Lewis County is putting extra focus on preventing cyber breaches, following a dramatic uptick in threats, Information Technology Services Director Steve Wohld told area leaders Friday.
“There’s an over 300 percent increase in endpoint user attacks [on agencies in Washington state]” Wohld said. “The attacks on Lewis County are significant and much higher than they ever were.”
Wohl spoke to leaders from throughout the county at Friday’s Mayors’ Meeting, a monthly event hosted by the Board of Lewis County Commissioners, urging them to make sure their cities and agencies are using safe cybersecurity practices.
Since last year, Lewis County’s IT Services department has moved from spending 10 to 15 percent of its time on cybersecurity to devoting 40 percent of its time to the issue. Part of the concern is that hackers are increasingly not just going after networks, but targeting county employees to try to infiltrate the system.
“The point is getting this out in front and letting our users know that the target has changed,” Wohld said. “The primary target now is the endpoint user.”
In other words, county employees who use unsafe passwords, click on dubious email links or plug in untrusted USB devices could be exposing the entire network to risk. One risk that has become more common is ransomware, in which a hacker takes over a system and demands payment to regain access or data.
The city of Atlanta recently failed to pay a $50,000 ransom and ended up paying $2.6 million in efforts to recover compromised systems. That case is an extreme version of a problem that has also hit Washington state.
“Agencies across the state are paying out serious money recently, and we’re trying to avoid that,” Wohld said.
Recently, Lewis County Treasurer Arny Davis received a suspicious email from a treasurer in another county whose account had been hacked. He notified IT Services instead of opening the link in the email.
“If Arny would have clicked on it, his account would have been compromised,” Wohld said.
That was among many stories mentioned by Wohld and others about the importance of being vigilant. Commissioner Edna Fund said she had recently received an email on a work account from a personal friend whose email had been hacked. She also received notice of false charges on her account, only to be led to a site that tried to obtain her Social Security number. She logged onto Facebook, only to find another account claiming to be her.
“I’m becoming very vigilant,” she said. “From all different vantage points, I was getting hit.”
Even as he warns county employees to be more careful, Wohld conceded that the increased threats will likely cause the county issues, although it hasn’t lost any data yet.
“We’ve had some close calls,” he said. “I really think it’s a matter of time. We will have a loss; we will have a failure.”
IT Services is preparing for such a compromise, storing physical backups of data in a vault. And it’s working to “educate [county employees] on how to think differently about their computer and the power it has over the rest of us.”
Long-term, the department is implementing the Center for Internet Security’s 20-step series of Critical Security Controls. This year’s priorities include creating an inventory and control of hardware and software assets, establishing continuous vulnerability management and controlling use of administrative privileges.
Wohld said it will take three to five years to implement the full list of controls. He told the assembled local leaders to bring cybersecurity awareness back to their employees, and to communicate if they believe they’ve been compromised, which can prevent the problem from infiltrating more agencies.
“We really need people to be honest and come forward,” he said. “It’s not about shaming anybody, it’s about responding.”