Posted: 7:58 a.m. Saturday, March 25, 2017
More than a year before the February phishing attack that led a San Marcos employee to accidentally leak hundreds of W-2 forms, an assessment identified the city’s lack of cybersecurity training as a vulnerability.
The assessment, completed in the fall of 2015 by SHI Security Services, found that the city didn’t have a security awareness training program. The finding was one of a dozen low- and high-risk vulnerabilities listed in a draft version of the report obtained by the American-Statesman and was described as “the easiest to solve.”
A follow-up test was conducted with the city’s blessing, according to the city’s former information technology infrastructure manager, Lenora Newsom. The test found a number of San Marcos employees fell for a simulated phishing email sent with the help of a security consultant, Newsom said.
The city’s IT director purchased a one-year employee training package from that consultant, KnowBe4, but the plans to roll out the training took longer than expected, city spokeswoman Kristi Wyatt said. The IT department submitted a budget request last year to extend the subscription, she said, but that request was denied during the fiscal 2017 budgeting process.
Newsom, who left the city in August 2016, was one of more than 800 current and former employees whose W-2s were stolen last month. When the city notified her of the breach, Newsom said she was infuriated.
“I thought, ‘Are you kidding me? I worked really hard to prevent this,’” Newsom said. “I believe that San Marcos is ahead of a lot of places in the IT realm … but this was a piece that, well, in my opinion, was not taken seriously.”
Wyatt confirmed that the city doesn’t have mandatory cybersecurity training for employees outside of its information technology department. Rather, managers periodically send emails to employees with educational materials and information about the latest hacking trends, and human resources employees talk to new hires about cybersecurity, Wyatt said.
The city’s IT director is working on creating a training program, and on Friday the city held its first citywide, in-person training on security, Wyatt said.
“The city will continue to provide security awareness and expand training to all employees,” Wyatt said. “Training is only one factor in protecting our information from scammers. … In many incidents, including our recent attack, human error plays a role. While we can’t prevent every possible breach, we can and have taken steps to limit our exposure.”
City focusing on improvements
The report by SHI Security Services described the lack of training as a “low-risk” finding. But it noted that the “issues described represent a demonstrable risk of service interruption and/or theft of sensitive data with a medium- or high-level of exploit skills.”
City officials declined to comment on the draft report obtained by the Statesman.
“The recent phishing incident is currently being investigated by the San Marcos Police Department, and the city is also working closely with the IRS and the FBI,” Wyatt said, adding that “further discussions could further compromise our security situation.”
Mike Sturm, the city’s IT director, wasn’t available for an interview Friday. But he said in an emailed statement that, after buying the training package from KnowBe4, the department began “evaluating, testing, and developing a plan to implement training across the organization.”
Wyatt was unable to provide information about why the city didn’t approve the IT department’s request to extend the subscription for the KnowBe4 training package during the fiscal 2017 budgeting process.
Stu Sjouwerman, CEO of KnowBe4, said he couldn’t speak about any specific customer, but said sending educational emails and going over information with new employees isn’t a strong enough method of preventing breaches.
Sjouwerman said his company has had success in reducing its customers’ vulnerability to attacks by training. In one example he offered, a customer went from about 16 percent of its employees falling for simulated attacks to 1 percent.
“There will always be somebody who has an off day and falls for that attack anyway,” he said. “But it’s dramatically less” with training.
Luck ran out
The type of attack that duped the San Marcos employee in February, in which a hacker impersonates a familiar contact to trick someone into forwarding confidential information, is called “CEO fraud” and is increasingly common, Sjouwerman said.
In February, the IRS issued a warning about such a W-2 phishing scam that had initially targeted the corporate sector but had spread to other areas, including school districts, tribal organizations and nonprofits.
That same month, employees of Belton school district’s business office released W-2 forms for about 1,700 current and former district workers after being targeted by a phishing email that appeared to be from the district’s superintendent. The forms include sensitive information, such as Social Security numbers, and some hackers use the information to file fraudulent tax returns seeking refunds.
In the case of the San Marcos breach, city officials have said, the email requesting the information was made to look as if it came from the mayor. Sjouwerman said hackers can configure such emails using a forged address.
That’s why it’s so important for employees to be trained to recognize and flag suspicious emails, he said.
In a June 29, 2016, email obtained by the Statesman, Sturm requested that employees of the human resources department incorporate the KnowBe4 software into new hires’ training — right away.
“There are so many phishing emails and direct calls going around, that if a new employee doesn’t understand the risk on their first day, there is huge security risk to the City,” Sturm wrote. “Yes, we have been lucky so far.”