We've all seen the news articles and stories about Target, Home Depot, and other major retailers and businesses getting hacked, and the major business impacts this can cause. Up until recently, though, we've felt pretty safe knowing that as Oklahoma towns and cities, we're relatively small targets. Unfortunately, that has changed. Hackers are increasingly going after smaller, less well-protected organizations, and one of our own has been a recent victim.
A few weeks ago, Enid, Oklahoma (one of OMAG's member cities) was successfully targeted in what is known as a "Spearphishing" attack, and ended up losing over $30,000. In a spearphishing attack, an attacker poses through email, social media, or over the phone as an executive or leader to trick the staff of an organization into wiring money or giving up access to systems, including financial systems. Often, the spearphishers will use some clever technology tricks to make emails, phone calls, and social media messages look like they're coming from a supervisor or other person in charge.
There are two approaches to protecting yourself, and both must be followed. The first is for your technology staff to properly secure and protect all of the systems a hacker might target. Often this is an arms race: hackers are becoming increasingly clever at finding new ways to attack systems, while technology staff, facing slimming budgets and increasingly complex needs and systems, are struggling to keep up. It is also hard to treat cybersecurity as a priority until an attack is in progress.
The second piece is securing the human. As seen in most attacks, the weakest link is a staff member who is unaware of the risks and may be far too trusting of those with malicious intentions. Such individuals, while meaning well, may not know the risks of sharing a username and password with someone over the phone, or they may click on links or download software and bypass filters and anti-virus safeguards. Cities should always have policies and procedures in place that put controls on wire transfers and incorporate system security elevations, and they should provide good security awareness training on an annual basis. All staff should also approach financial matters or access to any sensitive systems or data with a healthy degree of skepticism, and constantly ask themselves "What if?" Simple verification, procedures, and approvals for access to these systems or for carrying out these tasks can help to reduce or eliminate these risks and prevent cities from becoming Spearphishing targets of opportunity.
Finally, as always, you are welcome to contact OMAG's Technology Services department. We will be happy to share sample policies and procedures, or conduct training, policy reviews, etc., and advise your city on how to prevent these types of attacks and protect itself in the future.