The Federal Bureau of Investigation (FBI) has issued recommendations local governments can use to help protect against ransomware attacks.
The FBI notes that ransomware attacks on local governments have disrupted services and pose risks to public safety, in addition to causing financial losses. Incidents reported to the FBI during 2021 indicated that local governments had the second-highest number of attacks, behind education.
FBI recommendations for local governments include:
- Create contingency plans: Plan for how to keep operating if a ransomware attack makes systems inaccessible. Examples include re-routing emergency communications of local dispatch centers, providing alternative communication mechanisms for residents and personnel (if systems typically rely on electronic communications or VoIP), and establishing alternative methods to conduct administrative services (such as bill pay, reporting on utility issues, etc.).
- Keep all operating systems and software up to date: Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end-of-life (EOL) notifications, and prioritize patching known exploited vulnerabilities. In cloud environments, ensure that virtual machines, serverless applications, and third-party libraries are also patched regularly, as doing so is usually the customer's responsibility. Automate software security scanning and testing when possible.
- Implement a user training program: Training programs, such as phishing exercises, help raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spear phishing emails.
- Require multi-factor authentication (MFA): Use MFA for as many services as possible, particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
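The patching recommendation above combines two checks, EOL status and known exploited vulnerabilities. The following is an added example, not part of the FBI notification, showing one way to turn both into a patch work queue. The host names, the `CVE-EXAMPLE-*` identifiers, the 180-day warning window, and the priority order are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed placeholder IDs, not real CVEs. In practice this set is loaded
# from a known-exploited-vulnerabilities feed your organization trusts.
KNOWN_EXPLOITED = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003"}
EOL_WARNING_DAYS = 180  # assumed planning window, tune to your change process

@dataclass(frozen=True)
class Asset:
    host: str
    eol: Optional[date]          # vendor end-of-life date, None if none announced
    open_cves: Tuple[str, ...]   # unpatched findings reported by the scanner

def triage(asset: Asset, today: date) -> Tuple[int, str]:
    """Return (priority, action); a lower priority number is handled first."""
    past_eol = asset.eol is not None and asset.eol <= today
    exploited = sorted(set(asset.open_cves) & KNOWN_EXPLOITED)
    if exploited:
        # EOL software gets no vendor fix, so the action changes from patch to replace.
        fix = "upgrade or isolate (past EOL)" if past_eol else "patch now"
        return 0, f"{fix}: {', '.join(exploited)}"
    if past_eol:
        return 1, "past EOL: upgrade or isolate"
    if asset.open_cves:
        return 2, "patch in next maintenance window"
    if asset.eol is not None and (asset.eol - today).days <= EOL_WARNING_DAYS:
        return 3, "EOL approaching: plan migration"
    return 4, "up to date"

def patch_queue(assets, today: date):
    """Sort the inventory into a work queue of (priority, host, action)."""
    return sorted((p, a.host, act) for a in assets for p, act in [triage(a, today)])

# Constructed sample inventory for a small municipality.
INVENTORY = [
    Asset("gis-ws", None, ()),
    Asset("utility-portal", None, ("CVE-EXAMPLE-0002",)),
    Asset("hr-fileserver", date(2024, 9, 1), ()),
    Asset("billing-web", date(2023, 1, 1), ()),
    Asset("legacy-vpn", date(2022, 6, 30), ("CVE-EXAMPLE-0003",)),
    Asset("dispatch-cad01", None, ("CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002")),
]

if __name__ == "__main__":
    for priority, host, action in patch_queue(INVENTORY, date(2024, 6, 1)):
        print(priority, host, action)
```

Hosts that are both past EOL and carry a known exploited finding land at the top of the queue with a replace-or-isolate action, because no vendor patch will arrive for them.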
For more of the FBI's recommendations, see its Private Industry Notification.