A message from Comptroller William McNamara marking National Cybersecurity Month
Cybersecurity Awareness Month occurs every October, shining a one-month spotlight on a threat that requires our attention all twelve months of the year. The October event provides a reminder to refresh and update our knowledge about cyber fraud, because the threats and tactics of the bad actors change constantly. October is an ideal time to step back and look at our own practices and tools, to see if we are adhering to best practices. And this year especially, it’s a chance to think about how dramatic changes in the environment can bring new cybersecurity challenges to the Commonwealth.
While we have continued to innovate the way the Office of the Comptroller does business by offering more electronic options, and many Commonwealth employees now work in hybrid models, fraudsters continue to find new ways to exploit both new and pre-existing technology and vulnerabilities.
Therefore, our goal for Cybersecurity Awareness Month is to help state agencies – to help you – to become more secure in the way you work now.
To that end, we at the Office of the Comptroller are delighted to take part in Cybersecurity Awareness Month with “31 Days of Cybersecurity”.
Over the next month, CTR is excited to identify resources, tips, and recommendations to ensure that your department’s system of cybersecurity internal controls is strong. We are particularly thrilled about new additions to our CTR Cyber 5 videos, a new “Pause Verify Report” campaign to reduce unintended breaches, and social media posts and tips with quick, digestible cybersecurity recommendations.
- PVR – Pause Verify Report Campaign
A new campaign to make cybersecurity simple for employees, with three easy action steps to reduce the chance of employees clicking on malicious links or falling prey to social engineering tricks. CTR will also be posting free employee cyber awareness training videos that can be used for new employees and as refreshers!
- CTR Cyber 5
A series of short YouTube videos featuring guest experts from the public and private sectors introducing their five cybersecurity tips.
- Cybersecurity tips
Blog posts on general cyber hygiene and awareness that can be sent out to staff.
- Enterprise Information Security Policies and Standards highlights
Social media content highlighting each of the standards published by the Executive Office of Technology Services and Security.
To get all the latest cybersecurity content, follow the Office of the Comptroller on MAComptroller.org, Twitter, Facebook, and YouTube.
Here are also the continuing cybersecurity internal controls that anyone in a leadership position should keep in mind this Cybersecurity Awareness Month.
- Tone from the Top
As with any other internal controls, department leadership and managers are responsible for establishing a “tone from the top” that promotes cyber awareness, data security and fraud prevention at all levels of the organization.
- Enterprise Information Security Standards
Updating your Internal Control Plan is a strong message to staff, and must include implementation, testing, and training on the Commonwealth’s default Enterprise Information Security Policies and Standards. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments that have not adopted comparable cyber and data security standards as part of their Internal Control Plan.
- Everyone has a role
With increasingly sophisticated cyber attacks, everyone in a department has a role and responsibility to help prevent disruptions and theft of Commonwealth data and resources through cyber fraud and social engineering attacks. Promote an environment where everyone is invested in cyber safety.
- Staff Training
Most cyber incidents result from staff being tricked into clicking on an infected email or responding to a fraudulent email or phone call. All department staff must be routinely trained on how to recognize and report suspicious cyber and fraud activity, how to safely work remotely, and to adhere to strict “zero trust” procedural controls to validate all financial transactions. See our CTR Cyber page for tips, videos and free cyber awareness trainings.
- Critical Tasks Testing and Controls
Identify what kinds of cyber risks would hinder your department from performing its critical tasks, and implement operational and systemic controls to prevent those kinds of fraud attempts and cyber attacks from occurring. Testing systems for vulnerabilities, and having a rigorous plan to routinely update and patch equipment (both on-site and deployed), will significantly reduce cyber risks.
Working together, we can make October a month to improve our understanding and our processes, suited to today’s Commonwealth workplace. With this month of proactive cybersecurity work, we can be more effective in the following eleven months of cyber vigilance. Reach out to our Statewide Risk Management Team at [email protected] if you have questions or need assistance with internal controls.