Well, I don’t think we have to take up time convincing anyone that cybercrime is increasing and municipalities are attractive targets (after healthcare and education, local government is the most frequent target for cybercriminals, according to KnowBe4.com). What is mind-boggling is that the threats have morphed from being attributable to a lone computer genius in a back room somewhere into international gangs with names like Clop, Cuba, Royal, REvil, Evil Corp, and DarkSide. I mean, when all of this started, who would have thought that someone in a U.S. town or school office could be targeted by a Russian gang in cyberspace?! Well, they can.

All of this has spurred a more coordinated and collaborative approach to addressing cybersecurity at the federal, state, and local government levels, alongside private enterprise. At the end of last year, the 2023 omnibus spending agreement included $2.9 billion for the Cybersecurity and Infrastructure Security Agency (CISA), as well as $1.6 billion for the National Institute of Standards and Technology (NIST). What’s more, the federal Joint Ransomware Task Force (JRTF) was formed to combat the growing and ongoing threat of ransomware attacks.

We entered 2023 with $35.2 million in new funding to support New York’s statewide cybersecurity and use of shared services to identify potential security gaps (that’s in addition to the $61.9 million allocated for cybersecurity in the 2023 state budget). The State Division of Homeland Security and Emergency Services began creating a first-of-a-kind specialized industrial control system (ICS) assessment team to boost the security and resilience of critical infrastructure and manufacturing systems against cyberattacks.

With small businesses and municipalities at a disadvantage when it comes to standing up to cyber criminals, in March, the White House introduced the National Cybersecurity Strategy with an emphasis on the importance of industry and government cooperation. It notes:

“Malicious cyber activity has evolved from nuisance defacement to espionage and intellectual property theft, to damaging attacks against critical infrastructure, to ransomware attacks and cyber-enabled influence campaigns designed to undermine public trust in the foundation of our democracy.

Once available only to a small number of well-resourced countries, offensive hacking tools, and services, including foreign commercial spyware, are now widely accessible. These tools and services empower countries that previously lacked the ability to harm U.S. interests in cyberspace and enable a growing threat from organized criminal syndicates…Together, industry and government must drive effective and equitable collaboration to correct market failures, minimize the harms from cyber incidents to society’s most vulnerable, and defend our shared digital ecosystem.”

I’d say perhaps the author was watching a little too much Star Wars or Star Trek when that was written but, unfortunately, the situation really is that dire. Just consider what happened in Dallas, Oregon, and Oakland earlier this year.

IBM Security’s 2023 Cost of a Data Breach Report analyzed 552 data breaches across 17 industries and 16 countries and found phishing remains the top form of cybercrime, occurring 16% of the time. Compromised credentials came in a close second at 15% and cloud misconfiguration led to 11% of breaches. Data stored in public, private, or hybrid cloud environments were connected to 82% of breaches. Each public sector breach costs an average of $2.6 million. (Teale, Chris. “Public Sector Slow to Respond to Cyberattacks, Report Finds.” July 25, 2023. Route-fifty.com.)

According to Route-fifty.com, “IBM found that 19% of public sector agencies make ‘extensive use’ of security driven by artificial intelligence and automation, which can reduce staff workload, increase efficiency and save money. The company found that the approaches could save organizations in the public or private sectors around $1.7 million in data breach costs and 108 days in time identifying and containing a breach.’

“In addition to investing in automated security tools, IBM urged organizations across all sectors to build security into every stage of software development and deployment, modernize their data protection practices across the hybrid cloud, and understand their attack surface so they can be better prepared.”

All of this feels like we’re moving in the right direction. Still, just last week, Smartcitiesdive.com shared a warning from NY state officials that cyber threats to critical infrastructure are growing. So, this story will definitely be continued. In the meantime, an abundance of resources is available to support and guide New York municipalities’ cybersecurity efforts:

• Stop Ransomware Guide discusses how to prevent, protect, and respond to a ransomware attack.
• Cybersecurity Best Practices for Smart Cities highlights proactive opportunities to mitigate potential threats.
• Other CISA resources: 2023-2025 Strategic Plan, Shields Up Guidance For Organizations, and list of free tools and services.
• New York Joint Security Operations Center and Endpoint Detection and Response (EDR) Shared Services.
• New York Office of Information Technology Services Breach Notification and Incident Reporting.

While you focus your resources and time on cybersecurity, you can trust RBT CPAs to handle your accounting, audit, tax, and advisory service needs. To learn more, give us a call today.

RBT CPAs does not outsource work to any other country. All of our work is prepared in the U.S.A.