A San Mateo County civil grand jury’s report prompted agencies across the county, including the city of Half Moon Bay, to protect their information technology systems against attacks.
The grand jury warned local agencies against the threat of ransomware, a specific kind of cyber attack that locks up a system until the victim pays a ransom. Such online attacks affected at least 10 agencies in San Mateo County, according to a 2019 county superior court survey. Elsewhere, the consequences have been severe — ransomware in Atlanta and Baltimore cost the cities over $17 million.
In response to the county’s request, the city reported having already taken some of the grand jury’s recommendations with plans to implement additional best practices in the coming months.
To date, the city has not experienced a hack attempt or any other serious compromise to its system, said Bryan Lopez, senior management analyst with the city’s administrative services department. Lopez said he was already in the process of improving the city’s information systems before the report. But the report served as a helpful confirmation that the city’s plans aligned with what larger agencies were doing.
“When it comes to the city, we’re obviously a smaller city so we don’t have a lot of things that are so proprietary that we have to worry so much,” he said. “But the risk is still there.”
Lopez said the protected data includes confidential legal documents and employees’ personal information.
City employees do encounter spam and some phishing emails, but Lopez said these are threats that can be addressed with effective filters and training.
A bulk of the improvements took place between February and September 2020, which was before the court came out with its list of recommendations on Oct. 7. Some of the changes were seemingly mundane, but important, including requiring stricter passwords and adding two-step authentication, which sends a passcode to a secondary device as a barrier against hackers who do successfully acquire someone’s login information.
Other changes involved switching to a safer email system and upgrading the city’s servers so that less time goes by between a system going down — potentially from a cyber attack or a power outage — and returning online.
Should it face a serious attack, like ransomware, Lopez said the city has a way to disconnect from its servers and turn to backup servers. That would disable any city business for a few hours.
“It wouldn’t grind the city to a halt, but it would be inconvenient,” said Lopez.
The grand jury report included a recommendation that agencies model their security plans after a template provided by the Federal Communications Commission, which Lopez said his office will consider implementing this year.