Cybersecurity a priority for all governments
The number of cyberattacks in the news seems likely to grow as we begin 2019.
The end of 2018 saw the theft of more than 500 million personal records from Marriott-owned Starwood, one of the single largest breaches of consumer data in history.
But such attacks are not confined to the private sector. This past September, the small regional county municipality of Mékinac, west of Quebec City, lost access to its servers as a result of a ransomware attack, which saw the municipality pay $30,000 in Bitcoin in order to restore access. Despite the payment, the region’s servers were disabled for more than two weeks. Several Ontario municipalities also were victims of similar attacks in 2017.
As citizens, we surrender a treasure trove of personal data to various government bodies, from social insurance numbers to our financial records to confidential property information. We expect they are doing everything in their power to protect it from theft or misuse. But municipalities are particularly vulnerable to cyberattacks, as they often lack the resources needed to defend against and respond to them.
Since the Mékinac attack, no public statement on the subject has been released by the Quebec provincial government.
Cybersecurity was not mentioned in the fall economic statement. Yet, since December 2017, the provincial government has pushed forward the Quebec digital strategy, which promises to improve the quality of life for all Quebecers through digital technology. This also includes ensuring all public records are online.
As a part of the broader digital strategy, we need to talk more about digital safety. Local governments should take Mékinac as an opportunity to shape the dialogue with the province on what is needed to help public sector bodies better protect citizens’ digital property.
There are steps that municipalities can take to spend taxpayer money more wisely.
Strengthen your best firewall, your employees: Within the public sector, there are hundreds to thousands of potentially vulnerable employees. There are also numerous departments that coexist on a shared network. Municipalities, as well as other levels of government, need to be aware of these weaknesses. Education is critical and, like fire safety, it should be seen as a mandatory training component for all public entities.
Be prepared to respond early and quickly: The fact that Mékinac employees were locked out of their servers for two weeks, despite paying ransom, demonstrates the costs of not being prepared. Hackers often access systems or servers months or even years before theft or ransom occurs. Identifying this initial threat from the very beginning is important. Municipalities must be ready and able to respond to attacks, from fixing system damage, to restoring operations, to rebuilding data files. Luckily, technology exists today that is affordable and can enhance threat monitoring capabilities and restoration for municipalities. However, an upfront investment will need to be made.
Municipalities also will need to consider how they will respond to the legal requirements of a cyberattack (mere hours after Marriott Starwood announced that its database had been breached, the company was hit with a class action lawsuit). With the stakes getting higher and cyberattacks getting bigger and more frequent every year, municipalities must take control of their own safety. However, they can’t do it alone. It is time for municipalities to start a conversation with the province (where the province takes the lead) on how to protect our public bodies and to make cybersecurity one of their new year’s resolutions for 2019.