Cities that refuse to pay cybercriminals a ransom can often end up paying more in recovery costs and lost revenue, says a new report by Deloitte’s Center for Government Insights.
It cites the City of Baltimore, which refused a US$76,000 ransom demand in 2019, only to incur more than US$18 million in recovery costs and lost revenue.
In 2019 alone, governments reported 163 ransomware attacks, with more than US$1.8 million paid in ransoms and tens of millions of dollars spent on recovery, a nearly 150 percent increase in reported attacks over 2018.
According to the report, "Ransoming Government: What state and local government can do to break free from ransomware attacks", refusing to pay a ransom may be the principled option, but it may also be far more expensive.
Srini Subramanian, a principal at Deloitte & Touche LLP, said that cities should live and plan with the reality that their critical systems and data will be attacked.
“Even with cyber-insurance and preventive measures in place, the growing frequency and sophistication of attacks calls for government entities to perform cyber health checks and revisit resilience strategies,” he said. “The effort more than pays off. Governments can be better positioned to defend against catastrophic events that are expensive to recover from and could impact public safety and trust.”
The study examines the rising trend of ransomware attacks on state and local governments and the dilemma of whether to pay criminals, weighed against the risk of losing access to critical data or the ability to deliver services.
It advises government organisations to take the following steps to secure their information technology infrastructure and improve resilience.
- Smarter systems architecture – Many state and local governments have deferred IT modernisation, which leaves them vulnerable.
- More prepared workforce – Governments should look to creative human capital approaches to train, retain and share more qualified cyber talent.
- Better cyber hygiene – Attention to details such as timely software patches and updates, regular system back-ups and ongoing training for all staff can help to reduce risk.
- Cyber insurance usage scenarios – Cyber insurance can be an effective strategy; however, governments that use it to fund ransom payments may unwittingly increase the incentives for criminals.
- Practised response – Governments should practise responding to cyber incidents through war games and simulations that involve business and programme leaders.