To: California state workers
Subject: Watch what you click
The state’s top technology officer is reminding California public employees to protect their workplaces from hackers as she seeks to shore up cyber security weaknesses that were revealed in a harsh audit a year ago.
That education campaign, coupled with a new cyber security threat monitoring center, are at the heart of Department of Technology Director Amy Tong’s response to a report that warned state databases were “vulnerable to unauthorized use, disclosure or disruption.”
In some cases, the way to protect those sources may be as “rudimentary” advising employees not to “click on the phishing email that opens the door” to a hacker, said Tong, a 22-year veteran of state government who was appointed to her post in June.
“The remediation we’re talking about is training people better,” she said.
Her reminder follows an August 2015 report from state Auditor Elaine Howle that found 73 of 77 state departments indicated in a survey that they were not in compliance with cyber security standards, a finding that suggested medical records and Social Security numbers in state databases could be at risk.
Several large departments that maintain sensitive data, including CalPERS and CalSTRS, did not respond to the survey. Eight departments told auditors they would need at least until 2020 to bring their employees up to speed with the latest standards.
The state attorney general’s office, meanwhile, highlighted the stakes in February when it released a report that documented more than 650 breaches of state databases since 2012. The agency reported those breaches affected records pertaining to as many as 24 million Californians in 2015.
Tong in a roundtable with reporters on Wednesday said she’s aiming to help different state agencies become “more self-sufficient” in protecting themselves from cyber attacks.
“It is the top priority I’m going to be working in leading the department of technology,” she said.
Her department is one of four that are participating in a new cyber security threat monitoring center that opened in June, 10 months after Gov. Jerry Brown signed an executive order calling for its creation.
The California Cybersecurity Integration Center also draws from the Office of Emergency Services, California Highway Patrol and National Guard soldiers on active-duty assignments. It mirrors a similar program in Washington state, where National Guard soldiers have audited cyber security weaknesses for local governments.
At the center, Tong said officers are able to watch different networks and respond quickly if they see a threat that could compromise a government agency and pursue a criminal investigation if they can identify a culprit. They also collaborate with federal agents at the Department of Homeland Security.