San Marcos at risk before phishing scam
Report in fall 2015 found city lacked cybersecurity training.
More than a year before the February phishing attack that led a San Marcos employee to accidentally leak hundreds of W-2 forms, an assessment identified the city’s lack of cybersecurity training as a vulnerability.
The assessment, completed in the fall of 2015 by SHI Security Services, found that the city didn’t have a security awareness training program. The finding was one of a dozen low- and high-risk vulnerabilities listed in a draft version of the report obtained by the American-Statesman and was described as “the easiest to solve.”
A follow-up test was conducted with the city’s blessing, according to the city’s former information technology infrastructure manager, Lenora Newsom. The test found a number of San Marcos employees fell for a simulated phishing email sent with the help of a security consultant, Newsom said.
The city’s IT director purchased a one-year employee training package from that consultant, KnowBe4, but the plans to roll out the training took longer than expected, city spokeswoman Kristi Wyatt said. The IT department submitted a budget request last year to extend the subscription, she said, but that request was denied during the fiscal 2017 budgeting process.
Newsom, who left the city in August 2016, was one of more than 800 current and former employees whose W-2s were stolen last month. When the city notified her of the breach, Newsom said she was infuriated.
“I thought, ‘Are you kidding me? I worked really hard to prevent this,’” Newsom said. “I believe that San Marcos is ahead of a lot of places in the IT realm ... but this was a piece that, well, in my opinion, was not taken seriously.”
Wyatt confirmed that the city doesn’t have mandatory cybersecurity training for employees outside of its information technology department. Rather, managers periodically send emails to employees with educational materials and information about the latest hacking trends, and human resources employees talk to new hires about cybersecurity, Wyatt said.
The city’s IT director is working on creating a training program and on Friday held its first citywide, in-person training on security, Wyatt said.
“The city will continue to provide security awareness and expand training to all employees,” Wyatt said. “Training is only one factor in protecting our information from scammers. ... In many incidents, including our recent attack, human error plays a role. While we can’t prevent every possible breach, we can and have taken steps to limit our exposure.”
City focusing on improvements
The report by SHI Security Services described the lack of training as a “low-risk” finding. But it noted that the “issues described represent a demonstrable risk of service interruption and/or theft of sensitive data with a medium- or high-level of exploit skills.”
City officials declined to comment on the draft report obtained by the Statesman.
“The recent phishing incident is currently being investigated by the San Marcos Police Department, and the city is also working closely with the IRS and the FBI,” Wyatt said, adding that “further discussions could further compromise our security situation.”
Mike Sturm, the city’s IT director, wasn’t available for an interview Friday. But he said in an emailed statement that, after buying the training package from KnowBe4, the department began “evaluating, testing, and developing a plan to implement training across the organization.” Wyatt was unable to provide information about why the city didn’t approve the IT department’s request to extend the subscription for the KnowBe4 training package during the fiscal 2017 budgeting process.
Stu Sjouwerman, CEO of KnowBe4, said he couldn’t speak about any specific customer, but said sending educational emails and going over information with new employees isn’t a strong enough method of preventing breaches.
Sjouwerman said his company has had success in reducing its customers’ vulnerability to attacks by training. In one example he offered, a customer went from about 16 percent of its employees falling for simulated attacks to 1 percent.
“There will always be somebody who has an off day and falls for that attack anyway,” he said. “But it’s dramatically less” with training.
Luck ran out
The type of attack that duped the San Marcos employee in February, in which a hacker impersonates a familiar contact to trick someone into forwarding confidential information, is called “CEO fraud” and is increasingly common, Sjouwerman said.
In February, the IRS issued a warning about such a W-2 phishing scam that had initially targeted the corporate sector but had spread to other areas, including school districts, tribal organizations and nonprofits.
That same month, employees of Belton school district’s business office released W-2 forms for about 1,700 current and former district workers after being targeted by a phishing email that appeared to be from the district’s superintendent. The forms include sensitive information, such as Social Security numbers, and some hackers use the information to file fraudulent tax returns seeking refunds.
In the case of the San Marcos breach, city officials have said, the email requesting the information was made to look as if it came from the mayor. Sjouwerman said hackers can configure such emails using a forged address. That’s why it’s so important for employees to be trained to recognize and flag suspicious emails, he said.
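The article describes a W-2 request that appeared to come from the mayor but was sent from a forged address. As an added illustration (not part of the article, and not KnowBe4 or the city’s software), the following Python script shows the kind of automated triage check a mail gateway or help desk could run on a reported email: it flags a trusted official’s display name paired with an external address, a mismatched Reply-To, and wording that asks for W-2 or payroll data. The names, domains and sample message are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the city's mail domain and the officials
# whose names attackers are most likely to impersonate (hypothetical values).
TRUSTED_DOMAIN = "city-example.gov"
PROTECTED_NAMES = {"mayor", "jane doe"}
SENSITIVE_TERMS = ("w-2", "w2", "social security", "ssn", "payroll")

# Constructed sample: a CEO-fraud style message impersonating the mayor.
SAMPLE_FRAUD = """From: "Mayor Jane Doe" <jane.doe@mailbox-example.net>
Reply-To: records-desk@mailbox-example.net
To: payroll@city-example.gov
Subject: Urgent: W-2 copies needed today

Hi, can you send me the W-2s for all employees as a single PDF? Thanks.
"""

# Constructed sample: an ordinary internal message that should not be flagged.
SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@city-example.gov>
To: payroll@city-example.gov
Subject: Tuesday meeting

See you in the conference room at 10.
"""


def _plain_text(msg) -> str:
    """Return the text/plain content of a parsed message (multipart or not)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True).decode(errors="replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(parts)


def flag_suspicious(raw: str) -> list:
    """Return a list of human-readable reasons the message looks like CEO fraud."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if domain != TRUSTED_DOMAIN:
        reasons.append(f"sender domain is external: {domain or 'missing'}")
        if any(p in name.lower() for p in PROTECTED_NAMES):
            reasons.append(f"display name '{name}' matches a city official but address is external")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr.lower():
        reasons.append(f"Reply-To ({reply_to}) differs from From address")
    text = (msg.get("Subject", "") + "\n" + _plain_text(msg)).lower()
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if hits:
        reasons.append("requests sensitive data: " + ", ".join(hits))
    return reasons
```

A message with any reason listed would be held for review rather than delivered, which is the automated counterpart to the employee-side training the article discusses.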
In a June 29, 2016, email obtained by the Statesman, Sturm requested that employees of the human resources department incorporate the KnowBe4 software into new hires’ training — right away. “There are so many phishing emails and direct calls going around, that if a new employee doesn’t understand the risk on their first day, there is huge security risk to the City,” Sturm wrote. “Yes, we have been lucky so far.”
A report from 2015 determined that the lack of cybersecurity training for city employees in San Marcos could be a vulnerability.