I do a lot of work for municipalities – cities, towns, and county governments – and I’ve concluded one thing: I don’t envy those in charge of their IT and security. Apparently, municipal hacking is all the rage. At least that’s what the media is currently portraying. For example, it’s on the front page of today’s New York Times:
The hacking of cities was featured in the Wall Street Journal not long ago:
Hackers Won’t Let Up in Their Attack on U.S. Cities
How about the absurdity of Riviera Beach, FL paying a $600,000 ransom!? Not unlike the incident that crippled my metro hometown, the City of Atlanta, last year.
A simple Google search of “cities getting hacked” yields tons of similar stories…
These headlines beg the question of why all of this is happening to municipalities – seemingly all of a sudden. Are they that much of a target? Do they have that many vulnerabilities? Can their security be so weak that the criminals know that’s where the payoff will be? Yes, yes, and yes. But why is it we’re just now hearing about it? Well, first off, it’s somewhat of a new and unique story. That sells ad space and is good for many involved on the other side of the equation. Still, these breaches are no different than what’s happening to corporations and other types of organizations (11.6 billion records exposed since 2005!…and that’s only the tip of the iceberg given what’s not discovered and what’s not reported).
Understanding why municipalities are getting hit so hard is actually not that complicated…It’s more of a “people” problem than anything else. It’s what the late Jim Rohn once said:
“Failure is not a single cataclysmic event. You don’t fail overnight. Instead, failure is a few errors in judgment, repeated every day.”
To explain further, I want to point you to a new article of mine that was just published in the August 2019 edition of the Arkansas Municipal League’s City & Town magazine…just click the link below and go to page 22 of the PDF.
Here’s another piece I wrote 6 years ago that delves into this topic, including common vulnerabilities I see when performing vulnerability and penetration testing and overall security assessments for local government agencies:
Don’t be fooled…whether you work for a municipality or you’re a citizen concerned about the privacy and security of your personal information, there’s always an explanation for why these cities keep getting hacked. It’s not some magical formula for a threat that’s unique to these targets…even if the headlines make it seem that way. It’s always the good, old-fashioned security basics that everyone keeps missing – even the big corporations and federal government agencies we assume are resilient to such attacks.
Municipal leaders: Pay attention. Address these essentials now or be doomed forever to suffer this fate.