Former Stratford mayor warns municipalities at recent OSUM conference
According to one expert in the field, it isn’t a matter of if a municipality will be hit by a cyber attack. It’s when.
Dan Mathieson served as the mayor of Stratford for 20 years and spent 27 years in municipal politics. That city suffered an attack in 2019, one that crippled its IT systems and cost taxpayers $75,000 to fix.
Mathieson was named a special advisor on cybersecurity and municipal engagement at Toronto Metropolitan University (TMU) in 2023 and works closely with the school’s Rogers Cybersecure Catalyst.
Mathieson said once Stratford’s IT system was healed, he decided to dive into the field to learn more about it by talking to organizations specializing in the field, including the Canadian Institute for Cybersecurity.
“In doing so, I met Dr. Mohammed Lachemi, president of TMU. He was starting to work on municipal engagement…and I told him one of the things he was missing was one of the biggest threats municipalities have and that’s in cybersecurity.”
Municipalities are putting more services online and providing increased databases in the interest of transparency, but with it comes increased risk.
“That risk has to be managed as it has the ability to cripple municipalities. It led to, ok, let’s start to build some awareness around that and really why I have been going to some conferences to advance the awareness side of things.”
Mathieson explained the vast majority of municipalities say they are not prepared in the event of a cyber or malware attack.
“I will go on the record. A lot of councillors may not have realized the amount of risk that’s out there, and it’s not a slight to staff, there’s only so much money to be spent by local government, and cybersecurity ranks below homelessness, housing, transportation, clean water, sewers and recreation facilities.”
Mathieson said one of his goals is to get municipalities to collaborate on the subject, something that could save precious tax dollars.
“Maybe there is an opportunity for a group of them to share services and information to help reduce the risk while making their money go further as opposed to being, it’s all of us on our own type of thing.”
He is suggesting something along the lines of a regional security operation centre where dedicated staff can keep a close eye on things.
“Perhaps we split the cost of two IT professionals and all our servers go through that and those people live and breathe that all day long. Their job is to keep all the network pieces safe. Stratford has a very strong IT department but they have multiple things each day they need to worry about. They need someone whose sole focus is on IT security.”
Improving cybersecurity comes at a cost, and presently, there are no funding streams available from any level of Mathieson is optimistic that change could be coming.
“I think there has been some traction at the provincial and federal level. You’re starting to hear of more municipalities doing annual emergency exercises as they have been simulating cyber attacks. Whether it’s on communication systems or ones that run water and wastewater facilities, they are talking about what they would do if it were to happen.”
Two representatives approached the former Stratford mayor following his recent presentation at the Ontario Small Urban Municipalities Conference in Collingwood to say they were in the midst of an attack but haven’t made it public.
“They were working through it with their insurer or police, and it’s because they’re trying to make sure they don’t share too much information that could give the attackers more ideas. Just like we need professionals focused on security every day, there are criminals focused on how they can exploit municipalities and other government entities every day.”
TMU has compiled a checklist for municipalities to utilize free of charge to see just how prepared they are. It has been put together by top students who are simulating attacks.
“Some checklist examples are what’s the backup for when your email system goes down, or when someone takes over your website. How are you going to communicate? What do you do for records retention if they take over your computer system?”
Mathieson said the goal of the checklist is to get municipalities thinking. Hamilton was also hit with a major cyber attack recently and according to the Spectator newspaper, that city spent nearly $10 million to regain control of its systems.
“Hamilton’s IT budget increase this year was just over $30 million. What I say to members of council is it’s not what the initial cost is, it’s the cost to recover, to rebuild, and then operate going forward. They need to know all three of those aspects.”
The former Stratford mayor suggested local government remember the Japanese phrase, Kaizen, which is essentially continuous quality improvement.
“You don’t do this by checking something off the list and say, alright, we have it looked after. It is a continual, organic piece that needs to be looked at on an ongoing basis because everything changes in systems. How many times do people get an update for their phone or computer? Every time there is an update, a new vulnerability comes with it.”
