Cybersecurity breaches are always bad, but without a management system they can turn into a catastrophe.
Take the plight of Lake City, Florida. It’s a small city about an hour away from Jacksonville, but it has big problems.
The city’s government was the victim of a ransomware attack in June and paid the crooks $460,000 to restore access to its systems.
That’s not unusual. More than 55 municipalities in the U.S. have been held hostage by ransomware attacks this year, including several in large cities like Baltimore, Albany, and Atlanta, 22 towns across Texas, police departments, and even school districts. Wolcott, Connecticut has been hit with ransomware attacks twice!
Many of them, like Lake City, paid large sums to the criminals, until a spate of attacks led to an emergency meeting in which mayors around the country agreed to stop paying ransoms. It was a humbling moment for those involved, as they learned that ransom payments, rather than solving the problem, had encouraged attacks on their colleagues and neighbors.
But who could have predicted this surge in attacks?
Employees at Lake City, apparently. Allegations have surfaced that the city’s senior officials were made aware years ago of the vulnerabilities exposed in the attack, but not only did the city fail to address the issue, it also fired the employee who identified the threat – blaming him for failing to prevent the attack.
Let’s take a look at how Lake City got into this situation and how implementing ISO 27001, the international standard for information security, could have prevented it.
Same old story
In many ways, the story of Lake City is typical. The attack occurred after employees in the city’s clerk’s office, water plant, and airport fell victim to a spear phishing attack.
This is a common method of ransomware delivery, consisting of well-crafted, targeted emails that trick employees into clicking a malicious link or downloading an infected attachment.
There was plenty to convince recipients that the emails were legitimate. They were personalized and referenced other employees by name – plus they weren’t flagged by the organizations’ spam filters.
But when employees clicked the link in the email, it unleashed the Ryuk ransomware strain on their organization’s systems.
This type of ransomware is used by the criminal gang Grim Spider and has more than $3.7 million
Lake City’s contribution was $460,000, which, fortunately for Lake City’s taxpayers, will mostly be paid for by insurance.
Sadly, the damages for Lake City don’t end there. Like many hack victims, the government tried to pass the blame, firing IT director Brian Hawkins for his inability to prevent the attack.
Hawkins contends that the city is responsible and is suing for damages. He claims to have recommended the use of a more secure Cloud backup system two years before the attack, but the city said it was too expensive.
Instead, it opted for a cheaper on-site backup system, which was compromised by the ransomware attack.
So what should Lake City have done?
Many firms and government entities look at information security solely as a tech problem, when it’s just as much a management one.
Had Lake City implemented ISO 27001, it would have had a documented a risk assessment process.
Everyone involved would have understood the consequences of a ransomware attack, and the city’s leaders would have had a better understanding of what was at stake and who was responsible.
They would also have had a clear incident response procedure that would have allowed them to react quickly to the situation and limit the damage.
If IT director Brian Hawkins is right, the city ignored advice and simply hoped that a cheaper alternative would be sufficient. But it wasn’t. Management were unprepared and ignored the advice of the person in the best position to know the solutions.
They never formally analyzed the problem. They never documented the process or the solutions or adequately prepared for an almost inevitable attack.
What ISO 27001 can do for you
ISO 27001 isn’t just a way to prove you’ve jumped through the requisite documentation hoops.
Rather, it instills a learning technique across all levels of your business. It helps staff better understand their information security requirements, and management make the right decisions based on empirical evidence.
The Standard can be adapted to any organization. You can find out more about the ways it can help yours with our ISO 27001 Expertise Bundle. This collection of four essential guides contains advice on:
- How ISO 27001 can help you identify risks your organization faces
- The business benefits of adopting the Standard’s requirements
- Persuading your board to invest in information security
- How to get started with implementing ISO 27001