BARRHEAD - Cybercrime is on the rise, and it is not a matter of whether an attempt to hack the County of Barrhead's computer network will be made but when.
That is what finance director Tamara Molzahn told councillors during their June 18 meeting.
That is why she said the municipality has taken several steps to increase its cybersecurity.
She also noted that lack of training is the greatest threat to a potential breach, such as the one that the Town of Westlock experienced early this year, when the municipality's servers were down for three days from Jan. 31 to Feb. 2.
"They always talk about the human factor. You can put a lot of hardware in place, but most of it comes down to training and good practices," Molzahn said. "What the bad actors are trying to do is social engineering to feed on the need to respond to an urgent request or something else to elicit that human emotion."
She also said it is easy to become complacent, believing their anti-virus software is all they need.
"That is just not true anymore," Molzahn said. "Criminals are upping their skills all the time and are looking at exposing all the vulnerabilities, so we must continually up our game."
What the county has done
Molzahn said she recently attended two seminars, one hosted by Rural Municipalities of Alberta's insurance carrier, the other by the Government Finance Officers Association, which focused largely on cybersecurity.
She also added that council proclaimed October 2023 as Cyber Security Month. They conducted a five-week cyber fitness campaign using information from the Canadian government's Get Cyber Safe website and linking it to the municipality's web page.
Molzahn said they also commissioned KnowBe4, a well-known and respected cybersecurity training company.
She added that as part of their service, the company tests their clients' cyber security protocols using an outside source for things such as phishing — using fraudulent communications (e.g., e-mails) to steal sensitive information, often by installing malware.
Malware is a catch-all term for malicious software designed to harm or exploit any programmable device, service or network.
In their initial test in November 2023, KnowBe4 sent phishing e-mails to 28 municipal staff members, including council members.
Two staff members clicked the fraudulent e-mails and received remedial training.
In January, KnowBe4 set monthly automatic testing and added a "PhishAlert" button to all incoming electronic correspondence that municipal staff could hit if they believed they received a suspect e-mail.
The company also sends monthly hints and tips to all employers and publishes a scam of the month.
Molzahn happily said that in KnowB4's latest test, no one had opened the suspect e-mail.
She said the county's security awareness proficiency assessment score compares favourably to other North American government industries with less than 250 employees.
"The industry benchmark is 65 per cent while ours is at 71 per cent, so we are better than our peers, but there are some areas where we are lacking," Molzahn said. [KnowBe4] identified e-mail security and our 'human firewall' as areas where we are below-average and might want to increase our training."
She said the plan is to work with KnowBe4 in the future, specifically focusing on compliance training for staff.
"We can also add more role-based training modules starting in the fall of 2024, with more advanced levels of training, including more advanced phishing testing, using actual phishing e-mails we have received, starting in 2025," Molzahn said.
