FORT EDWARD — Before hackers strike, Washington County may take a long look at its vulnerabilities and even hire someone to try to steal its records.
Despite the potential price tag, a risk assessment must be done to make the county more secure, said IT Director Karen Pratt.
She asked GreyCastle Security, a Troy-based cybersecurity firm, to explain the dangers of hacking to the Board of Supervisors.
The answer wasn’t reassuring. GreyCastle recently helped a hospital get its computer system back after hackers locked doctors out of everything, leaving them unable to even look up a patient’s blood type during an operation.
Others have had their data held for ransom, and some countries even help hackers to break into American computers, said GreyCastle Chief Business Development Officer Mike Stamas.
“You can’t be 100 percent secure unless you throw out your computers and unplug everything from the internet,” he said.
Short of that, he advised “constant” investment in cybersecurity — as in, a regular budget item rather than a one-time capital project expense.
“Technology’s moving so fast and things change so rapidly,” he explained.
The problem isn’t that Washington County would need to buy better equipment each year to secure its data. It’s that hackers keep finding better ways to get into the equipment, so employees have to adapt. They have to learn not to fall for ever-evolving tricks.
“You’d be surprised how much responsibility we all have,” Stamas said.
“Many” hacks are caused by “user error,” he added.
His company studies computer systems for weaknesses, trains the staff and then runs tests to see if they can break in.
“We see if we can steal your stuff,” he said.
If they can’t sneak in electronically, they’ll even send someone to try to slip into the building and access computers from there.
Washington County is aware of security concerns. Employees are told not to give their credentials — such as name, title, address and phone number — to strangers in emails that might be a “phishing” attempt to steal someone’s identity. They all wear key fobs to access locked areas of the county. But Pratt said employees regularly relax their guard, not convinced that anyone is really trying to break into Washington County, of all places.
She’s hoping training — or the tests to get into the system — will open employees’ eyes.
“Maybe they will say, ‘Oh, so that’s why you have a policy for web browsing. That’s why you don’t have administrative privileges on your PC.’ You don’t want to be downloading files,” she said. “Department heads will say, ‘Oh, now I get it.’ ”
And persuading them is key, Stamas said.
“Absolutely, people are often the biggest problem,” he said.
Supervisors were convinced after a lengthy presentation. But the big question is how to pay for it.
The risk assessment will cost at least $16,000 and includes finding the county’s vulnerabilities, training staff and then testing the new security. But any expenses for fixing vulnerabilities that are found could add up.
“If we start down this road and they come back with a litany of recommendations, as we don’t have the money to do it, in six months it’s outdated,” said Easton Supervisor Dan Shaw.
The county has about $159,000 in a capital project fund for IT. But only part of that was budgeted for the risk assessment. The rest is budgeted for other items.
The county could “reprioritize” to pay for security if absolutely necessary, rather than new software and hardware in the capital project fund, Pratt said. But she doesn’t want to use the fund for that.
Instead, the county should put cybersecurity funds in the regular budget every year, she said.
That will be debated when the budget is completed this fall.