FOR IMMEDIATE RELEASE: March 25, 2015
City Auditor’s Office makes recommendations to protect against cyber attacks
Today, the City Auditor’s Office released an audit on City employees’ response to a phishing email. Phishing uses email or malicious websites to solicit personal information, or information system login IDs and passwords, by posing as a trustworthy organization. The City Auditor’s Office tested employees’ response by sending a phishing email to all employees with a City email address and encouraging them to click on a link and provide their network login information.
The audit concluded that some employees put the City’s information systems at risk by clicking on the link to a fake website in the phishing email; providing valid login credentials that could be used to hack the City’s system; and not changing their password after they were alerted that the phishing email was fake. Had this been a real phishing email, hackers could have used the information provided by employees to harm the integrity, confidentiality and availability of the City’s information systems.
The City’s Information Technology Division (ITD) took appropriate steps in response to the auditor’s phishing email by alerting staff that the email was fraudulent, deleting the email, and advising employees to change their passwords. Although ITD has practices in place to respond to phishing emails, it does not have a comprehensive cyber security incident response plan to ensure that responses to attacks are quick, consistent, and effective.
The audit includes recommendations to ensure that employees respond to phishing emails and other cyber attacks appropriately and that cyber incidents are promptly identified, exploited weaknesses are mitigated, loss is minimized and IT services are restored. Management agreed with the recommendations.
The complete report can be viewed online.
Media inquiries should be directed to Douglas Jones, City Auditor, by calling (816) 513-3300.