The municipality of WestLake-Gladstone in Manitoba suffered a loss of over $450,000 as a result of a series of cyberattacks in December 2019 after one of its employees opened a malicious link in a phoney email.
Saint John, New Brunswick spent $2.9 million in November 2020 updating its website after scammers gained access to the network of the municipality.
In January 2021, numerous gigabytes of private information were stolen and ransomed in Durham Region, Ontario.
Wasaga Beach, Ont., Midland, Ont., Stratford, and other communities have all been the target of cyberattacks in the previous four years, to name a few. Scams and fraud increased by 130% between 2020 and 2021, costing Canadians an estimated $379 million, according to the Canadian Anti-Fraud Centre (CAFC).
“Municipalities are a very good target for bad guys,” says Ali Ghorbani, a cyber security professor at the University of New Brunswick and the director of the Canadian Institute for Cyber Security.
As per Ghorbani, municipalities are appealing since they deal with financial resources that are far larger than those of an individual and frequently top millions of dollars. Through services like bylaw, permitting, and others, they also store the private information of residents. Ransomware is the most typical form of assault, according to Ghorbani. Through social engineering, which entails tricking someone into doing something or sharing sensitive information, fraudsters can enter a municipality's network.
Scams involving phishing come into this category. An email will be sent to a municipality employee from what appears to be a reliable source. There will be a link in the email. The municipal network is infected with ransomware when the employee clicks the link.
"They’re establishing admin access to the infrastructure, and then they take over the data and encrypt it so no one else can open it,” Ghorbani says.
The fraudsters then demand payment from the municipality in exchange for their promise to divulge the sensitive information. The stakes are larger, yet it's the same tactic that fraudsters use to target specific people. Through a phishing scheme, criminals in WestLake-Gladstone gained access to the municipal system and began draining bank accounts, transferring the money to Bitcoin, and making it vanish. In Saint John, scammers shut down all online services and demanded $17 million in Bitcoin to unfreeze the network. The municipality's usage of the Accellion File Transfer Appliance software, a product that sparked a massive wave of cyberattacks around the world, enabled fraudsters access to Durham Region.
These municipalities would have each had a set of cyber security guidelines, however they were unsuccessful. There are no general cyber security regulations that municipalities must abide by in Canada. The Association of Municipalities Ontario (AMO) provides guidance and highlights important security considerations in its cyber security toolkit. The level of protection, however, is up to the municipality.
For rural municipalities, this may provide difficulties. An urban area like Toronto will have a far larger budget than a municipality like WestLake-Gladstone, therefore it will have more money to spend on cyber security. Tech talent also has a tendency to migrate to positions in large cities, requiring rural governments to increase wages in order to recruit professionals. Ghorbani asserts that those fields need IT expertise.
However, this does not imply that rural administrations should not be safeguarded. Ghorbani proposes splitting the cost of hiring a cyber security expert with other nearby municipalities for municipalities with limited budgets wishing to strengthen their online defenses. To hire a specialist to remodel their IT department and ensure their infrastructure is up to date for several months, two or three neighboring municipalities may pool their resources.
Education is yet another important barrier. According to Ghorbani, municipal employees and residents can benefit much from training. They have then instructed staff to operate their system correctly. Ghorbani suggests posting education advice on the town's website and holding workshops on safety every few months to inform workers and residents.
Ghorbani stated, “Municipalities shouldn’t have the mindset that they’re small, so they’re not going to spend money on doing anything because they may not be a target. They miss the point that bad guys don’t really care. They take whatever they can. In fact, a smaller fish is more attractive to them because it’s less publicity than attacking a big fish.”