In August of 2019, the Palestine Herald-Press reported that the City of Palestine, Texas was the victim of a cyber attack in which the attacker somehow infiltrated the City’s email system. The City’s department heads received an email that appeared to come from the city manager. In the email, the person posing as the city manager asked the department heads to assist her by purchasing Google Play cards for a project. The email appeared legitimate. While most of the City’s upper-level management ignored the email, three department directors succumbed to the spear phishing email and purchased a total of $1,200 in Google Play gift cards. Although the email asked them to reply with photos of the back of the gift cards, out of sheer luck, the three directors ended up texting the photos to the city manager.
In this incident there were actually two attacks. The first attack, which was successful, occurred when the attacker somehow infiltrated the city’s email system in order to send an email that appeared legitimate. The second attack, which luckily was not entirely successful, was the attacker’s use of a spear phishing email to induce the three directors to purchase the gift cards. At the city manager’s direction, the organization’s response was to hold training for all employees on phishing scams and cyber security. Training must be conducted more frequently in order to be effective. Cyber attacks seem to become more sophisticated over time, and organizations need to constantly train their employees to avoid these attacks.
Recognizing this, the 86th Texas Legislature (2019) passed House Bill 3834, sponsored by Representative Capriglione, which requires certain state and local government employees and state contractors to complete, on a yearly basis, a cyber security training program that is certified by the state cyber security coordinator. This bill went into effect on September 1, 2019, nearly a month after Palestine was attacked. At that time, the Texas Department of Information Resources was still working to adopt rules and to put training programs into effect. While HB 3834 may not have prevented the cyber attack, the spirit of the legislation attempts to address incidents like the one that occurred in Palestine.
Now more than ever, employers must recognize that network infrastructure alone is insufficient. Employees must be trained yearly, and I strongly advocate for an organization’s IT department to purposefully attempt to attack its own network system. The idiom “a chain is as strong as its weakest link” has new meaning when employers accept that employees can be their own worst enemy.