Cyber Security Awareness Month Begins Amid Concerns About Equifax Breach

By Shawntaye Hopkins, CSG communications associate
As the public sector prepares to recognize National Cyber Security Awareness Month, observed every October, cybersecurity has been a hot topic of conversation in households across the country since Equifax announced a major data breach on Sept. 7.
Massachusetts was the first state to sue the credit-reporting bureau, but several other states, as well as cities, have followed suit. Attorneys general in numerous states continue to investigate the matter.
Massachusetts Attorney General Maura Healey filed a lawsuit on Sept. 19 that argues Equifax could have—and should have—prevented the breach by implementing and maintaining reasonable safeguards. The breach may have compromised the personal information of 3 million people in Massachusetts, according to the complaint. 
“We allege that Equifax knew about the vulnerabilities in its system for months, but utterly failed to keep the personal information of nearly 3 million Massachusetts residents safe from hackers,” Healey said in a press release. “We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”
Hackers had access to Equifax’s system from at least May 13, 2017, through the end of July 2017. The lawsuit, which states that the company discovered the breach around July 29, 2017, claims that Equifax failed to notify the attorney general’s office in a timely fashion.
Cybersecurity has been top of mind for lawmakers for years, long before the Equifax breach. However, asked whether he thought the Equifax breach had increased concern and discussion about cybersecurity, Rhode Island state Sen. Louis DiPalma responded with one word: categorically.
DiPalma is the sponsor of the first-ever Cyber Hygiene Event in his state, which will be held Oct. 18 and include a panel discussion with lawmakers; the state’s first cybersecurity officer, Mike Steinmetz, who was hired earlier this year; and a state police representative. The theme is “protecting yourself, your family, your identity and your data,” DiPalma said.
“What I want it to be is practical things that people can do when they go home,” DiPalma said.
The event will include discussion about passwords and phishing scams. DiPalma said he wants safe cyber practices to become as second nature as brushing your teeth.
An information technology security panel discussion was held during the National Association of State Technology Directors’ 40th Annual Conference in Memphis, Tennessee, in August. Through an online poll at the conference, 37 percent of respondents identified network security as their state’s greatest strength while staffing and education tied last at 6.7 percent. Twenty-six percent of respondents identified information technology budgets as their greatest concern going forward.
“Doing more with less is always a challenge for state government and IT is no exception,” said Paul Czarnecki, NASTD communications specialist. NASTD is a CSG Affiliate.
On Oct. 4, Hawaii will launch CyberHawaii, a program “committed to creating a community approach, which mitigates cyber risk, develops educational and workforce pathways for students, and invests in innovation and economic development for a cyber secure and resilient state,” said Hawaii state Rep. Mark Nakashima.
The program is modeled after Cyber Huntsville, he said. About a year ago, the University of Hawaii identified the need for more cybersecurity professionals, which resulted in a working group that visited Huntsville, Alabama, to meet with Cyber Huntsville, a community coalition of academic, industry and government officials who work to educate others about cyber threats.
The National Cyber Security Alliance and the U.S. Department of Homeland Security spearhead National Cyber Security Awareness Month. Information about how to get involved is available at staysafeonline.org/ncsam/ and dhs.gov/publication/national-cyber-security-awareness-month-resources#.
The National Association of State Chief Information Officers has participated in National Cyber Security Awareness Month for several years by promoting awareness through its social media channels.
“Because October is National Cyber Security Awareness Month and the NASCIO Annual Conference begins in October, we are having a day focused on cybersecurity and real-world scenarios,” said Danielle Doak, NASCIO’s digital communications coordinator. “Effective cybersecurity depends on people, so four states (Georgia, Illinois, Michigan and Pennsylvania) will highlight examples of the human factor in action.”
Even with encryption, antivirus software and other tools, humans can still cause a breach through actions such as clicking on phishing emails, Doak said.
“This is why training on cyber is so important for state governments,” she said.
NASCIO Executive Director Doug Robinson said securing information technology networks against threats has been the most pressing policy concern for state chief information officers for four consecutive years, according to NASCIO surveys.
Progress is being made, however. About 95 percent of states have adopted a cybersecurity framework, compared to about 75 percent of states three years ago, Robinson said. NASCIO recommends the National Institute of Standards and Technology, or NIST, Cybersecurity Framework, but Robinson said any framework helps. In addition, about a third of states have obtained cybersecurity liability insurance compared to five years ago when few, if any, had done so, he said.
Robinson said third-party contracts continue to cause concern in state government because many states use outside companies for services such as credit checks.