Date: 2022-08-01

One in four entities experience a data breach, Geoff Jenista, a federal cybersecurity agency leader, told a group of city officials and business leaders in Bettendorf.

The expense and frequency of cyber attacks on businesses, local governments and infrastructure have drastically increased in recent years. The FBI reported that the dollars exposed to losses from email scams, which make up the vast majority of cyber attacks, increased 65% between 2019 and 2021. According to Verizon's 2022 cybersecurity report, ransomware attacks, in which hackers take data hostage and demand payment, have increased 13%.

In the Quad-Cities, at least three local governments paid out more than $100,000 to email scammers. In all three cases, the criminals emailed local government officials pretending to be legitimate vendors the cities worked with to ask for a bank account change. In all cases, the local governments had insurance to cover the losses.

Jenista, the Cybersecurity Information and Security Agency's chief of cybersecurity for a four-state Midwest region, said the increased cyber threats stemmed more from greater usage of online accounts that bad actors could try to access.

"So, it's not that it's increasing, but it's become more readily available to these bad people because now they're not having to bust windows or kick in doors to get in," Jenista said.

Republican U.S. Rep. Mariannette Miller-Meeks, whose staff organized the event, said other local institutions had experienced cyber attacks, including Muscatine County, Mercy Iowa City Hospitals, Musco Lighting and an Ottumwa dental office.

The Cybersecurity Information and Security Agency, formed in 2018 to combat physical and cyber threats to infrastructure in the U.S., recently received a boost of funding from Congress to increase its staff and operations to combat cyber threats to critical infrastructure.

Jenista laid out tips on Monday to avoid those losses in an increasingly connected world.

Called CISA, the agency conducts various types of free security assessments to determine the cyber preparedness of local governments and businesses.

Jenista said he'd done roughly 60 assessments for Iowa entities, mostly county governments. He compared cyber criminals to car thieves, saying if entities lock their doors, it'll be harder for criminals checking doors to steal their things.

Common ways to deter that are enabling multi-factor authentication, which means adding an extra step beyond a password to make it more difficult for someone to hack your account; updating software to patch holes; and creating a response plan so organizational leaders know what to do in case of a crisis.

Asked whether entities go to CISA voluntarily or after a breach, Jenista said many times entities say they can't afford to take precautions until after an expensive breach.

Cyber insurance premiums, too, have been rising.

"Cyber insurance is kind of the wild, wild west," Jenista said.

Jenista said he saw ransomware attacks as the biggest threat to America's infrastructure, such as water supplies and energy grids.

Meat supplier JBS, which has an Ottumwa location, paid $11 million to hackers in a ransomware attack last year despite federal agencies, including the FBI and CISA, warning the company not to pay the ransom.

"A good backup system is way cheaper than $4 million dollars," Jenista said. "So if you're willing to spend $4 million on a ransomware event, why not spend $100,000 on a backup solution that you can restore in 30 minutes?"

Phil Kirk, director of CISA's seventh region, said the agency was focused on communicating to the public the threat of cyber attacks.

"We are out talking to the American public and all levels of government and the private sector down to the individual level to explain to people that the threat is real," Kirk said. "And the simple things that they can do to make themselves less likely to become a victim. And then also to encourage, you know, the larger entities, private sector, owners and operators forms of government ... they need to be thinking about and looking at incident response plan."