July 2018

A quick recap of two cyber terms: malware/ransomware and phishing.

Malware is software that is intended to damage, control or disable computers and computer systems. Ransomware is a type of malware that threatens to publish your confidential data or perpetually block access to it unless a ransom is paid. This could mean that your customer database becomes available to hackers or your system's financial information is exposed.

Phishing is the primary way that malware gets introduced into your computer. Phishing is basically a fake email that tricks you into clicking on an email attachment or a link that allows the malware to infect your system. The Verizon DBIR (Data Breach Investigations Report) tracks all this and is published annually. And once again, the most recent data shows that 90 percent of successful phishing attacks bypassed the company’s antivirus and email filters and 84 percent bypassed the company’s firewalls. Here's a link to the information:



This clearly shows that cybersecurity is a people problem, not a technology problem. So let’s get your small utility system employees to become human firewalls and stop clicking on phishing emails. The main obstacle here is a cultural shift. Employees need to start thinking about avoiding phishing scams just like they would think about fire protection or a backed-up toilet. If a wall socket shorted or sparked when we plugged in a space heater, we would report it and avoid using it. We all share a common goal of preventing a workplace fire. If a backed-up toilet threatened to overflow in the employee restroom, we would call a plumber, because we all want to avoid a sewage-filled office. It can all become second nature if we practice an office culture of cyber security. If employees are the weakest link in our cyber defenses, we can learn from these historic social campaigns and turn them into our first line of defense!

Do you still doubt that you would be the target of a cyber attack? Do you scoff at the idea that your small utility could be a target? Well, would you take the FBI’s word for it? They have a partnership with

Does your city or water district really need a Facebook page?

In the past I have recommended that small utility systems have a Facebook page. And if Facebook had done a better job of protecting its users, I would still recommend it. But after the debacle with Cambridge Analytica and the personal data that was gathered from 87-plus million unwitting users, does your city or water district really need a FB page? Maybe going back to a system web page is better, with the ability for customers to enter a cell number for text alerts in the event of emergencies.

The real problem with Cambridge Analytica? This is the piece that has been overlooked. The problem was that people took a fun personality quiz! That simple act is what gave CA access to so much of their personal information. And as a practical matter, the temptation is too great: you cannot have an employee updating the utility’s FB page without assuming that they will just pop over to check their own page, then see an ad, take a quiz, or go down that rabbit hole of clicking on tempting links.
