Our state government created a Cybersecurity Task Force during the 2019 Legislative Session lead by Lt. Gov. Jeanette Núñez. The task force hopes to provide some insight into the risks associated with cybercrime.
They also wish to define what the risks are to our state and how we can improve cybersecurity and their first meeting was last week.
I can save the group a year of meetings. Here is my analysis.
The threat landscape is very, very bad.
We are all at risk and all of us can be doing a lot more to improve on the protective measures currently in place in the private and public sectors.
If you think about it, it only takes one person in your organization to cause you a serious problem. One person.
We have seen a massive uptick in cities being attacked by ransomware and the surge in the dollar amount of the ransom demand from thousands to hundreds of thousands, some a million-plus. This Naples Daily News piece outlines the seven Florida municipalities that have been hit in the past year.
I spoke about the Tallahassee incident to the Tallahassee Democrat earlier in the year and USA TODAY picked up the story and ran it nationwide.
“Usually the way they get in is through email,” I wrote. “Those happen all the time. If you’re not trained to be on the lookout for something, about how that may look or feel or the implications, it can bring your city to a crawl.”
I like that quote as email is the most common threat entry point.
The idea of “social engineering” one email to that one person in your organization that might be the “sucker” is their goal.
So, to review the types of threats that might come in via email.
— Ransomware that could be disguised as a UPS, iTunes or Bank of America email asking you to “click” to verify info of some kind. Once you click all your files are frozen, and you have to pay the ransom via bitcoin to get them back.
— A phishing ask for “gift cards” from Target or Amazon supposedly from your supervisor or boss. They find you online and mimic your organizational hierarchy to try and fool you. You would be shocked how often people fall for this.
— You click a link in an email, and it appears nothing has happened, while behind the scenes insidious key tracking software is installed just waiting for you to go somewhere secure online and scoop up your passwords.
Other threats are still rampant, there are programs trying to crack your passwords right now and trying to log in to your bank. Using brute force attacks to guess your credentials using automated tools. You can learn more here.
Despite all the training and tips available people also still fall for the phone call that comes in, “HHHEEEEY, its Carl from IT. Can you give me your password so I can run updates …”
First, don’t trust anyone named Carl. Second, it is not a best practice to give your password to anyone. Most IT professionals will, in fact, ask you to enter your password when working with you as that is an industry best practice vs. asking for it.
There are advanced threat protection tools on the market that can actually block some forms of ransomware when clicked. Also, there is training that covers every one of these scenarios.
The thing that some individuals struggle with is the personal accountability of technology.
You must take responsibility to not be that one person that brings the whole place down by falling for a con or clicking a link; also have robust passwords (and different passwords for different sites). Don’t click on things you should not. Don’t go to shady websites (ransomware is hidden there too) and if you see something suspicious, report it.
Further, ramp up your security protocols, add two-factor authentication and run some phishing tests.
Be prepared as the hackers are not going away any time soon.
Thanks to the task force and everyone reading this — for your commitment to protecting our state — as there is a lot of work to be done.
Plus, unlike a lot of battles in our state and nation, we are clearly all in this fight together.
Blake Dowling is CEO of Aegis Business Technologies. He can be reached at firstname.lastname@example.org.