Crypto-ransomware attacks, in which software encrypts a victim’s data and the attacker then offers to sell the victim the decryption key, are costing police departments, educational systems, and critical municipal infrastructure time and money.
In the June Public Management (PM) magazine article “Growing Impact of Cybercrime in Local Government,” author Gerald Cliff of the National White Collar Crime Center (NW3C) provides examples of how attacks have affected local governments. He outlines these basic steps that can serve as the starting point for reducing an organization’s exposure to risk:
- Establish detailed policies that apply to Internet use. Encrypt emails and other content containing sensitive or confidential data. Enforce rules regarding access to personal social media accounts. Direct the IT coordinator to be responsible for the monitoring of all communications for malware. Control the use of personally owned devices that are able to access corporate resources.
- Implement best practices for user behavior. Employees must select passwords that match the sensitivity and risk associated with their data assets. Employee passwords not only must meet certain criteria pertaining to strength, but must also be changed on a regular basis. IT departments should be required to keep software and operating systems up-to-date to minimize malware problems. Employees should receive thorough training about phishing and other security risks, and they should be tested periodically to determine if their anti-phishing training has been effective. Employees whose duties involve off-site Internet access should be trained in best practices when connecting remotely, including the dangers of public Wi-Fi hotspots.
- Maintain a timely and complete backup of your critical systems.
- Regularly practice restoring your system from those backups.
The Intelligence and National Security Alliance (INSA 2013) recommends that a risk-reduction program include an insider threat component that includes, among others: organization-wide participation; an insider threat incident-response plan; protection of employees’ civil liberties and rights; and insider threat training and awareness.
A NW3C whitepaper, Cyberintrusions and Data Breaches, has more information on how to limit exposure to the threat of cybercrime. Results from ICMA’s 2016 cybersecurity survey are available here.