On September 8, 2022, a ransomware gang (reportedly ALPHV or BlackCat) seized the IT services of Suffolk County, NY, knocking out email and websites including the title searches needed for real estate sales. The attackers even disconnected the 911 system, forcing the county to turn to the NYPD to field emergency calls. The county warned residents to check their credit reports, as PII has been accessed. According to county officials, the attackers had been inside systems since the previous December, exploiting an unpatched Log4j vulnerability.
RiskLens is the leader in quantitative analysis of cyber risk.
Estimate of Probable Costs for Suffolk County from the Ransomware Attack
Using the RiskLens My Cyber Risk Benchmark tool, we can estimate the probable effect (in annualized dollar amounts) of a ransomware incident on a government agency of Suffolk Country’s size:
- $4.7M for Primary Response Costs (incident management)
- $338.3K for Lost Revenue
- $13.3K Secondary Fines & Judgments (levied by government regulators, for instance)
- $5.0M Total
Local Governments Cyber Incidents Count
According to the 2022 Verizon DBIR, the public administration sector was hit with 2,792 cyber incidents in 2021, including 537 data breaches. That placed this industry at number three for total incidents, also number three for data breaches, out of 21 surveyed.
Most Probable Cyber Risks by Incident Frequency and Loss for Government
The RiskLens data science team estimates risk for companies in an industry category based on the cyber events history plus a wide range of parameters such as revenue (or government budget), number of employees and number of database records.
In RiskLens modeling, a ransomware event for a government agency of Suffolk County’s size comes in relatively low at a 14.5% probability in a year, but that’s relative to the very high probabilities for other forms of attack, as shown in the chart below. Public administration is the most likely to be targeted and the least well-protected among industry types.
Here's how the government sector compares to others for ransomware attacks, far out ahead for likelihood in a year.
Database Size and Security Posture Make a Difference
Adjusting the parameters on the My Cyber Risk Benchmark tool gives clues on how to reduce cyber loss exposure.
For instance, reducing the number of records in a database, but leaving the other settings the same for a public agency of Suffolk County’s characteristics shows this $1.3M improvement for a ransomware event
- 1M-10M Records = $2.5M Loss
- 100K-1M Records = $1.2M Loss
To rate security posture, the Benchmark tool incorporates grading by Security Scorecard. Here’s how the annual probabilities of a ransomware attack go up for a government organization comparable to Suffolk County as security grades go down, suggesting the value of controls investments. (Security Scorecard rated Suffolk County at “D”).
- A rating = 6%
- D rating = 14.5%