Cyberattacks pose growing threat
Chris White, the Beacon city administrator, is concerned enough about a cyberattack that he would prefer the city not be mentioned in a story about the threat.
For good reason, municipalities are reluctant to present themselves as a target, discuss their security measures or share how they responded to being held hostage by hackers or having data stolen.
The City of Newburgh learned in June how disruptive an attack can be. A “network security incident” disabled its ability to process payments for parking tickets, property taxes and services such as sewer and water.
Earlier this month, the Goshen school district in Orange County said it had been victimized by a ransomware attack, in which hackers hijack systems and demand payment to restore access. The district said the attack disabled computer, email and phone systems.
Every local government and school district, especially smaller ones without the staff and resources to adequately protect themselves, faces this potential for havoc. Along with demands for ransom, hackers could steal sensitive information about residents that is collected by every county, town and village.
Earlier this year, the security company Sophos released the results of a survey of 5,000 IT leaders in 14 countries for its annual report, The State of Ransomware in Critical Infrastructure. The survey included 300 school districts and 270 local or state governments; 80 percent of the schools and 69 percent of the municipalities said they had been hit by ransomware demands in the past year. Of those, 62 percent of the schools and 54 percent of the governments paid. Of those who provided numbers, schools reported paying an average of $7.5 million and governments $5.3 million to recover their data.
The FBI’s Internet Crime Complaint Center last year received nearly 27,000 complaints about cybercrimes in New York state, including online scams and data breaches, an 8 percent increase over 2022. Losses were estimated at $750 million.
The most common scam reported nationally are “phishing” emails, which hackers design to resemble official correspondence in an effort to get the recipient to enter log-in information or click links or open attachments that install malicious software that can take control of a computer.
These emails are the source of more than 90 percent of cyberattacks, according to the state Department of Homeland Security and Emergency Services (DHSES). More than 75 percent of organizations say they have been the target of phishing, and more than half of all emails are malicious, according to DHSES.
“It is a threat that keeps evolving and growing,” said Steve Oscarlece, the acting commissioner for the Dutchess County Office of Central and Information Services (OCIS). “There can be significant financial costs, as well as to their reputations, and the interruption of services.”
In June, more than 200 people representing over 100 organizations attended an annual cybersecurity summit that Dutchess and Marist College began holding in 2022. The panel discussions included representatives from the federal Cybersecurity and Infrastructure Security Agency and DHSES, which has an Office of Counter Terrorism and a Cyber Incident Response Team.
Attendees also witnessed a mock cyberattack staged by the Office of Counter Terrorism to illustrate how municipalities and organizations can respond.
Artificial intelligence tools like ChatGPT have made phishing attempts harder to identify because they eliminate telltale signs of fraud such as misspellings or grammar errors. “It’s made it easier for them to craft emails that look legitimate and are more likely to fool the recipient,” said Jacob Morrison, the deputy commissioner for OCIS.
At the same time, Morrison said, artificial intelligence is being used by organizations to bolster their defenses and by cybersecurity companies to improve the ability of software to detect attacks.
Other countermeasures include educating employees on identifying suspicious emails, keeping software up to date and ensuring data is encrypted so that, even if files are stolen, the thieves will be unable to access the information.
Email accounts that remain active after employees or other users have left organizations create vulnerabilities. Recent audits of the Beacon and Garrison school district IT systems by the state Comptroller’s Office each found unneeded active accounts that could be exploited by hackers. Both districts said the issue had been addressed.
“Education is the key by conducting regular training sessions using mock phishing attacks and teaching employees how to detect a fake email and, most importantly, avoid clicking on phishing links,” said Sue Downes, a longtime cybersecurity consultant who lives in Philipstown.
Protect Yourself
- Install security software, such as that offered by avg.com, to your computer. Its free version has basic functions and can be upgraded for a fee. Also enable “two-factor authentication” whenever it’s offered (i.e., you will need to request a code by text or email to log in to an account).
- Be cautious about any email that asks you to click on a link to update or verify information. By hovering your mouse over the link, you can see the address it will send you to. Better yet, go directly to the source. For instance, if an email arrives that appears to be from your bank, go to the bank’s website to log in, or call.
- Be especially cautious about emails that claim to have invoices or important documents attached. Antivirus software will usually flag these messages as suspicious or prevent malware from being installed but a better strategy is to go directly to the source if you have doubts.
- Back up your computer regularly so that it can easily be restored if damaged or seized by hackers. You can also encrypt your hard drive with programs such as BitLocker or FileVault to shield it from outsiders.
Newburgh, whose attack is the subject of a criminal investigation, reopened its offices a week after the incident. It offered residents a grace period to pay their bills without late fees.
In a statement on July 10, City Manager Todd Venning said security countermeasures that had been in place “allowed the city to quickly respond to and investigate this attack.” The investigation did not find evidence “that sensitive personal information for our residents or employees was impacted,” he said.
In Goshen, the school district was still addressing the attack as of July 18 and, in the meantime, had created temporary phone numbers for its agencies.
“It will never end, and we do our best to stay ahead of the bad actors,” said Steve Oscarlece at OCIS.