Wednesday, April 29, 2026 at 10:52 PM

‘When, not if’

Local agencies address cybercrime

NEWPORT — Municipalities like the City of Newport are not the only ones who can fall victim to cybercrime.

Cybercrime, or illegal activity conducted via digital devices or networks, poses an ongoing threat to all individuals and industries. From hyperlinks leading to ransomware attacks to phishing schemes utilizing artificial intelligence, cybercriminals employ a range of methods in order to steal money or data from their victims — as evidenced in Newport, where a cyber fraud resulted in the theft of $336,588 in public money from the municipality earlier this year.

The cyber fraud at Newport was part of a phishing scheme, or a cyberattack that attempts to steal money or data by convincing victims to reveal personal information.

In response to such cyberattacks, some agencies in the Pend Oreille River Valley have taken measures to address cybercrime, including the Pend Oreille County government, public hospital district and school districts.

“It is definitely a very big, real threat that all governments are facing, it’s not just us,” said Shane Flowers, director of Information Technology Services for the county. “And it’s across all industries, it’s not just government.”

Moreover, cybercriminals are now targeting rural areas like Pend Oreille County, where populations have even fewer resources to defend against or recover from cyberattacks.

“It used to be small businesses were safe from ransomware,” said Stu Steiner, director of the Eastern Washington University Cybersecurity Institute. “But now, even if they can get $1,000 out of it, you get $1,000 out of 100 small businesses, that’s a significant amount of money.”

The county is constantly under threat of cyberattack, Flowers said. Hundreds of devices have attempted to breach the county’s firewall, a cybersecurity system that monitors all network traffic. Unfamiliar users are blocked from logging into county accounts every day.

Cybercrime has also posed a threat to Newport Hospital and Health Services, wrote Bryce Thompson, NHHS Information Technology director, in an email.

While neither the county nor NHHS has experienced a cybercrime, other counties and hospitals have. As recently as last week, Flowers was informed of a cyberattack on another county that was still under investigation. Thompson knew of a couple of hospitals in Wyoming and Montana that were involved in a credential-harvesting incident and an encryption attack.

“The important thing to take away from these incidents is to learn and adjust,” Thompson wrote.

Information technology officials recommend implementing multiple layers of security into any one system, a practice Flowers referred to as defense in depth.

“They’re not relying on just one thing to save them,” Flowers said. “They’re doing many things to help mitigate the issue.”

For the county, that means starting at the physical level, such as by closing doors to server rooms and other points of entry for cybercriminals when necessary. Firewalls then protect the county at the Internet level. Beyond those, the county has security built into network switches and routers. Multi-factor authentication for county accounts and email protection serve as additional layers of security. The county also conducts training for employees that educates them on phishing schemes and best practices for cybersecurity, Flowers said.

For security reasons, Thompson declined to share details about NHHS’s cybersecurity practices, but he wrote that they have strong safeguards in place that align with healthcare industry standards. Protecting patient information is particularly important to NHHS, Thompson wrote, as well as cybersecurity education and testing.

“You can have a world-class security system, but it is ineffective if you have someone unintentionally holding the front door open,” Thompson wrote.

After the county was informed of the cyber fraud at Newport, ITS launched a reassessment of all policies and procedures related to cybersecurity.

One policy protecting the county from cybercrime prevents employees from wiring funds — the means by which public money was stolen from Newport. Instead, employees are required to send checks, Flowers said. If an employee wants to switch their payment method, the county requires they visit in-person rather than call or email.

The county did not end up changing any policies or procedures, Flowers said, as they have protected the county from cybercrime thus far.

“But any person who’s in cybersecurity, the common phrase is, it’s a matter of when, not if,” Flowers said.

The cybercrimes committed in Wyoming and Montana, Thompson wrote, were devastating to the hospitals involved and their reputations.

Of small businesses who experience a cybercrime in their first year, 62% go out of business by the following year, Steiner said. A small municipality like Newport can be financially upended for multiple years after dealing with ransomware.

“Cyber insurance will only pay so much, it really depends on the attack,” Steiner said. Newport’s insurance is covering upwards of 75% of the stolen funds. “And a lot of small businesses can’t afford cyber insurance.”

Steiner recommends three main methods for defending against cybercrime: multi-factor authentication, password management and education.

Multi-factor authentication utilizes more than one device to verify a user’s identity upon login. In password management, creating separate usernames and passwords for separate accounts protects users in case any account is compromised; even a one-character difference in both makes accounts more secure, Steiner said.

Finally, employees should be educated on not just phishing schemes and the like, but on general cyber awareness — not just during one month of the year, but year-round. Information technology officials suggest monthly modules, Steiner said, with each module focusing on a different subject.

“Just having consistent cyber awareness on different things is critical,” Steiner said.

“Because right now, we are all very cyber-fatigued.”

Furthermore, Steiner recommends users be mindful of their digital footprint by setting privacy limits on social media accounts and reading — actually reading — end-user license agreements. And users should never click on hyperlinks without verifying their authenticity, as they may allow in ransomware.

“You have to stay vigilant,” Steiner said. “Because all it takes is one wrong click and one wrong answer to the text message.”

The cyber fraud at Newport was likely a social engineering phishing scheme, Steiner said. These are phishing schemes where cybercriminals imitate legitimate parties, such as loved ones or insurers, in order to steal money from victims, often with a sense of urgency. Some cybercriminals are utilizing generative AI to replicate voices for phishing as well.

Steiner said cybercrimes like this can be avoided just by exercising a basic level of cyber awareness — by stopping, thinking and asking questions about the situation before taking action.

“Even if you think it’s the insurance provider, actually look up the insurance number and call them and say, ‘Are you really requesting this?’” Steiner said. “Just that extra minute, two minutes to do that makes all the difference in the world.”

