The county has spent about $656,000 as of mid-December to get its system fully operational, with the majority of the money — around $578,000 — going to consultants and computer security companies for server installation, compliance work, travel expenses and other activities, officials said.
Cybersecurity experts said the price tag for fixing the problem will likely increase.
“That sounds a little consultant heavy to me,” Andy Green, a lecturer of information security and assurance at Kennesaw State University, said of Henry’s spending so far. “If the consultants got more than half a million and only $100,000 went to improving their technology then they either spent too much on consultants or they are nowhere near done spending on the technology.”
Brad Johnson, Henry’s assistant county manager, defended using the consultants, saying they were provided by Georgia Technology Authority and approved by pre-arranged state contracts.
“Our team did several things to minimize the consequences of the attack and system shutdown played a major role in it,” Johnson said. “No one can be totally prepared for such an event and we are better prepared today than we were prior to the incident.”
Henry wasattacked in the early morning hours of July 17 and immediately shut down its entire system to protect taxpayer information.
During the three weeks it took to get the network back up and operational, the county returned to using paper for filings such services as building permits and business licenses. The hack also forced county workers to use personal email and made it more difficult to access court records that had been digitized and to process paperwork from the tax assessor’s office.
The attack was one of many that have hit metro Atlanta over the past few years, including a hack of the city of Atlanta’s network in 2018. The attackers demanded $51,000 in bitcoins in exchange for encryption keys to recover Atlanta’s data. Two Iranian men were indicted by the U.S. Department of Justice in October in the Atlanta attack, and others.
A confidential memo obtained by The Atlanta Journal-Constitution and Channel 2 Action News in August 2018 estimated Atlanta had contracted to spend around $6 million to bring its system back but could have to put another $11 million toward the work before the process was complete.
Henry officials have declined to be specific on how they have repaired their system and what software they are using to avoid giving potential hackers information that could lead to another attack.
The county’s expense list describes many of the costs as “phase I” of bringing the system back. The outstanding balance for $78,000 is listed as part of “phase 2.”
Consultants on the work include Georgia Technology Authority, Compliance Point, Fivepoint Solutions and Strategic Tech.
Johnson, the county assistant manager, said Henry has cyber insurance through the Association of County Commissioners of Georgia, but so far that policy has only paid out about $4,000. He did not know when other payments would be made.
David Barton, a managing director of accounting firm UHY Advisors who specializes in technology risk and compliance, said cyber insurance is a growing option for municipalities as the cyber threat has grown. But he cautions leaders not to think of it as allowing them to take their eye off making sure they are protecting themselves.
“Think of it like fire insurance,” he said. “You don’t want to have it and never pay attention to keeping your facility from catching fire. You can’t do it blindly.”
©2019 The Atlanta Journal-Constitution (Atlanta, Ga.). Distributed by Tribune Content Agency, LLC.