By KATE STICKLES

October 29, 2024 — From phishing to malware/ransomware to widespread coordinated data breaches, the list of ways cyber criminals can access your information and devastate your finances and privacy continues to grow. The same danger lies in wait for the systems PEF members use to deliver state services to New Yorkers.

According to the Identity Theft Research Center (ITRC) Annual Data Breach Report, 2023 saw a record-high number of data compromises in the U.S. in a single year: 72 percent more than the previous record set in 2021, impacting at least 353 million individuals. That same year, the public submitted 880,418 complaints of cybercrime to the FBI, increasing the potential total loss to $12.5 billion in 2023, up from $10.3 billion in 2022. 

October is Cybersecurity Awareness Month and PEF members at the New York State Office of Information Technology Services (ITS) shared what they do to keep New Yorkers safe, and tips for you to keep yourself safe online. 

The importance of cybersecurity 

Cyberattacks come in all shapes and sizes, and they can impact PEF members as state employees and as individuals, alike. 

“Paying with credit at the pump? Jiggle the card reader – there may be a card skimmer on there. Got a call from your bank about a recent transaction? Hang up and call the bank directly using the number on the back of your card – scammers like to call pretending to be the bank asking about a huge charge. Receive an unknown phone call from a loved one in a panic asking for emergency funds? Hang up and call them directly – new scams are now using AI voice generation to make calls sound like they’re coming from someone we love.” 

Abraham Lara

That advice comes from Abraham Lara, who joined PEF in January 2024, and is one of the recently appointed Dedicated Information Security Officers at ITS, assigned to supporting the Department of Labor (DOL). The dedicated support model allows for 24/7/365 service from a team that knows the agency inside and out. 

“My team and I work hand in hand with our partners at DOL to review technology solutions, provide recommendations on information security best practices, and respond to any issues that may arise,” Lara said. “Our goal is to mitigate risk and come up with possible controls to prevent future issues while aligning with the agency’s objectives.” 

Lara answered a call to action during the global CrowdStrike outage in July 2024 when a software update from the cybersecurity firm CrowdStrike caused Microsoft Windows operating systems to crash—resulting in potentially the largest IT outage in history. 

“We mobilized and went across New York to manually repair state computers to restore critical services to our citizens,” Lara said. “I was scheduled to attend a friend’s wedding out in Rochester when we got a call for volunteers to help with the CrowdStrike outage. I remember going on site in a suit and working with other local tech folks to remediate more than 100 computers.” 

What can we, as a community and a state workforce, do about it? 

Andrew Dolan

PEF member Andrew Dolan, an Information Technology Specialist with ITS’s Chief Information Security Office (CISO), whose team focuses on training and awareness, has some advice: the best defense is you. 

“The most important thing anyone can do to beef up their cybersecurity is to educate themselves,” said Dolan.  “Whether you are utilizing social media or banking applications, it is critical that we all practice good cyber hygiene to better protect ourselves.” 

Dolan’s team organizes the annual New York State Cybersecurity Conference, which has been going strong for more than 25 years. The conference brings together people from state government, schools, the federal level, and more, for days of workshops and training. 

“New York is one of the leaders when it comes to taking charge of cybersecurity,” Dolan said. “We are always at the forefront. People know there is executive support and leadership buy-in. End users and our PEF workforce are the most important part because at the end of the day, people are the biggest component to cybersecurity.” 

State employees are regularly tested on their ability to spot cyberattacks and Dolan’s team is part of the procurement process for those vendors. 

“A lot of work goes into figuring out who is the best fit for what type of cybersecurity training and phishing exercises we need,” he said. “The biggest thing with phishing is they try to manipulate emotions. They try to get people to click without thinking. We are looking to kick off a new round of training for Cybersecurity Awareness Month.” 

Arbina Camaj, fourth from right, was one of 19 state employees recognized as State Cybersecurity Champions for their significant contributions to support and enhance cybersecurity across New York State. The winners were honored at the 26th Annual New York State Cybersecurity Conference on June 4. From left to right are Stephen Addison, Joel Butler, Shawn Fodor, Camaj, and Ben McFarland.

Testing statewide system vulnerabilities 

For PEF member Jared Hoffman, a Manager Information Technology Services 1 on the CISO CyberCommand Red Team, penetration and offensive security testing has been a passion for more than a decade. 

