How N.H.’s Local Governments Can Defend Themselves Against Cybersecurity Scams
The town of Peterborough was recently scammed out of $2.3 million in taxpayer money in a cyber attack. More towns are being targeted by highly sophisticated cyber scammers who are able to identify any weak security protections. Jason Sgro, a cyber security expert, says local governments need to invest in cyber security when taxpayers’ money is at stake.
NHPR’s Morning Edition host Rick Ganley spoke with Sgro, who worked with Peterborough on their cyber security emergency response after the town administration realized their finances had been compromised.
Rick Ganley: First, I think some of us might think of cybercrime more as a ransomware attack in which, you know, you have an entire computer or a system hacked and the funds are stolen that way in some kind of a back door attack. But in Peterborough's case, the thieves went to some lengths to actually trick town officials into thinking there was somebody else in order to divert these funds to their accounts. Is that kind of thing very common?
Jason Sgro: Yeah. So that's actually very common. Ransomware gets a lot of press today, and certainly, that is a huge attack vector that is very common. But the next common attack vectors are business email compromise and phishing attacks.
And these are attacks where someone tries to defraud you out of money or get you to divulge information by sending you an email and posing as somebody legitimate that you would normally do business with. Years ago, these types of emails used to be poorly written. They were written by non-native English speakers. And so the grammar was easy to spot, but those emails have become more and more sophisticated and more and more believable.
Rick Ganley: It's obviously profitable for them. They're doing it more often. You're seeing many more of these municipalities being targeted, you know. Why do they go after a municipality like a Peterborough as opposed to going after some other company with some kind of ransomware attack?
Jason Sgro: These are wide net attacks. In a lot of cases, they're not looking for any one town. They are casting a wide net, going after a big group of organizations. And whoever they trick, that's who they're working with. And it is important to note that these are not organizations that are targeting you because they have a specific grudge against the town of Peterborough or somebody else, right?
They're casting a wide net, and if you get caught in that net, they're looking for the easy money.
So it's a matter of how easy are you to track, what protections do you have in place, and what's the likelihood of success? They want to just go after the fast money, and so they will attack widely and broadly and see what shakes out.
Rick Ganley: I know staff involved in this incident in Peterborough have gotten some flak for not realizing earlier that they were being scammed. Do you think civil servants need to be trained more in cybersecurity threats?
Jason Sgro: Yeah, I don't think New Hampshire is any different than many other states in this way, but our overall level of cybersecurity training and sophistication is not adequate to meet this threat. When we do cyber training today at a broad statewide level or organizations do these broad trainings, they're general cybersecurity trainings. And a lot of that is not applicable to any one role.
What we need to do is go into more targeted training. So a town clerk or a town administrator or a chief of police gets unique training that is appropriate to their role in the attacks that they are likely to see and the data that they protect.
If we do that and we make it relevant to their job, we have a much better chance of that training being effective than the hour-long, kind of click-through slides and get a general overview of cybersecurity. That is not as effective as we would hope it was.
Rick Ganley: Now, just in the interest of disclosure here, does the town of Peterborough or any of the municipalities pay you yearly for that training? Do they pay you monthly? How do they contract with you?
Jason Sgro: Yeah, so I'm only involved with the town of Peterborough in the cyber response. There's also a lot of other cybersecurity companies out there in New Hampshire that are reputable that some of these towns are working with. It's just about understanding the importance of making the investment. New Hampshire does not have a long history of making significant cybersecurity investments at the local level, and that needs to change. Unfortunately, it does cost money, but what's on the table here is a lot more money.
You can see if in one cybercrime, $2.3 million can go missing, how much prevention is worth safeguarding against those kinds of numbers? And that's what we're looking at right now.