County beefs up cyber security efforts

ALAMOSA — With no one immune from cyber attacks, Alamosa County officials recently met with WSB Computer Services President John Manesiotis to discuss ways to prevent them from happening in county government.

Alamosa County Administrator Gigi Dennis said with cyber security a focus of Colorado Counties Inc. and among county administrators, she believed it was a good idea for Manesiotis to come in and explain what procedures the county already has in place and what needs to be put in place in the future to make county computer systems more secure.

Dennis said some counties have been the victims of phishing scams and cyber attacks where they have had to pay money to get their systems back. One county, for example, had to pay $15,000, she said.

Dennis added that commissioners talked about clamping down on employees’ uses of the internet even before she was hired three years ago.

“It’s going to take some hard discussions on how we want to approach this,” she said.

In the past when the county clamped down on internet use, there were web sites employees felt they needed access to that they could no longer access. For example, the Department of Human Services uses Facebook to monitor clients, she said.

Manesiotis said he was not trying to restrict staff from what they needed to do but to provide maintenance of the system and guidelines for best practices for the county.

Likening the county network to a castle with homes inside it, he said firewalls are like the gates to the castle that separate the county network from intruders. WSB has in place such protections and has limited access to web content based on categories such as gaming, nudity and drugs/guns. WSB also provides antivirus protection, he explained, that is updated multiple times a day.

He said WSB plans to finish implementing additional security measures this year, for example requiring password changes every 90 days and displaying a compliance banner before accessing computers. The banner states that the county-owned computer is for county business only.

Also this year and into 2019 WSB will finish upgrading Windows 7 to Windows 10 because by January 2020 Microsoft will stop updating Windows 7, Manesiotis explained.

WSB will also be encrypting mobile devices such as laptops in the county to protect the information on them in case they are stolen, Manesiotis explained. For example, the county health nurses may have HIPAA (Health Insurance Portability and Accountability Act of 1996) protected personal health information on their laptops.

County Attorney Jason Kelly asked if Manesiotis recommended that cell phones be county owned. Manesiotis said it depended on whether or not that was less expensive. For security reasons, it would be better if such devices were county owned, because the county would have more authority and control over them, he said.

He said a year or so ago when his company looked into the internet use at the county, they found that 70-80 percent of the use was for music and video streaming.

“It’s not like that music streaming is bad if it’s from a reputable source,” he said. The concern would be when people click on some of the ads that come up with those sites, he said.

The main problem becomes user error when people click on a link they are not supposed to or did not mean to, he added.

Manesiotis said 90 percent of malware or ransomware comes from emails when people click on a link that looks like it is official but is not.

He suggested that people could use their own devices if they wanted to stream music or videos and use the guest internet, rather than the county internet. Guest internet usage is available in conference areas, for example, for people attending events at the county building who want to connect to the internet but who would not be allowed into the county site itself, for example.

Manesiotis said more training needs to be provided to county employees regarding internet usage, “pretty much everybody that works for the county and has access to county computers and resources.”

Dennis suggested that the annual insurance enrollment period might be a good time to conduct that training since employees would be gathered together anyway.

“It all starts with holding the user accountable,” Manesiotis said.