HD4 - Ransomware Study Report (HJR 64, 2020)

Executive Summary:

Ransomware is a type of malicious software that infects a system or device and denies the owner or administrator access until a ransom is paid. Infections typically occur via phishing emails, poorly secured networks and services, or vulnerabilities in infected websites.

Ransomware can be devastating to an organization, and government entities are frequent targets. Recovery after a successful ransomware attack can be a difficult process. The services of a data recovery specialist may be needed. Even when victims pay to recover their files, there is no guarantee that they will recover their files and avoid further problems. Although the financial costs of ransomware are often significant, direct costs alone are not the extent of the risk – loss of data, organizational trust and credibility can occur.

Key takeaways and recommendations

Improve cybersecurity programs to target the reduction of ransomware risk. The data and analysis indicate that work needs to be done at both the state and local levels to reach the program maturity levels needed to avoid infection and mitigate its effects.

Establish reporting requirements and accountability for the effectiveness of information security programs for all government entities. The data collected shows an extremely concerning lack of maturity in cybersecurity programs in localities and other organizations. The dramatic increase in ransomware infections at the local and school level reflects the large number of insufficient security programs. The analysis of the data indicates that cybersecurity programs and the resources needed to address deficiencies in those programs are not prioritized.

Establish formal security incident reporting requirements for all government entities. In order to understand and identify how to respond to security incidents, it is necessary to know that incidents are occurring. Requiring the reporting of security incidents will help to identify what steps are necessary to mitigate cyber threats such as ransomware.

Increase cybersecurity resources (human and financial). Unsurprisingly, the biggest challenge for organizations is funding and personnel for preparedness and response. Introducing options for cost-sharing services and funding to implement security programs is essential. If possible, tying funding to maturity, sustainment of a program, and reporting to an independent party would help the programs progress. For several years now, Commonwealth policymakers have recognized the challenge of growing and developing Virginia’s cybersecurity workforce. This year, the Governor’s introduced budget adds three security positions at VITA to support state cybersecurity: two security incident personnel and a cloud security architect. Efforts to increase the number and capabilities of cybersecurity personnel must continue, and state and local governments must be able to hire and retain capable and qualified personnel.

Establish a designated body to handle cybersecurity incident reports for all government entities. When an organization is compromised, the Commonwealth is often not informed about the event. This results in the state not being aware of the impact to critical infrastructure, state technology or other connected systems associated with a compromise. Establishing a reporting body will allow stakeholders to have insight about incidents involving government systems and improve the incident response outcome.

Increase cybersecurity training for all personnel. It is essential to establish a culture of cybersecurity and preparedness. Doing so will drive awareness of foundational cybersecurity concepts, common cyber threats, and how to respond appropriately to suspicious activity. Training that is reinforced frequently and engages personnel on an ongoing basis is effective at developing a culture of cybersecurity awareness. For example, a program that simulates phishing and tests employee responses regularly will be more effective than a once-a-year webinar.

Invest in current, manageable cybersecurity technology and practices. Achieving and maintaining current technology is an ongoing challenge for state and local government, but key security measures and technology are critical in preventing and responding to ransomware. Continuous network monitoring, regular vulnerability assessments, tested backups, and good authentication and permissions practices contribute to a strong cybersecurity program. In this complex, interconnected age, cybersecurity cannot be achieved by simply installing anti-malware software.

Improve the sharing of information and resources available to localities. Local governments and school systems need assistance when preparing for and responding to ransomware. Providing them with information on available state, federal and industry resources can ease the burden and improve security. Educating local governments and school systems will provide the knowledge necessary to prevent attacks as well as shorten the time frame for recovery if compromised. State and local governments can make a more secure environment by working together.