Seldom a week goes by that someone doesn’t ask me the status of the more than $500,000 cyber-theft that occurred between March and May 2018. And while looking for someone to blame makes for good reading, the more important issue in front of Galveston County government is to understand the process, how the criminal element took advantage of the process, how to safeguard the process from future attacks, and finally how to safeguard financial and information technology from future attacks.
Don’t be mistaken, criminals will attempt to attack us again.
Dawson Forensic Group provided its report to county legal for commissioners court on Sept. 7. Its report was to examine what caused the cyber-theft and recommend changes to prepare for and defeat any future attacks. Even before any of them had seen the report, the interested parties had taken action. However, the report might tell us if changes made are appropriate.
On June 22, Judge John Ellisor convened a meeting of the Galveston County Purchasing Board. In attendance were judges, commissioners, law enforcement, treasurer, auditor, IT director and purchasing agent. The auditor, IT director, treasurer, purchasing agent, and law enforcement all presented their plans and ideas for preventing future thefts. These plans have been acted on and include:
• Suspend electronic payments to vendors and employees pending verification.
• Re-verify vendors’ electronic payment information.
• Purchasing centralized Master Vendor File changes with one employee, supervised by purchasing’s chief deputy.
• A company was identified June 21 to provide real-time fraud detection services for the Purchasing Master File/Accounts Payable system. (Commissioners’ Court approved a non-disclosure agreement to begin the hiring process for the company on Monday.)
The Sheriff’s Department continues to work with the FBI on this large-scale interstate theft. And Galveston County isn’t alone in being victimized by these or similar criminals. While a full recovery isn’t likely, there’s still a possibility to make partial recovery based on asset seizures.
But, instead of always responding to criminal attacks, we should be planning for the next challenge. Those changes should include:
• Required training for county employees on recognizing email fraud.
• Additional protection to various county systems against malicious activity and infected email attachments.
• Additional policies concerning ransomware attacks.
• Spotting and defending the IT system against ransomware.
• A plan for possible ransomware attacks, including keeping our systems operating (justice system, jail system, financial system, health care, employee records) or at least safeguarding the data in the event of an attack.
• A recovery plan in the event of a cyber-disaster, in other words, how to restore or safeguard our data.
We shouldn’t be spending time and money to create more bureaucracy, an oversight board with zero Constitutional authority answering to one branch of government, adding additional salary and benefit cost. Instead, our current elected officials and their appointed directors — all answering to the voters of Galveston County — should “dig in” to safeguard taxpayer money and taxpayer information.