% say gaps in their in-house IT team's security skills reduce their ability to prevent cyber-related incidents. These statistics point to a rising trend where organizations of all sizes (and across all industries) are suffering avoidable financial losses as the result of preventable cyber breaches.

By investing in a quality cybersecurity team, you ensure that:

  • Cyber insurance requirements are not just met but surpassed

  • Threats are prevented before they occur, saving millions in financial and reputation-related damages

  • Quick engagement and steady communication are guaranteed

  • No outsourcing is being paid for: instead, highly specialized ethical hackers provide the most thorough pentest for your organization

  • No false positives are reported

Here at Packetlabs Ltd., we take cybersecurity beyond the checkbox. Packetlabs is a SOC 2 Type II accredited cybersecurity firm specializing in penetration testing services. To strengthen your security posture, we offer solutions such as penetration testing, adversary simulation, application security and other security assessments.

On top of employing only OSCP-minimum certified ethical hackers, the Packetlabs difference boils down to our 95% manual penetration testing. Instead of outsourcing our work or relying on automated VA scans, we guarantee zero false positives via our in-depth approach and passion for innovation: our security testing methodology is derived from the SANS Pentest Methodology, the MITRE ATT&CK framework for enterprises, and NIST SP800-115 to ensure compliance with the majority of common regulatory requirements. Our comprehensive methodology has been broken up based on which areas can be tested with automation and those which require extensive manual testing.

Conclusion

For municipalities, cyberattacks can halt operations, put residents' information at risk, and compromise critical infrastructure such as water, transport, and waste management. The problem is now at the forefront as municipal governments across Canada and the world fall victim to frequent and sophisticated cybersecurity incidents.

While there is no one-size-fits-all solution to cyber threats, there are best cybersecurity practices for municipalities that can make the difference between early detection and significant operational, reputational, and financial damages.
