Friday, May 16, 2025
theadvisertimes.com
Never “Too Small For Cybercriminals”: One Town’s Cautionary Tale

by theadvisertimes.com
11 months ago
in Market Analysis
Reading Time: 5 mins read

Earlier this month, the town manager of Arlington, Massachusetts, notified constituents that Arlington fell victim to a classic cybercrime, business email compromise (BEC). Through account compromise of its employees and account spoofing of its vendor, bad actors were able to reroute four monthly electronic funds transfer payments for a high school building project totaling nearly $500,000. The fraud was uncovered when that vendor notified the town that they hadn’t been paid in four months.

In a world of Scattered Spiders and Midnight Blizzards and UNC2452s, why is Arlington’s BEC important? Because it’s happening all the time to towns, municipalities, regional health systems, and small businesses lacking the resources to prepare for such an event. There’s no such thing as “too small” or too “off the radar” for opportunistic cybercriminals. Our 2023 Security Survey found that 63% of security decision-makers in the public sector and 74% of security decision-makers in organizations with 20 to 999 employees reported at least one breach in the last 12 months.

Once aware of the BEC, the town took necessary incident response steps, including notifying law enforcement and its bank, hiring outside counsel, and conducting a forensic investigation, all of which highlighted what it lacked prior to the attack, including:

  • Employee awareness training. As a result of the attack, Arlington is “[instituting] mandatory cybersecurity training for all staff” through a grant from the state. Awareness training advancing toward human risk management focuses on building a security culture within an organization that encourages employees to pause and ask questions when receiving messages from third parties, management, or even IT staff. Urgency, authority, and novelty are hallmarks of social engineering to be met with healthy skepticism, but that can only be achieved in cultures that reward employees for vigilance, even if that results in a slight delay of legitimate transactions or tasks.
  • Wire transfer protocols. The letter stated that the town contracted an auditor to review payment processes and “bolster internal controls with a stricter policy related to wire transfer payments.” No one employee should be responsible for a decision to change the destination of funds. Organizations must put in place multistep verification processes that ensure that several sets of eyes are on messages related to transfers and that legitimate parties on the receiving end of transfers confirm the destination verbally via a number not included in email communication and confirm receipt of payment, among other anti-fraud best practices.
  • Advanced email security. Interestingly, the town manager’s letter noted that “[…] the IT department had already begun to reconfigure email security settings in November to improve our email security,” indicating that some email security protections were in place but were either not advanced enough or not configured properly to block phishing messages. The fewer phishing emails delivered to inboxes, the less organizations need to rely on employees to make the right choices in interacting with them. Your enterprise email security solution should also extend protections developed for the email inbox to messaging, collaboration, file sharing, and SaaS applications across multiple devices and throughout the day-to-day workflows of your employees.
  • Multifactor authentication. In addition to stepping up email security, the town manager stated that multifactor authentication (MFA) would be rolled out to select employees immediately and to all staff in the future as part of a state grant. MFA, especially phishing-resistant MFA, would likely have prevented attackers from accessing and monitoring the email threads related to projects and payments by requiring one or more additional forms of authentication, while delivering the convenience of a passwordless experience and better protection against social engineering attacks.
  • Detection and response tech. The letter addressed already-in-progress improvements, including the rollout of endpoint detection and response (EDR) “as part of the upcoming fiscal year.” The addition of EDR to the town’s security tech stack will likely thwart other malicious activity, but it, along with its more comprehensive successor, extended detection and response (XDR), requires skilled practitioners to interpret alerts and take appropriate response actions. If your organization lacks practitioners with the right skills to derive value from an EDR or XDR solution, consider managed detection and response, or, for less than the cost of hiring skilled talent from the outside, fill skill gaps with a skills and training platform.
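The wire transfer and email security points above describe a control, not code, so here is an added example of what that control looks like when written down. It is not code from the Forrester post or from the town of Arlington. It screens a vendor “new bank details” email for the spoofing indicators a BEC reviewer looks for (lookalike sender domain, mismatched Reply-To, pressure wording), and it refuses to change a payment destination until two distinct approvers have signed off and the vendor has confirmed on the phone number already held in the vendor master record, never on a number taken from the email. All vendor names, domains, phone numbers and message text are constructed for the example.

```python
"""Added example (not the post's or the town's code): a BEC payment-change control.
Screens the requesting email, then enforces dual approval plus an out-of-band
callback to the number on file before the payment destination may change."""
from dataclasses import dataclass, field
import re

# Constructed vendor master record: the trusted contact data that was on file
# before any change request arrived. Only this data may be used for callbacks.
VENDOR_MASTER = {
    "acme-builders": {
        "domain": "acme-builders.example",
        "callback_phone": "+1-555-0100",   # constructed placeholder number
    }
}

# Pressure and bank-change phrasing typical of BEC requests (constructed list).
PRESSURE_PATTERNS = re.compile(
    r"\b(urgent|immediately|today|asap|confidential|new (?:bank|account)|updated (?:bank|wire))\b",
    re.IGNORECASE,
)


def _normalize_domain(domain: str) -> str:
    """Collapse common lookalike substitutions so 'acrne-bui1ders' compares equal to 'acme-builders'."""
    d = domain.lower()
    for lookalike, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(lookalike, real)
    return d.replace("-", "").replace(".", "")


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def screen_email(vendor_id: str, from_addr: str, reply_to: str, body: str) -> list:
    """Return human-readable findings that reviewers must see before acting on the request."""
    on_file = VENDOR_MASTER[vendor_id]["domain"]
    findings = []
    sender = _domain_of(from_addr)
    if sender != on_file:
        if _normalize_domain(sender) == _normalize_domain(on_file):
            findings.append(f"lookalike sender domain {sender!r} (vendor on file: {on_file!r})")
        else:
            findings.append(f"sender domain {sender!r} does not match vendor on file {on_file!r}")
    if reply_to and _domain_of(reply_to) != sender:
        findings.append(f"Reply-To domain {_domain_of(reply_to)!r} differs from From domain")
    hits = sorted({m.group(0).lower() for m in PRESSURE_PATTERNS.finditer(body)})
    if hits:
        findings.append("pressure or bank-change wording: " + ", ".join(hits))
    return findings


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_account_last4: str
    approvers: set = field(default_factory=set)
    callback_confirmed: bool = False


def approve(req: BankChangeRequest, approver: str) -> int:
    """Record an approval; the same person approving twice still counts once."""
    req.approvers.add(approver)
    return len(req.approvers)


def confirm_callback(req: BankChangeRequest, phone_dialed: str, vendor_confirmed: bool) -> bool:
    """Only a confirmation obtained on the number from the vendor record counts."""
    if phone_dialed != VENDOR_MASTER[req.vendor_id]["callback_phone"]:
        return False  # number came from the email, not from the record: does not count
    req.callback_confirmed = vendor_confirmed
    return req.callback_confirmed


def apply_change(req: BankChangeRequest, ledger: dict):
    """Change the payment destination only when both controls are satisfied."""
    if len(req.approvers) < 2:
        return False, "needs two distinct approvers"
    if not req.callback_confirmed:
        return False, "vendor has not confirmed on the number held in the vendor record"
    ledger[req.vendor_id] = req.new_account_last4
    return True, "payment destination updated"


def demo() -> dict:
    """Walk one constructed request through the control; returns the final state."""
    findings = screen_email(
        "acme-builders",
        from_addr="billing@acrne-bui1ders.example",   # constructed lookalike domain
        reply_to="billing@mail-acrne.example",
        body="URGENT: please send this month's payment to our new bank account today.",
    )
    req = BankChangeRequest("acme-builders", new_account_last4="9876")
    ledger = {"acme-builders": "1234"}
    steps = [apply_change(req, ledger)[0]]                      # False: no approvals yet
    approve(req, "ap.clerk")
    approve(req, "ap.clerk")                                    # same person again: still one
    steps.append(apply_change(req, ledger)[0])                  # False: one approver
    approve(req, "finance.director")
    steps.append(confirm_callback(req, "+1-555-0199", True))    # False: number from the email
    steps.append(apply_change(req, ledger)[0])                  # False: no valid callback
    steps.append(confirm_callback(req, "+1-555-0100", True))    # True: number on file
    steps.append(apply_change(req, ledger)[0])                  # True: both controls met
    return {"findings": findings, "steps": steps, "ledger": ledger}


if __name__ == "__main__":
    state = demo()
    print("\n".join("finding: " + f for f in state["findings"]), state["steps"], state["ledger"])
```

The ordering matters: the screening findings are advisory and go to the reviewers, but the two hard gates (two distinct approvers, callback on the number already on file) apply to every destination change, not only to suspicious-looking ones, because a well-crafted BEC email from a genuinely compromised vendor mailbox may raise no findings at all.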

What Arlington Got Right: Breach Notification And Communication

The town manager’s notification letter to the community was commendable. It was straightforward and direct, with assurances for concerns that were likely top of mind for residents, like whether resident data was compromised (it was not), whether the town was able to recover any funds (the bank recovered $3,308), and whether the loss negatively impacts the completion of the high school building project (it does not).

The letter also covered expected elements from a clear notification. It outlined what the town could share about what happened, how the town’s IT department responded, and steps that the town will take next. It also included a FAQ covering the impact to the building project and town budget, as well as questions related to security and the incident.

Breaches Break Already-Fragile Town Budgets

The attack and the needed remediation steps in its aftermath add financial pressure to a town already struggling with its budget. Like many municipalities this past year, Arlington faced an unexpected jump in expenses — like rising health insurance costs for town and school employees — and had to vote on a budget override to make up the shortfall without cutting services too deeply.

Budget overrides can be a contentious topic at town meetings — the entire town meeting tradition in New England is fascinating and perhaps the subject of another blog — and Arlington’s vote for a $7 million override back in November came with a commitment to not propose any more budget overrides until FY2027.

Arlington can ill afford a half-million-dollar outlay from a BEC or any other cybersecurity attack. As with many other towns and municipalities feeling similar pinches, officials must be on high alert for attacks like this that might be a drop in the bucket for an enterprise but debilitating for a small-town budget.

What’s A Cash-Strapped Town (Or SMB) To Do?

The first step is understanding where your town stands in terms of cybersecurity maturity. Massachusetts towns can use the state’s Municipal Cybersecurity Roadmap to get a good picture. Municipalities can then chart their course based on their maturity levels. Don’t wait for an attack to act. Look for free and low-cost federal and state programs that are provided to help towns improve their cyber resilience, such as CISA and FEMA’s State and Local Cybersecurity Grant Program. And for town board members seeking to gain support for the program, the MassCyberCenter provides examples of real stories that have financially impacted towns. Municipalities outside of Massachusetts should see what resources are available from their state government or federal programs.

No matter your organization’s size or sector, there’s more you can do to 1) improve your program’s maturity and 2) emphasize to leadership the critical link between security and revenue as it relates to your key constituencies. Forrester clients can schedule an inquiry or guidance session with us to discuss further.
