Summit County is about to start a cyber security awareness campaign to prevent phishing attacks
November 8, 2018
You get an email. The sender appears to be someone you trust, perhaps a co-worker or someone else in the company. The person asks you to proofread a document and wants you to click a link to get to it. You haven't been at the job that long, so you think this might be a normal request. You click on the link, and a website that looks a bit like your company's asks you to enter your login username and password. Again, not knowing any better, you submit them. Just like that, you've been phished.
Phishing attacks have quickly become the most prolific tool for hackers trying to infiltrate organizations and steal information. Phishing works like it sounds. "Bait" is sent out to a potential victim in the form of an email or other communication. The victim bites by clicking the link, responding or otherwise engaging with the email. The attacker's reward is the victim's personal information, with the prized details being usernames, passwords, Social Security numbers or financial information.
On Tuesday, phishing took center stage as Summit County's information services director, Byron Rice, provided the county commissioners with an update on the county's cyber security.
Rice started with the results of a six-week-long phishing assessment conducted in April as part of the Cybersecurity Awareness Program run through the Colorado Secretary of State's office and the Department of Homeland Security. Summit County was one of 24 counties in the state to participate in that assessment.
It involved sending six progressively more sophisticated phishing test emails to county employees. The emails only measured how many recipients actually clicked on links. That April test showed that Summit County employees clicked on the links at a rate of 9 percent, right in line with other counties.
In July, the county contracted with a vendor to gauge Summit's cybersecurity. The vendor did a site assessment at the courthouse, the justice center, the county commons and other county facilities. Network monitoring tools were used at each of these sites to analyze data going in and out to keep track of hacking attempts and other network-based attacks.
"I know this might sound huge, but in the six days they detected we had prevented 335,945 intrusion events," Rice said. "What that means is that our protection is good, because they spotted zero actual penetrations."
Rice said the attacks came from all over the world, including Russia and North Korea. Rice also said the vendor remarked that hundreds of thousands of intrusion attempts was not an unusually high number.
"They are constantly tweaking their intrusion attempts to try to get into our systems and gather information," Rice said.
In September, the county did its own baseline phishing assessment to test how county employees respond to fake phishing emails. The email, purportedly from the county's information services department, asked the recipient to click on a link to verify their password, which led to a very realistic website, complete with an official logo.
Rice said 429 emails were sent out to county employees. Seven of those bounced back to the sender while 422 were actually delivered. Thirty-two percent, 135 recipients, actually opened the email. Fifteen percent, 56 recipients, clicked the link — 35 employees went a step further and actually submitted information. One person replied to the email.
The assessment showed that the county had a "phish rate" of 21.5 percent compared to the average baseline of 25.1 percent, putting the county in a good position to improve.
As part of a new cyber security awareness campaign, the county will look to instill best practices for avoiding phishing and other attempts to intrude into the network.
"The vendor said that if you do regular and frequent testing, phishing and follow-up education, the baseline phish rate will drop to 12.8 percent within 90 days," Rice said. "After a year of continually training, you can get it down to 1.5 percent."
Rice said that as part of the campaign, the county will also be looking to add a button that allows recipients to flag possible phishing attempts and other measures to respond more proactively to the scams. Aside from infrastructure improvements, there will also be a general awareness campaign with posters, flyers and regular training.