Police department computers contain large amounts of sensitive data about their communities, the citizens in those communities and the men and women who work for those departments. Protecting that information is the job of law enforcement IT. Police IT departments aren't always up to the task.
Many law enforcement IT departments are undermanned. About half of all local police departments have fewer than 10 people in their IT departments, according to the Bureau of Justice Statistics. Moreover, information security remains a low priority for many police departments. According to the latest information available from the International Association of Chiefs of Police and the Canadian Association of Chiefs of Police, only half of police departments have policies to minimize the risk of cyberattacks.
With numbers like that, the rash of attacks on police departments in recent times should not surprise anyone. In Tewksbury, Mass., for example, a ransomware attack took that police department's network offline for five days. And even with the help of the FBI and U.S. Department of Homeland Security, Tewksbury had to pay the ransom to get its systems back online.
Situations like that can be avoided with good system hygiene, like having a disaster recovery system in place. Such a system would have allowed the Tewksbury police's IT department to restore its data from a clean backup and ignore the demands of the cyber-extortionists. Unfortunately, backups are often ignored until catastrophe strikes. In Lincoln County, Maine, for instance, the sheriff's office had a backup system in place, but it was poorly maintained, so when the office's systems were infected with ransomware, it found its backups corrupted and it, too, had to pay a ransom to get them back.
Law enforcement IT departments don't always follow the basics. "The biggest problem is that these attacks can be easy to mitigate with the most basic security controls, often with technology that city governments and the agencies already have, it just needs to be implemented," Ken Westin, a senior security analyst at Tripwire, told Dark Reading.
Among the basics often ignored by law enforcement IT is a policy on strong passwords. As it turns out, cops aren't much different than consumers when it comes to giving cyber crooks an easy path to their accounts and their department's networks with a simple password. "Change your password to something a moron couldn't guess in three tries," law enforcement veteran Tim Dees recommended at PoliceOne.com.
"Avoid anything tied to a personal detail someone else would know — badge number, date of birth, anniversary, dog's name, etc.," he added.
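A password policy along these lines can be enforced when a password is set. The sketch below is an added example, not code from the article or from PoliceOne. It rejects candidate passwords that embed a personal detail, including look-alike character substitutions and common ways of typing a date. The profile fields, their values and the function names are constructed for illustration.

```python
import re
from datetime import date

# Constructed substitution table: undoes common look-alike characters.
LEET = str.maketrans("0134578@$!", "oieastbasi")

# Constructed sample profile; in practice this would come from HR records.
OFFICER_PROFILE = {
    "badge number": "4417",
    "dog's name": "Bailey",
    "date of birth": date(1985, 4, 12),
}

def squash(text):
    """Lowercase and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def date_variants(d):
    """Digit strings people commonly derive from a date."""
    y, yy = f"{d.year}", f"{d.year % 100:02d}"
    m, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {m + dd + y, m + dd + yy, dd + m + y, dd + m + yy,
            y + m + dd, m + dd, dd + m, y}

def screen_password(password, profile):
    """Return the sorted labels of personal details found in the password."""
    plain = squash(password)
    # Second view of the password with substitutions undone (B@iley -> bailey).
    deleet = squash(password.lower().translate(LEET))
    hits = set()
    for label, value in profile.items():
        if isinstance(value, date):
            tokens = date_variants(value)
        else:
            tokens = {squash(str(value))}
        for token in tokens:
            if len(token) < 3:  # too short to match meaningfully
                continue
            # Word tokens are also checked against the de-substituted view.
            if token in plain or (token.isalpha() and token in deleet):
                hits.add(label)
    return sorted(hits)

if __name__ == "__main__":
    for candidate in ("B@iley0412", "unit4417patrol", "correct-horse-battery-staple"):
        found = screen_password(candidate, OFFICER_PROFILE)
        print("REJECT" if found else "ok", found)
```

A check like this belongs in the password-change path, where the candidate password is available in clear text, and it should never log the candidate itself.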
Another basic that can keep a network secure is timely patching of all systems and programs. Many patches released by software makers address security problems, so the longer a patch remains on a to-do list, the longer the window of attack remains open for a hacker. Of course, if a law enforcement IT department is understaffed, patching may fall by the wayside. The situation will be worse in departments with software versions no longer maintained by their makers. Believe it or not, some departments are still using Microsoft DOS as their operating system!
Most cyber criminals today don't depend on elaborate hacks to break into computer systems. They depend on social engineering. Many breaches of law enforcement systems can be traced to an email and a click on an infected link. A continuous training program to keep officers and staff aware of the latest cyber crime innovations can have a security payoff higher than the introduction of fancy, state-of-the-art detection systems. Sadly, with today's tight law enforcement budgets, employee training is usually one of the first items to get the ax.