Severe winter weather, tornadoes and thunderstorms, landslides and flooding — most of the hazards that Buncombe and Madison county officials regard as high risk come from the natural world. But there’s one exception to that rule, as listed in the Regional Hazard Mitigation Plan adopted by the two Western North Carolina governments earlier this year: cyberattacks.
Once viewed as a problem primarily affecting national governments, global banks or multinational businesses, cyberattacks — defined by IBM as the use of computers to steal, expose, alter or destroy data — have started to hit closer to home. A March 2020 attack in Durham temporarily disabled community access to police, fire and other public services, while an August 2020 attack shut down classes at Haywood County Schools.
BlueVoyant, a New York-based cybersecurity firm, claimed in an August 2020 report that cyberattacks on state and local governments had increased almost 50% since 2017, adding that the true number was likely much higher because many instances are unreported. Most involved ransomware, malicious software that locks an organization’s data and threatens to delete or release the information unless the target pays up.
“It’s the No. 1 existential threat facing our country today,” says Adam Bricker of cyberattacks. Bricker is the executive director of the Carolina Cyber Center, a cybersecurity training program based at Montreat College. “Billions of dollars in cash and intellectual property are lost each year, and it’s the problem that keeps our military awake at night,” he says.
Dealing with cyberattacks is something local government takes extremely seriously, according to Kathy Brady, Buncombe County’s director of information technology. Three years ago, the county created a separate security and standards division within its IT department to mitigate the growing cyber risk. As of this year, the division is funded for six full-time positions, with an annual budget of more than $780,000.
“We focus very heavily on security issues,” says Brady. “We use tools for detection, prevention and recovery. Cybersecurity is the responsibility of every employee, so we provide security training on a regular basis to county employees.”
Although some attacks have become more sophisticated, says Buncombe security analyst David Anderson, the biggest danger lies in malicious attachments to everyday employee email. He says the county has simulated attacks on its own employees to identify issues and raise awareness about what to look out for.
“We have made some big strides in educating users about the types of attachments and emails that are concerning,” Anderson says. “They are getting it, but if we’re not doing that on a regular basis and keeping the communication going, it won’t matter.”
Cybersecurity training for all county employees now extends far beyond what Brady calls the typical “once-a-year refresher course.” Simulated phishing attempts routinely test staff’s ability to detect suspicious email, and quarterly phishing statistics are provided to all employees so they are aware of potential risks. Continuing education sessions are also available for staff to learn the ever-evolving best practices in cybersecurity, she adds.
No direct, significant cyberattacks have yet targeted Buncombe County government, Brady says, but she acknowledges that phishing attempts are constant. In August alone, she says, county systems flagged 18,000 emails as suspicious. She’s also concerned about any attack that might disrupt local infrastructure, referencing the Colonial Pipeline cyberattack that severely disrupted fuel distribution across the Southeast in May.
“We have to be prepared for any type of attack. It could be a cyberattack or a natural disaster,” Brady says. “We have to be able to return services. Public safety is our No. 1 concern.”
Defending the data
Attacks are also becoming more common among local businesses. A 2019 report by the Ponemon Institute, an independent cybersecurity research firm, found that 66% of small to medium-sized businesses had experienced a cyberattack in the last 12 months, with 45% of those businesses saying their security measures were ineffective at mitigating attacks.
In the most high-profile recent WNC incident, Asheville-based Allergy Partners was the victim of an eight-day attack in which the business was asked to pay a $1.75 million ransom for its data. In the business’s May 17 notification to patients, Allergy Partners states the attack involved “an unauthorized person” who “deployed malware and acquired copies of some of the information on our systems.”
The information acquired in these documents, according to Allergy Partners, could include “name, address, date of birth, health insurance information, driver’s license number, Social Security number, financial account numbers and/or clinical, diagnosis and/or treatment information.” The notice says a review of the incident is ongoing.
Bricker with Montreat’s CCC says that most cyberattacks aren’t targeted toward a specific business; instead, the majority of criminals “spray and pray,” sending mass emails in an effort to trick someone into downloading a malicious attachment or revealing login information. He adds that WNC may be particularly vulnerable to such an approach due to a lack of cybersecurity awareness and education: “We’re in a cyber naked area. Many don’t pay attention to risks, don’t know who to trust, and it’s easy to get overwhelmed,” he says.
Mike Lovoy owns Advantage Civil Engineering in Asheville and co-owns Asheville Hemp Farms with his wife, Kim. He says those businesses take multiple security steps to protect data but acknowledges there’s more to learn.
Although he knows of a peer company that was shut down for two weeks last year due to a cyberattack, losing access to its files and a lot of money, “I haven’t thought about it actually happening to me,” Lovoy says. “I’m not as familiar with the threats but I know they are out there and can be serious.”
Financial consequences and increasingly frequent attacks paint a dire picture, but local professionals agree that basic, low- or no-cost “cyber hygiene” is the best way to prevent most attacks. Besides regularly updating software on all internet-connected devices, Bricker recommends implementing a password manager, which automates the use of complex and unique passwords, and multifactor authentication, which requires users to enter both a password and a one-time code sent via email or text message.
Those seeking more advanced cybersecurity advice can take advantage of the CCC’s programs. The center offers both in-person and virtual training academies and will soon be launching cybersecurity consulting services for organizations.
“We can provide low-cost cybersecurity assessments, and they will end up with something like a credit score. Clients can see where they rate, then we can work with clients to lay out an action plan built on incrementally improving their security standing,” says Bricker. “We are also launching managed detection and response services, where we can help companies look for threats.”
“This is a business problem, not a technology problem,” Bricker adds. “If we lived along the coast, we would take steps to prepare for hurricanes.”