An audit by the New York State Comptroller's Office found electronic access vulnerabilities in the water system of Middletown, N.Y., using a simulated cyberattack to find holes in the defenses.
Sadly, most organizations have cybersecurity holes but do not take the proper precautions to find them.
What are the proper precautions?
It depends on budget, but a small to medium business should have a cybersecurity firm – either an MSP or an MSSP – handling its IT.
Or, if they have an internal person or team, they should have an outside party – a consultant, MSP, MSSP, etc. – look for holes.
They should perform cybersecurity audits regularly.
Jacob Tawil, commissioner of public works for the city, said state-hired technology experts conducted a thorough investigation, including simulating a cyberattack on the city's water system, and found holes in the policies and procedures that could have allowed a hacker to tap into the city's networked water system.
"I don't say that about state audits all the time, sometimes I butt heads with them, sometimes we don't agree on everything, but this time it's absolutely timely, needed and it should be done if not annually every three-to-five years by the state to make sure every commitment made is implemented because there are really bad people out there," Tawil said Thursday.
"Adequate" policies and procedures were not in place to document information technology employee security duties, to guide employee usage of portable devices, or to require monitoring of networked water system devices, according to the state Comptroller's report from November. Technology security awareness training was also not provided to employees.
Middletown is relatively small at under 29,000 water connections, but size does not matter to hackers, which is why this audit was important to perform.
Now that problems have been found, it is time to solve them.
The moral of the story is – you can’t manage what you can’t measure.
Every organization needs regular audits like this – best case is quarterly, and the worst case is annual.
Just like a physical, which you need to keep your body healthy.
In the meantime, they need top professionals managing their network to keep it as safe as it can be.
The threats are mounting. We have reported on nation-state hacks, ISIS and, most recently, Evil Corp, which has stolen over $100 million.
Make no mistake that there are thousands of other people who wish they could emulate Evil Corp’s success and the tools to do so are available to anyone on the dark web.
A little education is all it takes for anyone to hack for themselves or to create their own hacking syndicate.
Every organization – not just those in New York – needs to take the threat seriously.
How do you stay secure or at least drastically reduce the risk? Follow these three steps to start:
1) Read cybersecurity essentials – a simple list which will help most organizations become far more secure.
2) Go to a phishing simulation vendor now and sign up for one of their offerings. Phishing Box, KnowBe4 and Phish360 are all great. This is needed to train workers by testing them without their knowledge, sending real-looking emails to their inboxes. If they click, they are immediately trained on what not to do.
3) We also recommend you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately – they can also help you build in the needed compliance to reduce the risk of being fined.