As many workplaces throughout the nation have shifted to video conferencing and online communications as a means to resume operations, the threat of a cyber attack increases.
According to a report recently published by the 2019-20 Santa Barbara County Grand Jury, Santa Barbara County as a whole is “woefully ill-prepared” to combat a cyber attack, which could cripple county services and its data systems and cost millions of dollars to repair and recover.
The Grand Jury issued its report April 20. The municipalities named include Santa Barbara County, the eight incorporated cities and other special districts within the county. Cyber attacks could include corruption or theft of data, denial of service, or even a complete destruction of critical data. In addition, attacks could include “subverting critical operations, such as water systems, electrical grids, and communication systems, and thus threaten public safety,” the report states.
The Grand Jury reviewed a number of news reports on cyber attacks that have occurred throughout the nation, including a ransomware attack in March 2018 that affected 424 software programs in the city of Atlanta, which refused to pay the ransom of $51,000 and cost the city $21 million to recover its systems. It also included an August 2019 attack that resulted in $4.2 million being stolen from the Oklahoma Law Enforcement Retirement System after an employee’s account was compromised. Locally, the report noted a January 20020 ransomware attack involving the Carpinteria Unified School District, which temporarily shut down the district’s networked computers and created $90,000 in damage.
In its report, the Grand Jury noted interviewing two experts on cybersecurity, a Certified Informations Systems Security Professional and a credentialed Independent Information Security Analyst. In addition, the Grand Jury attended an all-day Cybersecurity Summit at UCSB to go along with its other research of news reports and professional articles.
The Grand Jury conducted surveys that were emailed to local administrators and IT department heads, covering topics such as the nature of their systems, how they are administered, whether there is a written cyber security plan, as well as questions on system audits and cyber insurance.
“The responses to the Grand Jury’s survey showed most entities were deficient in one or more critical areas,” the report states. “Many of those surveyed reported that they had no cyber security plan, had never performed a security audit and carried no cyber insurance.
“Clearly, many public entities within Santa Barbara County are not fully prepared to withstand a cyberattack.”
The Grand Jury determined that cyber attacks and related threats are an “ongoing reality” and that all public entities within the county should take “prompt and aggressive steps to prevent significant disruption from these attacks,” the report reads.
As a result, the Grand Jury issued eight findings and 12 recommendations to prevent attacks. The recommendations included that each entity: designate an individual to be accountable and responsible to oversee cyber security; complete a full inventory of their data, electronic and communication systems and determine the related security risks; establish a written security plan; take substantial steps to protect data from internal or external attacks or threats; install, maintain and update all antivirus software and train employees and test the their cyber security awareness; implement a full backup and recovery plan and test that plan; secure adequate cyber insurance; and those who cannot allocate funds for cyber security development to develop a work group to establish best practices and share costs for education, expertise and insurance.
A request for response was sent to the following entities, which were asked to respond in 90 days: Santa Barbara County Board of Supervisors; city of Buellton; city of Carpinteria; city of Goleta; city of Guadalupe; city of Lompoc; city of Santa Barbara; city of Santa Maria; and city of Solvang.
“When cyber-attacks are successful, the costs to respond and recover can be in the millions of dollars,” the report read. “While some local public entities are taking steps to protect themselves from these risks, many are not adequately prepared.”