County Executive Bellone to Announce Foiled Cyber-Attack Attempt Directed at Suffolk County Department of Health Services
In Wake of Recent Attempted Cyber-Attacks, Nassau County Comptroller to Partner with Suffolk County Cybersecurity Working Group
Regional Cyber Partnership Follows Phishing Scheme Targeting Nassau County Comptroller’s Office
Suffolk County Executive Steve Bellone today announced the results of Suffolk’s first cyber security risk assessment report to identify and reduce cyber vulnerabilities. Among the recommendations being implemented are cybersecurity awareness trainings for all county employees and the expansion of Suffolk’s cyber security working group to include representatives from the Nassau County Comptroller’s office to enhance intelligence sharing.
Earlier this year, the Suffolk County Department of Health Services foiled a cyber-attack attempt to re-route an employee’s paycheck via direct deposit to a bank account that the attackers controlled. Last week, Nassau County recovered more than $700,000 paid through the comptroller's office to scammers pretending to be a county vendor.
“This thorough security assessment of our current network has helped us understand our current abilities and identified areas that could use improvement,” said Suffolk County Executive Steve Bellone. “By using this report to adopt best practices from around the country and enhancing communication with our municipal partners, Suffolk County’s cyber infrastructure is safer today than ever before.”
“As cyber attackers adapt, the threat only worsens. It is incumbent upon all of us to ensure that we undertake necessary and critical efforts to modernize our financial systems so that we can remain vigilant against the threat of cyber-attacks and further protect tax dollars,” said Nassau County Comptroller Jack Schnirman. “I look forward to working on a regional basis to ensure that we are doing all that we can to protect taxpayers and residents.”
In February of 2019, County Executive Bellone announced that Suffolk would be the first municipality in New York State to contract with a vendor to conduct a security exercise to evaluate network weaknesses and develop responses to cyberattacks. The County selected RedLand Strategies to help lead a thorough security assessment of its current network with the assistance of Palo Alto Networks that focused on the Suffolk County Police Department, Suffolk County Fire and Rescue Services, and Suffolk County Department of Information Technology.
The “cyber checkup” helped the county understand its current ability to respond to a cyber threat and used a robust tabletop exercise to identify possible operating vulnerabilities. The tabletop exercise helped identify next steps to enhance the county’s cyber infrastructure and laid the framework for Suffolk’s first Cyber Security Assessment Report and recommendations, as required by legislation introduced by Legislator Sarah Anker.
Suffolk County Legislature Presiding Officer Rob Calarco said: “The ongoing and increased risks associated with cybersecurity require proactive measures to ensure the County is protected against scams that needlessly create threats to our network and financial systems. Suffolk’s cyber security risk assessment report identifies our vulnerabilities and identifies proactive measures we can take to protect our systems and data. Anything we can do to prevent these threats is vital. I commend the County Executive on his swift and comprehensive response.”
Suffolk County Legislator Sarah Anker said: “In order for government to stay ahead of the hackers, scammers and cyber terrorists, there must be collaboration and communication with all levels of government, from local to federal, and all agencies within the County. That will be our advantage in dealing with cyber-crimes and cyber-attacks.”
Suffolk County Police Commissioner Geraldine Hart said: “No one is immune to falling for a scam. These types of criminals are creative, persuasive and relentless. But our best defense against these scammers is education—be vigilant with protecting personal information, take precautions when sharing that information and don’t overreact to an alleged crisis without thinking about exactly what the caller is telling you.”
Risk Assessment Recommendations
Some of the key recommendations that were identified as part of these various efforts and would ultimately affect policies within the County include:
- Organizational Governance Improvements
- Technology Upgrades to Improve Effectiveness
- Development of a Cybersecurity Response Plan
- Implementation of User Cybersecurity Training and Awareness
- Integrate a Physical Security Function
To further improve the County’s cybersecurity program, a cybersecurity working group has been established that includes all relevant security and cybersecurity personnel within the County. The working group is led by the Department of Information Technology and meets on a regular basis to exchange relevant cybersecurity-related information and to discuss technology requirements, resources, policies and funding related to cybersecurity. Beyond the departments within the County, it has become very clear that Long Island as a whole, including towns, villages, utilities, special districts and school districts, is struggling with the same cybersecurity concerns. As part of an effort to strengthen Suffolk County’s cybersecurity governance structure, special consideration is being given to how Suffolk County can leverage and share our resources in an attempt to minimize overall costs and, ultimately, the overall risks associated with cybersecurity within our local region.
As a new policy, Suffolk County now requires every County employee with access to a computer to successfully complete cybersecurity awareness training on an annual basis. As identified in the report, having an effective cybersecurity awareness training plan can significantly reduce the risk of a cyberattack and is critical to an overall cybersecurity plan. The County’s training plan will include periodic simulated cyberattack email campaigns against all computer users. These simulated tests will occur periodically throughout the course of the year for all users; however, we will increase the number of simulations for employees who have failed the simulations multiple times. Employees who fail the simulated cyberattack will require retraining.