Nearly a month after a cyber attack on Drakenstein Municipality (DM), its email systems are finally up and running again, and have been since Wednesday this week (7 September).

A trusted inside source in the DM told Paarl Post on Tuesday that some systems work while others do not.

“Throughout the crisis, the impression we got from IT was that the department couldn’t care less,” the source revealed. “Then, we were unable even to scan documents, and the internet was down which, for people like me who conduct research, is a critical problem.”

On 25 August, however, DM announced its systems had been restored and it was ready to restart the network following the attack, which was confirmed on Thursday 11 August.

According to the Director of Corporate Services, Seraj Johaar, the municipality had been subject to a ransomware attack. Malicious software encrypted data on its systems and a number of its computers and laptops.

As previously reported, he said the municipality was able to secure its data speedily thanks to its practice of backing up systems twice daily.

“Its back-up or disaster-recovery process as well as the risk-mitigation measures the municipality has in place have ensured there was no loss of critical data. Therefore we did not have to pay any ransom money.”

Meanwhile, the Post sought the advice of an expert whose qualifications combine technology management and the law, and who has experience as an IT Manager in a large organisation. He was asked how a big organisation like DM ought to respond to such disasters, and whether DM did what was necessary to respond proactively and recover.

Wishing to remain anonymous, he said it should be standard practice for every organisation to have a Business Continuity Plan (BCP) to be able to respond to disasters of any nature in an effective and efficient manner.

“In the case of the municipality, a very recent Business Continuity Management Policy (BCMP) dated October 2021 is offered to the public with elements such as a BCP, procedures, exercising and testing, and operational planning and control.”

But aside from an Information and Communication Technology Continuity Strategy (ICTCS) reviewed by DM in March 2020, the expert noted there is no evidence to prove there was actual implementation of these elements provided for by DM’s stated policy.

He said its ICTCS cannot be regarded as an operational plan to combat the effects of a disaster like the cyber attack, and that DM does not seem to have a BCP.

“In the absence of such a plan, ICT continuity planning can only fall back on a very crude prioritisation of business requirements into core and peripheral business information systems. Among the core systems are, in fact, email systems, to be recovered and put back in service, at the latest, after four working days.”

It should not come as a surprise that in the absence of evidence of proper plans, combined with no implementation, exercising and testing of such plans, some core systems such as email have not been recommissioned within the intended four working days.

He explained that, given the make-up of DM’s business continuity management, the challenge to be fully back online may be worsened by a shortage or lack of expertise as well as other resources, especially when recovering from such an attack requires 24-hour shifts from ICT personnel.

“Under such circumstances, and given the progress already made it should not be uncommon to have a disruption of two weeks or even longer before full recovery.”

The protection of personal data

Section 19 of the Protection of Personal Information Act no 4 of 2013 (Popia) binds information-based organisations like DM to take reasonable cyber-security measures to protect their customers’ and service providers’ personal information.

“While DM claims no data was lost or compromised, should any debtor or any other party whose personal information is processed by the municipality find their personal information was compromised in the recent cyber attack, they may be able to claim damages from the municipality for their losses.”

The expert added that Section 22 of the Act requires the municipality to notify certain parties, chiefly the Information Regulator and affected individuals, as soon as is reasonably possible once it suspects personal information has been accessed or acquired by an unauthorised entity.

“The best way to deal with such an attack is to follow the law and the relevant Business Continuity Plan combined with its practical guidelines.”

More importantly, he noted, the BCP must be reviewed and action points informing decision makers of the successes and failures in the process of managing the disaster must be formulated.

“The relevant authorities should be informed so they can respond by launching an investigation and assessing whether the law was broken and if so, by whom and to what effect. Private parties must be informed, so they can implement responses to protect their privacy, person and assets against the consequences of the security breach.”

DM’s Communication Team reflected on their handling of the disaster: “A success was that the back-up of data is working and was secure in that while data was encrypted and unusable [during the attack] all data was secure, valid and up to date. A lesson learnt is that staff awareness requires more intensive effort and the back-up environment should mirror the production environment to keep downtime to an absolute minimum.”
