More state and local government employees are aware of ransomware’s threats than ever before, but training to guard against it — as well as funding to respond to cyberattacks — remains unchanged, according to a poll of government workers published Thursday by IBM Security.
The survey comes after a year that saw more than 120 cities, counties, towns and school districts fall prey to hackers looking for payoffs, who used viruses to lock up their networks and data. In total, 73 percent of 690 public-sector workers polled said they were concerned about ransomware threats to their organizations. But that level of worry is actually an optimistic trend, said Wendi Whitmore, IBM Security’s vice president of threat intelligence.
“It’s one of the top three things organizations are concerned about,” said Whitmore, who credited increased media reporting about ransomware attacks. Those include small incidents that only make local news, and bigger incidents — such as attacks against Baltimore, New Orleans or nearly two dozen communities in Texas — that earned national headlines.
“My parents, who are 80, know what it is,” she said. “If 70 percent of the organizations felt their cities are taking it seriously, that’s good.”
Yet government still lags in training its employees to protect their enterprises against ransomware. Just 38 percent of respondents said they received ransomware prevention training. Three-quarters reported having undergone some level of basic cybersecurity education, but only half described that training as “adequate.”
Although ransomware awareness might be up overall, it hasn’t corresponded with an increase in cybersecurity funding or preparations for dealing with attacks. Just over half of the 102 IT workers — 52 percent — who answered the survey said their budgets for managing cyber incidents had remained stagnant. Governments have also been slow to develop incident response plans tailored specifically to deal with a ransomware attack, but Whitmore said that’s not unique to the public sector.
“I think some of the numbers were low in general when it comes to cybersecurity training,” she said. “But actually having a ransomware playbook and response plan, that’s still a big gap for everyone. We have a board of advisers at IBM Security. We brief them quarterly and many of them are surprised to hear how much ransomware is impacting corporations, because it continues to morph, continues to be dynamic.”
Some state governments have incorporated cyberattacks into their emergency response plans — including Louisiana and Texas — but smaller organizations like cities, counties and especially schools do not have the resources to match that level of preparedness, Whitmore said.
The rate at which schools have been impacted by hackers has also shot up, the IBM survey found. The education sector was the seventh-most frequently targeted industry in 2019, up from ninth place. And the poll revealed much lower rates of ransomware awareness and training among public educators than their peers in other parts of government: Forty-four percent of school employees said they received no basic cybersecurity training, while 70 percent said they lacked adequate training on how to deal with a cyberattack.
Educators also expressed far less confidence in the ability of their employers to stop a cyberattack. While 74 percent of all respondents — including 82 percent of IT professionals — said they trusted their organizations could recognize and prevent an incident, only 54 percent of education employees agreed. That did not give Whitmore much hope, particularly as the spate of ransomware attacks against schools has continued into 2020.
“I imagine that is going to continue to grow,” she said, also conceding that schools are often the most resource-strapped public institutions. “I think it’s up to employees to have the responsibility to have some awareness to protect the environment, and that’s a gap the education system has more than other entities, to speak of resources. If I was to go into that environment and they told me they don’t even have a person responsible for security or the funding, it’s hard to say: ‘Make sure you have an incident-response plan.’”
The survey, which was conducted for IBM by The Harris Poll, also uncovered a few other bright spots. More than two-thirds of IT workers said their organizations keep backups, and vast majorities — including 73 percent of all respondents — said they would rather endure higher recovery costs after a ransomware attack than pay a hacker’s demand. (Some of those price tags have been very steep, such as the $18 million Baltimore expects to spend following an attack last May.)
And 72 percent said the federal government should play a role in helping local governments recover from cyberattacks, a figure that arrives when Congress is considering multiple bills that would offer cybersecurity funding to states and localities.
Still, Whitmore said the ransomware scourge against the public sector is unlikely to abate anytime soon.
“I think it’s going to continue to be an effective tool in a hacker’s toolbox,” she said. “It’s going to hit everyone, but governments are hit harder right now because their attack surfaces are wider, they have less resources and human resource dollars to work with.”