North Carolina County loses Millions to Business Email Compromise and Phishing

August 6, 2019

North Carolina County loses Millions to Business Email Compromise and Phishing

Written by Michael Castro, vCISO and founder of RiskAware

Late last year, Cabarrus County in North Carolina fell victim to a crafted email asking to change banking information for a contractor with whom they had started business earlier that year. Within 3 weeks, the County had sent more than 2.5 Million dollars to who they thought was their contractor. It wasn’t.

It took a few more weeks to discover that they had been compromised. When the dust settled, the County was able to recover some funds, including a mere $75 000 from insurance, but even now, more than 1.7 Million remains unaccounted for.

Last year, losses to business email compromise topped 1.2 Billion dollars. As such, it is clear how an easy scheme can net quite large returns, and why it is so popular amongst cyber thieves.

Just the month previous, the city of Griffin in Georgia lost $800 000 in a compromise scheme.

Email as a process is not enough to deal with impersonation email, email fraud and wire transfer processes. Municipalities need to build new processes with checks in place to prevent the easy route of email compromise and fraud. Changes to account payable processes, proposer cybersecurity planning and education can all greatly improve the chance of such a scheme being caught before any money is lost.

Municipalities should also consider bring in cybersecurity experts to help with governance, compliance and process models that go beyond technical security controls and systems. For those government groups that have smaller budgets set aside for cybersecurity, a fractional or virtual Chief Information Security Officer (vCISO) is a good resource to help plan and build a more resilient cyber presence within a budget and capability of the municipality.

RiskAware is a boutique Cybersecurity firm, specializing in Security Governance and Strategy, assisting organizations of all sizes with security and risk advisory services and security-on-demand capabilities. RiskAware and its founder Michael Castro also provide fractional CISO services

RiskAware can be contacted at [email protected] or visited at www.riskaware.ca

Cyber Attacks & Municipalities: A Tale of Two Communities

April 15, 2019

“There are only two types of companies: Those that have been hacked, and those that will be.”,

Robert Mueller, FBI Director, 2012

Executive Summary

In 2018, many municipalities in North America fell victim to cyber-attacks, and in particular ransomware. This study reviews two municipalities, Atlanta, Georgia, and Wasaga Beach, ON whom both were impacted as a result of a malicious attack on their networks.

Atlanta

Atlanta (pop. 486 000) was hit in March 2018 with a cyber-attack through ransomware. A ransom of $51 000USD was demanded but not paid. Over the next few days, critical systems and activities were taken offline as city staff struggled to regain access to systems. Impact included:

· Public Wi-Fi disabled

· 30 mission critical applications disabled

· 8 000 employees were unable to access their email or networks for days

· Citizens were unable to pay fines or parking tickets

· Forms had to be completed by hand as systems restored

· Many official documents were not recoverable

Final tally was close to $10 Million, including costs for additional contractors, system upgrades, new technology and computer replacement.

Wasaga Beach

Wasaga Beach (pop. 21 000) was hit in April 2018 with a similar type of ransomware attack. Initial demand for close to $150000 was reduced to $35 000 and paid by the municipality. Despite this, the town was impacted for weeks even with recovery efforts.

Impacts included:

Government data inaccessible for weeks
Systems had to be re-imaged and rebuilt
Payroll systems hampered

Final tally close to $252 000, including $50 000 for consulting, $160 000 for lost productivity and overtime, system upgrades, new technology and computer replacement. Some costs carried into 2019 Budget Year.

How to be Prepared in Your Municipality

While Atlanta and Wasaga Beach are different sizes, they both suffered similar negative impacts due to a malicious attack, and having inadequate preparation for the type of attack that hit each separately.

Being prepared begins with a proper security risk assessment and review of the security practices and processes currently in place. Assessments should typically review such areas as:

Technology in place for security controls
Policies and standards related to Information Security
Training and awareness in place with staff
Incident Response plans
Disaster Recovery Plans

Municipalities should also consider:

Training for IT staff on cybersecurity
Cyber Insurance
Testing and training of staff on cybersecurity issues
Use of third parties with cyber specialization to complement skillset of internal team.

Conclusion

Cyber Attacks can be indiscriminate and attack all levels of companies including municipalities large and small. However they can also target municipalities, due to limited IT budgets, strained technical resources and small if any dedicated security personnel.

Municipalities should take proactive measures to prepare for cyber-attacks and reduce the impact and likelihood of financial costs and loss of services.

“The effectiveness of one’s security program belongs to those who see the possibilities
before they become obvious.”, Michael Castro, 2018

RiskAware can be contacted at [email protected] or visited at www.riskaware.ca

Cyber Security and Municipalities: Balancing Risk and Budget

February 19, 2019

Weak or nonexistent cybersecurity programs represent a massive organizational risk for municipal government agencies across North America, and of course Canada. Municipal leaders are often unaware of these risks because they assume that security is addressed or believe that a threat is minimized as a public sector organization.

In 2018, reports from three Ontario municipalities, one in BC and one in Quebec surfaced. All around ransomware, and all impacted adversely the operations and privacy of their records and impacting their constituents. Each also had a financially impact to the municipalities as each had to work to eradicate the malware, recover data or pay ransoms.

While ransomware attacks are often indiscriminate and are about disruption, other attacks are imminent that also hinge on weak security measures and experience. Theft of data from the public sector is valuable and should not be overlooked. Land deeds, mortgage information, birth and death records, SIN numbers and more, all constitute Personally Identifiable Information (PII) and all can equate to valuable dollars to those who can use them for further criminal activity.

Municipalities need to be looking at various areas to shore up cyber security for their offices and staff and help reduce the risk associated with these threats.Actions can include but not limited to:

-Developing a cyber security strategy to combat threats and understand security posture

-Implementing technology and security tools to handle threats as they emerge

-Awareness training for staff to help know when threats like phishing email are present

-Developing a information security policy for all staff to follow

Cyber threats is a multi billion dollar industry for cyber criminals. Municipalities are not immune to the threats that are present every day. Each municipal leadership team should look at their own areas and determine what steps are needed to be performed.

In the end it is not IF a cyber attack will affect them but rather WHEN and HOW impactful it will become.

Interested in an assessment or virtual CISO services? Feel free to drop a line

Michael Castro

Founder and Principal, RiskAware Group

[email protected] www.riskaware.ca

We connect municipalities and the businesses that serve them.

muniBLOG Archives