NEW PORT RICHEY – The recent “kidnapping” of data belonging to four Florida local governments, and to other city and county governments around the country, has not been lost on those responsible for the information technology of Pasco County.
In a typical incident of this sort, a hacker sends an email to government workers in the hopes one will open an attachment in the message. Doing so launches a malware program that locks up the data in the government’s computer systems, including utility billings, property records and tax records. A demand for ransom to unlock the data then follows.
Lake City, in north Florida, was targeted with one such ransom attack and paid $460,000 to get its data back, according to news reports. Baltimore was another ransomware attack target.
The leader of Pasco County’s IT department says preparing for such threats is a daily protocol and that cybersecurity “is not a perfect science.”
“We are as secure as the due diligence that we apply within the county and to the best practices within the industry,” said Todd Bayley, Pasco chief information officer.
Bayley said the county takes cybersecurity “extremely seriously” and “we are only as good as our weakest link.”
“Our weakest link is our employees and as best that you can put appliances on your first line of defense, it takes a human and that first line of defense to mitigate any threat because the threat is constantly changing,” Bayley said.
His remarks were not meant to disparage the 90-member team that works under him to keep the county’s complicated IT structure running. Instead, they help emphasize that with constant changes to the technology, constant training is necessary throughout the county’s employee network.
“We have a four-member, full-time cybersecurity team and all four have master’s degrees in cybersecurity,” Bayley said. “But, that’s still not enough.”
He said the county also has a special electronic device that helps monitor all security activity “and alerts us to unusual behavioral statistics and activity that my team addresses immediately.”
Under a program endorsed by County Administrator Dan Biles, the IT team is allowed to send cybersecurity training material to every employee who logs into the county system.
“If they refuse the training or don’t take the training within a certain period of time, their log-ins are taken away and they have to go back through the county administrator to have them re-enabled,” Bayley said. “If an employee does take the training, we randomly test them with a spoofed email that we generate. If they fail the test, then they are sent to refresher training and take another test to ensure they don’t become our weakest link.”
Bayley said the process constantly revolves and evolves.
“The way we view security is it takes man, plus the machine, to bolster our first line of defense and, of course, our employees are our weakest link because they are the ones that may click on links thinking they are legitimate or the bad guys are so good they can spoof vendors that we work with,” he said. “It takes the extra step of trying to protect them from clicking on something and making them aware of what to look for.”
He also noted that it is complicated to keep data protected when the law requires it to be open and transparent.
“They are probably easier to attack than private industries are with trade secrets,” Bayley said. “That’s why I feel the attacks are on the rise. Typically, we let our guard down thinking everything we do is transparent and open to the public anyway. But, we also do hold critical data and we have to keep those separated.”
“I never want to say we are 100 percent protected, but we are doing everything in our power and our prudence to cover and keep our data safe,” Bayley said.