Last year, municipalities across the country experienced an increase in ransomware, a type of malicious software designed to block access to a computer system until a sum of money is paid.

In 2019, the U.S. was hit by ransomware attacks that impacted at least 966 government agencies, educational organizations and health care providers, Emsisoft Malware Lab reported, at a potential cost in excess of $7.5 billion.

At least one in six communities in Massachusetts has been infected by ransomware, according to a survey conducted last year by Boston’s NBC 10, with more than 260 cities and towns responding. At least 10 of these municipalities made cash payments, many in the form of bitcoin, an encrypted, digital currency that is almost impossible to trace. The ransom payments ranged from $300 to more than $11,000.

CSO Magazine reported in March that 94% of malware is being delivered via email, phishing attacks account for more than 80% of reported security incidents, and 60% of breaches involve vulnerabilities for which a patch was available but not applied.

Cybersecurity resources and planning
Lack of funds or resources are often given as reasons that cities and towns are not prepared for cyberattacks, but many security measures can be implemented easily at minimal cost. Many resources are available for free to assist municipalities in their cybersecurity efforts.

The Baker-Polito administration has focused on filling the funding gap and the informational resource deficit for municipal cybersecurity since 2017, when the governor filed legislation to establish the Executive Office of Technology Services and Security. In April of last year, Gov. Charlie Baker filed a bond bill that dedicated $140 million to cybersecurity across the state.

Massachusetts is also one of seven states that is receiving cybersecurity assistance from the National Governors Association to bolster the security of critical infrastructure, among other objectives.

The Cybersecurity and Infrastructure Security Agency, Multi-State Information Sharing and Analysis Center, National Governors Association and the National Association of State Chief Information Officers have called for all levels of government to focus on the following three areas:
1. Back up your systems daily.
2. Reinforce basic cybersecurity awareness and education.
3. Revisit and refine cyber incident response plans.

Strong defense with cyber response plan
The MassCyberCenter, a division of the Massachusetts Technology Collaborative, partnered with the Massachusetts Municipal Association to send out a survey last October asking the state’s 351 cities and towns if they have a cyberattack incident response plan in place. Only 76 municipalities responded, and, of those, only eight reported having a plan in place.

This year, the MassCyberCenter is creating training materials regarding municipal cyber incident response plan development and will host workshops across the state for municipalities to build cohesive cyber incident response plans.

One of the first steps toward improving cybersecurity and developing an incident response plan is to identify areas of vulnerability. Municipalities are advised to conduct a comprehensive risk assessment across all departments, identifying potential risks, exposures and areas for improvement in order to have a complete picture of any potential security gaps.

An incident response plan should address issues like cybercrime, data loss and service outages, among other impacts that can threaten to disrupt daily municipal operations. Information on developing these plans can be found on websites of the MassCyberCenter and the Cybersecurity and Infrastructure Security Agency.

The U.S. Department of Homeland Security also offers a digital toolkit for small businesses, educators, and governments on how to strengthen their security efforts.

Education and awareness
Employees are often a weak link in the defense against cyber incidents and are a frequent target of phishing emails, which are designed to get them to release sensitive information or click on a malicious link. With regular training on cybersecurity best practices and potential scams, however, employees can also be the first line of defense against such intrusions.

MassCyberCenter Director Stephanie Helm offers the following guidance for municipal leaders:
• Clearly articulate the importance of maintaining cybersecurity best practices during remote operations.
• Keep in contact with employees to ascertain how things are going from a technical perspective.
• Encourage “see something, say something” to promote cybersecurity vigilance.
• Engage your IT team early to support hardware, software and licensing requirements.
• Remind users that public records requirements are still valid for municipal business done remotely.

The MassCyberCenter’s employee guidelines include the use of government-issued devices that are compliant with municipal IT systems and applications, and avoiding the use of personal email accounts, instant messaging or texts to conduct municipal business.

It is also important for employees to use strong password management, avoid clicking on suspicious links, and be alert for social engineering scams.

Additional resources
Municipal leaders are advised to speak with their insurer about additional resources and services to help manage cyber risks. MIIA offers CyberNET protection that includes access to expert cyber risk advisors, 15 online training courses available 24/7, sample cyber risk policies and procedures, and guidance with sample contract provisions that can be added to vendor agreements to reduce cyber risk exposure.

For more information on MIIA’s cybersecurity training, visit

Written by Lin Chabra, MIIA Member Training Manager.