By MAXWELL EVANS
Capital News Service
LANSING — Nearly one in five state employees gave out sensitive information to a fake phishing scam, according to a recent report from the Auditor General, and lower levels of government in Michigan appear ill-prepared to prevent tech attacks.
The harmless, state-sanctioned “scam” was actually an exercise conducted by the Auditor General’s office, a nonpartisan investigative arm of the Legislature. It involved sending emails asking a random sample of 5,000 state workers to click a link and enter their login credentials.
This was a classic example of “phishing,” in which email recipients are deceived by someone posing as a legitimate entity, usually to get targets to enter information like passwords or identification.
Potential consequences from being “phished” include identity theft, unauthorized access, and damage to credibility, according to private cybersecurity firm SANS Institute, headquartered in Maryland.
The results of the exercise exposed weaknesses in the state’s computer security awareness and training programs. Thirty-two percent of targeted employees opened the fraudulent email, while 25 percent clicked the link and 19 percent entered their credentials.
“It is vital to the state’s network security that employees … fully understand cyber security threats and learn how to protect confidential information, including the consequences of their actions,” the Auditor General’s report read.
While the audit examined only state employees, some local government personnel are also lacking in cybersecurity training, according to David Sanders, Lake County’s information technology (IT) director.
“You don’t see a lot of cybersecurity training,” Sanders said. “A lot of it is, ‘OK, your password’s gotta be eight characters, one upper, one lower,’ and a lot of times that’s the extent of it.”
Kelly Miller, the state relations officer for the Auditor General, said she could not speculate about the worst-case scenarios that could arise as a result of poor cybersecurity training at the local level.
However, all one has to do is look to a recent rash of hacks against major companies, government agencies and institutions for proof of the dangers, said Vijay Bhuse, an assistant professor at Grand Valley State University’s School of Computing and Information Systems.
Bhuse said all governments should be on high alert after hackers attempted to influence the 2016 presidential election, as well as infiltrate private databases of information at Experian, PNC and Yahoo, among others.
He said lax security measures weren’t a result of maliciousness or laziness, but often stemmed from ignorance of the severity of the risks inherent in handling sensitive information.
Bhuse highlighted the Equifax breach, in which company officials blamed a single person’s missteps, as proof of the importance of cybersecurity training for all employees.
“A lot of bad things can happen, and I think we are just at the beginning. It can get a lot worse,” Bhuse said. “Most of the hacking happens because of people doing something really, really stupid.”
The targeting of high-profile entities like major financial institutions and tech giants doesn’t mean smaller governments are safe – just ask Sanders of Lake County, which was the victim of a security breach last year.
A timely response on the part of the IT department prevented significant damage, as staff were quick to identify the specific email that was opened to expose the network to attack. Sanders said since the problem was identified the next morning, Lake County escaped the situation without data loss or information leaks.
Sanders repeatedly pointed to human error, like the opening of a fraudulent email that endangered his county’s systems, as the biggest cybersecurity risk facing local governments.
Given this, he said it was crucial that employees receive continual training rather than a one-time session for new hires.
The rapidly changing nature of technology — and its ability to be hacked — makes it important for governments to constantly prioritize network safety, Sanders said. However, he indicated it was more difficult to implement detailed cybersecurity training within smaller entities, such as his in Lake County.
“Everybody here wears a lot of hats — there’s not a lot of time for that kind of thing,” Sanders said. “But it’s important, and time should be made for it. It’s one of those growing pains with the changing of technology and how people are doing their scams.”
Some counties don’t have dedicated IT departments, instead opting to outsource the work to technology companies that sometimes operate outside their county.
For example, Gladwin County partners with Bath firm IT Right, while Ionia County works with i3 Business Solutions in Grand Rapids for their tech needs.
No matter how governments choose to address their network safety, Bhuse stressed the importance of dedication to cybersecurity.
As public servants, government workers owe it to constituents to protect the sensitive public information they keep, like social security numbers, telephone numbers and addresses, he said.
“We as citizens need to hold government accountable for our information that they collect,” Bhuse said. “They have a responsibility to protect it, and they should train and educate their employees.”