In response to the second significant cyber attack in two-and-a-half years, Howard County is hoping a series of changes will better protect it from malicious strikes that have proved costly for governments across the nation.
The county's information systems director, Jeremy Stevens, recently outlined the financial toll this spring's attack took on the county and described the increased protection now afforded to the government’s online systems, which have so far avoided a disastrous, worst-case scenario.
But the risk remains.
It was April 17 when county officials revealed they were juggling the effects of a malware attack that left employees without Wi-Fi after a virus targeting personal financial information spread throughout the county system and across government buildings.
The malware was identified as TrickBot, which has been described by county officials as “a fast spreading worm that infects PCs looking for banking and online shopping credentials to compromise.”
It was the second attack in recent years and followed an incident in 2016 when Howard County had roughly 76,000 files encrypted by a ransomware strike.
Howard County, however, has now upped its investment into computer security, with a goal of staying enough ahead of the game to protect both taxpayers and county employees.
'A minimal cost'
Stevens, who confirmed that all malware has been removed and all county services are fully operational, said his office spent more than $4,800 in overtime, which he called the “majority of the cost” caused by the attack.
“The entire department worked pretty much non-stop to clean and restore the County systems,” he said in an email, noting that in April alone his staff put in roughly 122 hours of overtime.
Other costs, he noted, included the assistance of third-party vendors who consulted and assisted in cleanup, resulting in $1,730 in payment.
Ultimately the biggest ongoing cost will be the county’s new endpoint security provider, which Stevens said has an additional cost of roughly $20,000 each year.
The agreement, in part, includes software licenses and around-the-clock monitoring and response by a team of IT security professionals that in the event of another attack should limit the county's exposure.
Overall, 83 PCs had portions of their antivirus software disabled in April before IT was able to contain the malware, according to Stevens.
He said there were no breaches into the county’s financial or banking records, nor any breaches into employees’ personal banking or financial information.
One of the first things Stevens’ department did, in fact, was alert Treasurer Wes Reed about the threat, allowing him to monitor county accounts for unauthorized activity.
Reed – who called the timing of the attack during tax season “horrible” – previously said his office’s online payment options were never in jeopardy and remained 100 percent safe for residents.
He said the attack affected “only anything in-house.”
That in-house effect, however, also impacted things at the Howard County Courthouse.
Howard Superior Court 3 Judge Doug Tate said his court was unable to input data for a couple of days, leading to overtime and comp time taken by employees required to work around the obstacle of not having access to their regular systems.
The attack, he added, happened while the county was transitioning to the Odyssey case management system, a connected, statewide system that manages criminal and civil cases and has allowed the county’s courts to go paperless.
“So they were also being trained at the same time it was going down, so we kind of got a double hit there,” said Tate.
But it’s important, believes Stevens, to put Howard County’s situation in context compared to what has happened to other governments.
Examples include Riviera Beach in Florida, which paid hundreds of thousands of dollars to regain access to data blocked by a ransomware attack, and LaPorte County, which got hit by a cyberattack that even reached its backup servers.
Similarly, a ransomware attack in Madison County in 2016 cost that government nearly $200,000. The money included a ransom payment and contracts for security upgrades.
“With the recent malware attacks, such as LaPorte County paying a $130,000 ransom, or Riviera Beach paying a $600,000 ransom, I am grateful we were able to respond to the incident with such a minimal cost,” said Stevens about this year’s attack.
“The credit for this belongs with the IT department staff, Ryan McKay, Lloyd Deem, and Dean Whisenant. Without their efforts, the recovery could have cost the county much, much more.”
In hopes of thwarting future attacks Stevens said several changes have been made to reduce the county’s risk profile.
“The most significant change was switching to a different endpoint security solution,” he said.
“By going with an endpoint security as a service model, the county now has all systems monitored 24/7/365 by a team of IT security professionals, with incident response, backed by a $500,000 breach guarantee.”
Stevens added: “The service also utilizes a ‘Next Gen’ antivirus engine, using new techniques to stop malware before it can take a foothold.”
He said the county's former security measures "stopped a lot of it getting out of control" but called the new system "the modern way to do things, so to speak."
In addition, he noted, the county is working to install a new backup system that can restore services in hours, instead of days, and internal networking changes to allow production systems to remain online during network shutdowns.
He also said work is being completed on “an improvement to the email filtering system.”
Still, Stevens acknowledged, the best way to stop malware is to make users – in this case, county employees – aware of how not to be susceptible to digital attacks. He said security awareness training is ongoing, showing employees what to look for and how to respond.
That susceptibility was on display in the 2016 ransomware attack, which was caused when two emails, disguised as the same FedEx message, were opened by county employees two days apart, one in a work email account, the other in a personal account.
The emails told recipients that a package was undeliverable and provided an attachment for an invoice or certificate. Encryption of county files began once the attachment was clicked.
TrickBot, meanwhile, is traditionally spread by a hyperlink inside a Microsoft Word attachment; the identity of the “first click” that led to April's situation is “still being investigated,” remarked Stevens.
“If I could offer a simple tip for anyone wanting to protect their own computers, it’s this; If you ‘Don’t know, don’t click,’” he said.
“If you aren’t 100% sure that an email is legitimate, delete it. An email from someone you know, but looks weird? Call them and ask if they sent it. The worst thing you could do is click and find out.”
But the question remains: Why didn’t Howard County have this level of security before the April attack?
Stevens gave two reasons: new technology and new threats.
“Endpoint security as a service is relatively new, and we learn more as we talk with experts and security professionals in response to the malware incident. Every day hackers are coming up with new and creative ways to get around the best systems out there,” he said.
“We do our best to stay ahead. We have to be right 100% of the time, they only have to be right once. So as technology shifts, we must shift with it. Modern problems require modern solutions.”