As cybercriminals intensify their attacks against municipalities, cities and towns are scrambling to protect themselves against crashed computer systems, data breaches and ransom demands for records taken hostage.

Against this backdrop, the city of Worcester has aggressively upgraded its cybersecurity efforts over the past year. Among other measures, it has hired a data security specialist and required cybersecurity training for all employees, said City Manager Edward Augustus Jr.

“The prevalence of online crime and data breaches is concerning, especially for municipalities,” he said. “With hacking schemes and technologies advancing everyday, we’ve made it a priority to put a plan in place that ensures the city’s data is as safe as possible.”

Criminals target municipalities for their citizen data, employee information and financial records, and recent cyberattacks against public agencies have forced municipalities to re-evaluate their procedures.

A ransomware attack disrupted Baltimore’s operations for more than a month this past spring and reportedly cost the city $18 million in lost revenue and system repairs. (Baltimore refused to pay a ransom.) In June, the city of Riviera Beach, Fla., had its insurance carrier pay roughly $600,000 to recover encrypted data from criminals.

Because municipal websites promote transparency by necessity, hackers can study those pages and pose as employees or vendors, said Eileen Cazaropoul, Worcester’s chief information officer.

“It’s very scary,” she said. “Cities and towns are prime targets right now. It’s like a treasure trove for cybercriminals.”

An attack on Atlanta in March 2018 that destroyed some city records and temporarily returned workers to pen and paper helped to persuade Worcester to commit funding to security upgrades.

“It kind of opened everyone’s eyes,” Cazaropoul said.

Since last fall, Worcester has tackled the problem from multiple angles. It hired a data security specialist to create a cybersecurity incident response plan, perform risk assessments, identify security best practices, and establish routine safety procedures. Cazaropoul said the city also received a $30,000 state grant, which funded a cybersecurity risk assessment this past June.

The city also hired a full-time cybersecurity awareness trainer and holds hour-long sessions for its 1,600 employees. In addition, the city learned recently that it will receive a state cybersecurity awareness grant, in the form of 1,800 technology licenses for additional online training. The extra 200 licenses will go to the School Department, Cazaropoul said.
The city will also create a web portal with training videos and computer safety procedures.

The city wants its departments to appoint “cyber champions” to distribute computer-safety information and help coworkers identify suspicious emails. Its technical services department circulates warnings about scams and reminds employees never to give out login credentials and personal information.

Worcester also wants to reward employees for doing the right thing, with prizes for reporting suspicious emails and an October lunch for the department with the best cybersecurity performance.

Worcester has company in these efforts. In March, Boston announced the appointment of its first chief information security officer.

As cities strengthen their defenses, however, Cazaropoul expressed concern about smaller communities with fewer resources. She recommends that smaller towns seek grants and free online training resources from sources such as the U.S. Department of Homeland Security.

Though Worcester hasn’t been attacked yet, it can’t afford complacency, she said; anyone can crash a system by having a bad day and clicking on the wrong link.

“It’s not a question of if you get compromised,” she said, “but when, and how well you’re prepared.”

Written by