A message from Comptroller William McNamara marking National Cybersecurity Month
Cybersecurity Awareness Month occurs every October, shining a one-month spotlight on a threat that requires our attention all twelve months of the year. The October event provides a reminder to refresh and update our knowledge about cyber-fraud, because the threats and tactics of the bad actors change constantly. October is an ideal time to step back and look at our own practices and tools, to see if we are adhering to best practices. And this year especially, it’s a chance to think about how dramatic changes in the environment can bring new cybersecurity challenges to the Commonwealth.
In October 2019, Cybersecurity Awareness Month found us grappling with the upswing in ransomware attacks and the persistence of phishing attacks. We were examining e-signature as an efficient business tool that could either increase risk or reduce it, depending on implementation. As always, the threats were real and evolving, but the business environment itself seemed to be “steady state.”
By October 2020, both the business environment and our lives had been overturned. The pandemic had driven the majority of Commonwealth employees from offices with secure networks to their homes. To grapple with the public health crisis, many agencies found themselves moving more money and more information, under more urgent circumstances, than ever before. Remarkably – and because of your hard work and diligence – the massively greater potential risks of operating in those circumstances were successfully managed.
Now, in October 2021, the environment has changed again, and Cybersecurity Awareness Month presents a new opportunity. Hybrid and remote work, an exception only eighteen months ago, is now normal ongoing policy for many agencies and departments. State agencies, vendors, and residents have all become accustomed to doing online what was once done on paper and in person. Data that once sat on hard drives and office servers is now in cyberspace. Unfortunately, yet predictably, fraudsters have found new ways to exploit both new and pre-existing vulnerabilities.
Therefore, our goal for Cybersecurity Awareness Month is to help state agencies – to help you – to become more secure in the way you work now.
To that end, we at the Office of the Comptroller are delighted to take part in Cybersecurity Awareness Month.
Over the next four weeks, CTR is excited to identify resources, tips, and recommendations to ensure that your department’s system of cybersecurity internal controls is strong. We are particularly excited about CTR Cyber 5, a new video series featuring experts in the field of cybersecurity from both the public and private sectors, with quick and digestible insights on preventing the threats we face in 2021. In the spirit of the CTR Cyber 5, here are five takeaways for anyone in a leadership position this Cybersecurity Awareness Month.
- Tone from the Top. As with any other internal controls, department leadership and managers are responsible for establishing a “tone from the top” that promotes cyber awareness, data security and fraud prevention at all levels of the organization.
- Enterprise Security Standards. Updating your Internal Control Plan is a strong message to staff, and must include implementation, testing, and training on the Commonwealth’s default Enterprise Information Security Policies and Standards. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.
- Everyone has a role. With increasingly sophisticated cyber attacks, everyone in a department has a role and responsibility to help prevent disruptions and theft of Commonwealth data and resources through cyber fraud and social engineering attacks. Promote an environment where everyone is invested in cyber safety.
- Staff Training. Most cyber incidents result from staff being tricked into clicking on an infected email or responding to a fraudulent email or phone call. All department staff must be routinely trained on how to recognize and report suspicious cyber and fraud activity, how to safely work remotely, and to adhere to strict “zero trust” procedural controls to validate all financial transactions.
- Critical Tasks Testing and Controls. Identify what kinds of cyber risks would hinder your department from performing its critical tasks, and implement operational and systemic controls to prevent those kinds of fraud attempts and cyber attacks from occurring. Testing systems for vulnerabilities, and having a rigorous plan to routinely update and patch equipment (both on-site and deployed), will significantly reduce cyber risks.
Working together, we can make October a month to improve our understanding and our processes, suited to today’s Commonwealth workplace. With this month of proactive cybersecurity work, we can be more effective in the following eleven months of cyber vigilance.