“My team performs offensive security testing on various state technologies,” he said. “This is commonly referred to as penetration testing. Our focus is to identify and exploit the vulnerabilities present within these applications and systems, execute various attack paths, and then work with the teams and stakeholders who are responsible for fixing the issues.” 

This behind-the-scenes work is vital to data safety for New Yorkers accessing state services. 

“Our offensive security testing has a direct impact on both state citizens and fellow PEF members given the types of applications and systems we test,” Hoffman said. “A large portion of these systems and applications are used by the public. We ensure that all associated data, resources, and underlying technology supporting these applications are secure.”

Testing, however, can only go so far – people need to be aware of what they do on the Internet. 

“In today’s world, having a strong cybersecurity awareness and forethought can help protect an individual from the tidal wave of scams, attacks, and cyber threats that seem to grow by the day,” Hoffman said. “No matter how much we try to avoid it, all aspects of our lives seem to have some level of internet connectivity. Since we are expected to operate in this domain, being aware of the risks and threats is a must. Cybersecurity is a responsibility we all share as public servants.” 

The Joint Security Operations Center (JSOC) was developed to be the nation’s first-of-its-kind cyber hub to provide a statewide view of the threat landscape and improve coordination and agility on threat intelligence and incident response, said PEF member Arbina Camaj, a founding member of the JSOC initiative and currently a Manager Information Technology Services 1 working as a senior SOP and Playbook Developer under CISO CyberCommand’s NYSOC division. 

“We monitor New York’s critical infrastructure 24/7/365 because we know no one can do it alone,” Camaj said. “NYSOC provides security monitoring for state, local, tribal, and territorial entities and has achieved a level of security collaboration across government lines never seen before. Nearly all platforms PEF members utilize are monitored in some capacity by NYSOC staff.” 

Camaj said involvement with other PEF members and the NYSOC team is rewarding. 

“There has been a persevering mentality amongst our team of going to work to do the best job conceivable and coming back the next day to do even better,” Camaj said. “We feel a deep-seated duty to protect New York to the best of our ability. I can genuinely say I enjoy the work I do and the impact we have is making New York state a safer place.” 

A data breach of more than 272 million Americans’ Social Security information puts into perspective the importance of cybersecurity as technology, such as artificial intelligence, evolves. 

“Cybersecurity awareness is absolutely crucial,” Camaj said. “Without proper awareness, it is difficult to prevent, detect, or respond to threats, protect data or information, and so much more. With the emergence of AI, the capability of bad actors is increasing at an alarming rate. It should be apparent this is something people cannot opt-out of.” 

What steps can you take today? 

Dolan had a few tips for people who want to improve their protection. 

“Even the simplest steps can help you be better protected,” he said. “Make sure you are using up to date anti-virus software, make sure to install updates and patches in a timely manner, use secure passwords, avoid connecting to public wi-fi, utilize multi-factor authentication when possible, and most importantly, never stop learning.” 

Most of us have been annoyed at the complexity required when creating a password – that complexity, however, is an integral part of cybersecurity defense. 

“Updating your password on a regular cadence is a standard best practice, as well as enabling multi-factor authentication on all online accounts,” Hoffman said. “This can help keep someone protected even in a situation where their password is compromised.” 

Steering clear of unsolicited or suspicious emails, texts, phone calls, or social media activity is also paramount to staying safe online. 

“Phishing has splintered from primarily email-based attacks to almost any type of communication,” Hoffman said. “Avoid these messages and follow up with the institution the attacker is claiming to be.” 

Camaj likened beefing up your cybersecurity to how you protect your home from a common thief. 

“Enabling two-factor authentication (2FA) is like a security alarm for your home,” said Camaj. “Even if someone is able to get through your locked door (your password), the alarm (2FA) adds another layer of protection.

“Just as you wouldn’t let a stranger into your home without knowing who they are, don’t click on suspicious links or download unknown attachments,” Camaj continued. “In the event protections fail, report it as soon as possible to the appropriate authority, even if you are not certain. The situation often only gets worse until there is appropriate intervention.” 

Start young for success 

One of the keys to successfully battling cybercrime starts with our youth, Dolan said.  

“We really need to start at a young age,” he said. “By the college level, it’s too late.” 

That’s why ITS holds an annual poster contest for K-12 students. 

“The poster contest is a fantastic way to do it,” Dolan said. “It’s incredible to see how some of these kids in elementary school really know the message. I’m always impressed.”