The Covid-19 pandemic forced Norwalk city employees, like those in the private sector, to work from home. Unlike other workers though, city employees have access to reams of sensitive information: tax records, HIPAA-protected health data, profiles of school children, arrest records and body camera footage.
With all of this information at risk, preventing a data breach is much more important than finding its cure, according to Connecticut cybersecurity experts.
Norwalk Chief Finance Officer Henry Dachowitz and IT Director Karen Del Vecchio joined Dale Bruckhart of Digital BackOffice on “The Municipal Voice” to talk about the changing face of cybersecurity. The Municipal Voice is a co-production of the Connecticut Conference of Municipalities and WNHH FM.
“Covid-19 changed the way we do business,” Del Vecchio said.
Given just 72 hours to plan for hundreds of employees to work from home for the first time, her department enacted a two-week hurricane plan.
“No one imagined that seven months later, most of our workforce would still be working from home,” she said.
With so many employees working from home, there are more ways to get into the city system. Bruckhart called these ins “attack surfaces.”
While some attacks require the kind of sophisticated techniques seen in movies, 90 percent of breaches happen through social engineering, according to Dachowitz. This means that a person simply asks you for sensitive information while posing as a legitimate resource, or otherwise tricks you into providing an in.
Because of this, many places — both public and private — have begun using two-factor authentication. This is one of Bruckhart’s most cost-effective security measures, since it’s so easy to adopt.
Del Vecchio described the practice as involving something you have and something you know. If you want to use your debit card to take money out of a bank, she says, you have a card and you know your PIN. In tech, two-factor authentication works on the same principle: you know your password, and you have an app to create a PIN (or one is texted to you on your cell phone).
This has helped during Covid. It’s easy to tell the system that the person logging in really is that person. This lowers the attack surface by eliminating one possible avenue into a municipality’s IT system.
But there are others, and towns and cities across the country have fallen victim to ransomware attacks where the perpetrator encrypts important data for a ransom, usually to be paid in bitcoin.
Given the sensitive data governments maintain, any municipality that refuses to pay a ransom does not simply risk losing its data. It risks having that data made public to other bad actors who might steal that information.
This is why Bruckhart believes that the most important cybersecurity step is prevention – lowering the attack surface so that you don’t have to deal with the fallout later.
All three guests said that, more and more, cybersecurity should be a priority, not just for municipalities, but for businesses and home users. Success is contingent on a good plan, education, and staying up to date on the newest types of attacks, they said.
“It’s about people. It’s about process. It’s about technology,” Del Vecchio said. “You get one wrong and you won’t be successful.”