Saskatchewan has 296 rural municipalities, but the potential cybersecurity threats they face are endless.
The RM of Silverwood proposed a resolution at last week’s Saskatchewan Association of Rural Municipalities (SARM) convention to have SARM to inquire into hiring IT personnel to reduce the risk. It passed, but the question of what comes next remains.
“Whether municipalities are going to start to be a bigger target or not, or maybe we’re small fish out there for these hackers, that I can’t say for sure,” said Jennalee Buetler, chief administrative officer for the RM of Silverwood.
“Taking precautionary steps and trying to get protocols in place, we just thought would be a good idea.”
The City of Saskatoon’s loss of $1 million to a fraudster in the summer of 2021 was an example of how easy it can be for criminals to take advantage of weaknesses.
“It is a big concern,” said SARM president Ray Orb.
The demand for a resolution comes after a calendar year in which SARM was unable to find favourable renewal terms for cyber liability coverage, with higher premiums and less coverage offered by a pre-existing provider. Part of the reason for the high rates is the RM’s lack of protocols to prevent crime.
Cyber insurance coverage can include expenses for computer and electronic data restoration, e-commerce extortion and crisis management, according to the Insurance Bureau of Canada.
Silverwood is one example of an RM that did not go through with the coverage this year.
“They said we are at high risk, because we don’t have enough internal protocols, IT on staff and education towards all the different kinds of threats. The coverage came back so high and with such large deductibles that it wasn’t really worth going through with it,” Buetler said.
The staffing problem within RM offices persists. Offices with only a handful of employees can’t realistically take on cybersecurity issues.
“RM administrators have so many tasks that they have to do, it’s virtually impossible for them to do them on their own with the way they’re staffed,” said Colin Warnecke, manager of risk management at SARM.
“I don’t know too many organizations where you’re the accountant, the HR manager, the marketing individual, and the IT individual. Who could handle all of that? They really have to look at having some outside assistance in doing that — but that comes with a cost.”
The price depends on the solution. Warnecke said right now, a lot of the focus is on educating RM; SARM currently offers a $25 cyber training program for its members.
He would like RM administrators to implement good controls, preferably with IT professionals, to better protect themselves, including adding multi-factor authentication and backup systems, he said.
Silverwood suggested hiring an IT specialist, but whether one hiring would be a realistic solution to oversee the nearly 300 RMs within the province is debatable.
Brennan Schmidt, a Regina-based cybersecurity expert, said he would advocate for an economies of scale model that would put a consistent set of standards in place, but on a broader scale to save taxpayer money.
“If you can have a water agreement or a fire truck agreement in place for sharing between municipalities, I think it’s a really good time to start having the conversation as to what that may look like in the digital age,” Schmidt said, noting that as demand for broadband internet access increases, so do the potential risks.
“If anything, by advocating for broadband, you are creating a couple problems. No. 1, you’re getting folks who may not have adopted technology to fast track on the technology track. And No. 2, you have this whole issue of now municipalities are going to have to start keeping pace with the demands that people expect.”
Orb noted that the potential for increased susceptibility with the advancement of internet technology is a concern, but said SARM has been working over the last year with SaskTel and smaller internet service providers, on proper connectivity and cybersecurity.
Schmidt’s advice for RM taxpayers is to identify the safeguards for data recovery and whether insurance is in place.
Schmidt believes a government standard is required for RMs.
“If the government can put forth legislation that stipulates that you must have a budget that is released at this time and you can’t … borrow against money that you don’t have, etc. I would say they should definitely have some sort of standards in terms of cybersecurity, because if we don’t have that, I think that it’s just going to be a disaster for the tax base.”
SLGA target of Christmas Day cyber attack
City of Saskatoon loses $1 million to fraudster posing as executive
City of Saskatoon looks for cybersecurity expert
The news seems to be flying at us faster all the time. From COVID-19 updates to politics and crime and everything in between, it can be hard to keep up. With that in mind, the Saskatoon StarPhoenix has created an Afternoon Headlines newsletter that can be delivered daily to your inbox to help make sure you are up to date with the most vital news of the day. Click here to subscribe.