Cybercriminals are holding governments hostage more frequently, expanding their attack base, and asking for more money, according to "Ransoming Government: What state and local government can do to break free from ransomware attacks," a new report released today by Deloitte's Center for Government Insights. The study explores the rising trend in ransomware attacks on state and local governments. It also discusses the dilemma of paying or not paying criminals, with the risk of losing access to critical data or the ability to provide services. Government organizations can take simple steps to secure information technology infrastructure and improve resilience.

"State and local governments should live and plan with the reality that their critical systems and data will be attacked," said Srini Subramanian, principal, Deloitte & Touche LLP, and cyber state and higher education sector leader. "Even with cyber-insurance and preventive measures in place, the growing frequency and sophistication of attacks calls for government entities to perform cyber health checks and revisit resilience strategies. The effort more than pays off. Governments can be better positioned to defend against catastrophic events that are expensive to recover from and could impact public safety and trust."

In 2019 alone, governments reported 163 ransomware attacks with more than $1.8 million dollars in ransoms paid and tens of millions of dollars spent on recovery costs, a nearly 150% increase in reported attacks from 2018. According to the report, refusing to pay ransom demands may be the principled option, but it also may be far more expensive. For example, the city of Baltimore refused a $76,000 ransom demand, only to suffer over $18 million in recovery costs and lost revenues.

Sensing the vulnerability of state and local governments, criminal enterprises are demanding nearly 10 times what they demand from commercial entities. To combat this growing risk, the report outlines several key considerations for organizations to move forward in this new reality.

Smarter systems architecture – Many state and local governments have deferred IT modernization, which leaves governments with increasingly vulnerable networks and systems.

More prepared workforce – Governments should look to creative human capital approaches to train, retain and share more qualified cyber talent as well as private-public-higher education partnerships to effectively tackle cyber security.

Better cyber hygiene – Attention to details such as timely software patches and updates, regular system back-ups and regular training for all staff can help to reduce risk. Organizations also should look to compartmentalize data and develop air-gapped system back-ups to limit the scale of a breach.

Cyber insurance usage scenarios – The use of cyber insurance can be an effective strategy for governments to contain the cost of attacks. However, those that use cyber insurance to fund ransom payments may unwittingly increase the incentives for criminals by increasing the likelihood of a big payday. Build scenarios for when to leverage cyber insurance.

Practiced response – Governments should practice responding to cyber incidents with wargames and simulations, involving business and program leaders so they understand the threats and their roles in response and recovery.

"Connected devices, digital systems and integrated data mean governments have the opportunity to serve people and communities like never before," said Deborah Golden, principal, Deloitte & Touche LLP, and cyber risk services leader. "It also means there is a large surface for cyber criminals to attack local governments and hold sensitive citizen data hostage. Government officials need to understand the risk involved if their systems and data were suddenly gone or rendered useless."