Derrick DeGroot, the Commissioner of Klamath County, OR, had a rough summer. An email scam had given criminals access to copious county and employee records, just three months after he thought he’d addressed the problem — in the wake of another costly email scam. He is not alone. Worldwide, cybercrimes cost victims a total of $600 billion. According to a Verizon study, a whopping 92.4% of malware is “delivered” via email, with the US getting more than 81% of phishing attacks. While nefarious emails are getting harder to recognize, cities and counties can defend themselves by securing board communications.
In July, just three months after a Nigerian phishing scam had wreaked havoc for Klamath County, a second such scam bested another two county employees who clicked on an email link, thereby exposing their county credentials. Moreover, the two signed an online document, for which the county is anxiously waiting to see what fallout might ensue. In the March scam, an employee had also clicked on an email, which let the sender see that employee’s email credentials. With that information, the phishers had accessed personal information on about 80 people, most of them also employed by the county.
The damages are significant. The July data breach will cost the county $5,000 in an insurance deductible; their cybersecurity insurance provider will absorb the rest of the cost of the needed investigation by a data security firm — expected to reach as much as $30,000. The March breach had already cost the county $32,135 for a software lease to protect the county’s 500 computers and servers. Clearly, that investment did not protect them enough.
Klamath County is hardly alone. Even in southern Oregon, Commissioner DeGroot says that “this kind of thing is starting to happen all over.” Other counties in the region have been targeted as well. Of national organizations whose IT and security officials were surveyed for the Wombat 2018 State of the Phish, 76% had faced phishing attacks in 2017.
A Symantec inventory brings those numbers down to earth:
“According to Symantec’s 2018 Internet Security Threat Report (ISTR), a whopping 54.6% of all email is spam. Even more to the point, their data shows that the average user receives 16 malicious spam emails per month, which leads to some scary math. Even if you only have 20 employees, that’s 320 times a month you have to trust in their ability to correctly scrutinize emails and make the right call. That’s 3,840 bullets to dodge over the course of a year.”
Such a strong offense calls for an even stronger defense.
Recognizing Email Scams
Unfortunately, the usual suspects are giving way to new, more sophisticated “spear-phishing” schemes, which far fewer people can spot. Joseph Opacki, Vice President of Threat Research at PhishLabs, reports from the front lines: “The business model of phishing has evolved. The bad guys have found ways to multiply their profits at the expense of organizations they aren’t even attacking directly.” Such spear-phishing attacks targeted 53% of the organizations surveyed by Wombat, and a staggering 97% of users don’t recognize spear-phishing emails.
How to Protect Yourself?
In an Infosecurity Magazine interview, McAfee Chief Scientist Raj Samani said that improving internal communication channels is the single strongest defense against phishers. That means both improved software and vigilant training. There’s no better place to start than with the people who handle the most confidential information: members of the board.
Good software can take a local government off the “low-hanging fruit” list. Phishers scan organizations to see which have the weakest built-in defenses, targeting them first. Good software protects data, in essence putting it in a fortified castle surrounded by a moat.
Two software features are essential. The first is encryption. Software typically offers one of three levels: no encryption, 128-bit encryption, or 256-bit encryption. Only 256-bit encryption delivers the strong, robust protection that is needed. The second feature is storage on a private server. Secure storage remains “cloud based,” but at the end of the day, all information is stored on an off-cloud private server that is nearly impossible to find or to penetrate.
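The paragraph above treats “256-bit encryption” as a feature label. As an added example (not code from this page or from any board-portal product), the following Go program shows what that label means in practice for documents at rest: with AES, the key length alone decides whether you get AES-128 or AES-256, and pairing the cipher with GCM mode gives tamper detection, so a stored board document that has been altered is rejected rather than silently decrypted into garbage. Assumptions: AES-256-GCM as the concrete algorithm (the page names no cipher), a key drawn from the operating system’s random source, and constructed sample text; the function names are this example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyBits reports the AES key size a given key would select.
// aes.NewCipher picks AES-128, AES-192 or AES-256 purely from the key length,
// so "256-bit encryption" means the key material must be exactly 32 bytes.
func KeyBits(key []byte) (int, error) {
	switch len(key) {
	case 16, 24, 32:
		return len(key) * 8, nil
	}
	return 0, aes.KeySizeError(len(key))
}

// NewKey256 draws a fresh 32-byte key from the OS CSPRNG.
func NewKey256() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a document with AES-GCM under key. The output layout is
// nonce || ciphertext || tag, so the stored record is self-describing.
// assocData (for example a document ID) is authenticated but not encrypted,
// which stops a stored record from being swapped in under a different ID.
func Seal(key, assocData, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Appending to nonce allocates a new buffer, so the nonce stays intact.
	return gcm.Seal(nonce, nonce, plaintext, assocData), nil
}

// Open reverses Seal. Any modification of the stored bytes, or a mismatched
// assocData, makes GCM's tag check fail and the document is rejected.
func Open(key, assocData, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short to contain a nonce")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, assocData)
}

func main() {
	key, err := NewKey256()
	if err != nil {
		panic(err)
	}
	bits, _ := KeyBits(key)
	fmt.Println("AES key size:", bits)

	// Constructed sample: a board packet that should never sit in plaintext.
	doc := []byte("Executive session minutes (constructed sample)")
	id := []byte("doc-0001")
	rec, err := Seal(key, id, doc)
	if err != nil {
		panic(err)
	}
	out, err := Open(key, id, rec)
	fmt.Printf("decrypted ok: %v, text: %q\n", err == nil, out)

	// Flip one stored byte: the tag check fails instead of returning garbage.
	rec[len(rec)-1] ^= 0x01
	_, err = Open(key, id, rec)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The key is the whole secret: it must be held separately from the stored records (a key-management service or hardware module is the usual home), and each record needs its own random nonce, since reusing a nonce under the same key breaks GCM’s guarantees.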
Encryption and secure storage can shelter all communications conducted through a board portal; nothing can protect emails. The best practice for boards is implementing a policy banning all emailing related to board business. Such a comprehensive ban brings greater protection than software that makes it impossible for employees to access their work email accounts from home (which Klamath County is now using).
Board education makes the best software even more foolproof. Not only must boards be trained to communicate without emails, but frequent training can alert them to new patterns in spear-phishing, so they recognize the most recent contortions of attackers who continue to target their personal or work email accounts.
The fact is that most boards need training in more than “how to spot” new forms of sophisticated spear-phishing schemes; they lack much more basic knowledge and skills. A 2017 National School Boards Association (NSBA) survey of 428 school boards showed glaring gaps:
- 61% of respondents regularly or occasionally use personal e-mail accounts to communicate about board business.
- 42% of respondents believe wrongly that digital technology for communications between the board and the administration has decreased security overall.
- 37% download board materials onto personal devices at least half the time. Only 31% of respondents never make such downloads.
- Only 42% store digital board materials on a board portal, which alone provides adequate security. Instead, they store them on school websites, personal or external drives, or file-hosting sites.
- A whopping 51% of respondents answered “I don’t know” to the question: “Has a security audit of your board’s communications practices been conducted?” Another 31% knew with certainty that such an audit had not been conducted.
Despite these dangerous beliefs and practices, no less than 67% of respondents sit on boards that require no cybersecurity-related training whatsoever. Another 26% of them have no idea if their board requires such training (which means they probably do not).
As phishers evolve to outsmart us, it’s time to batten down the hatches with internal communications and board education. The best offense is a good defense: maximally secure software; informed board communication policies; and regular, rigorous training. Or you could trust luck — but every gambler knows that, given enough time, the house always wins.