Key Findings of the Suffolk County Cyberattack Report
A newly released report highlights the urgent need for Suffolk County to enhance its cybersecurity measures following a significant cyberattack experienced two years ago. The attack exposed the personal information of approximately 500,000 individuals, underscoring the need for a comprehensive cybersecurity plan.
Recommendations for Strengthening Cybersecurity
The bipartisan Suffolk County Legislature’s Special Cyber Intrusion Investigation Committee published a 66-page report, emphasizing several key actions:
- Hiring More IT Staff and a Security Chief: It is crucial for the county to recruit additional information technology personnel and a chief information security officer (CISO) to oversee cybersecurity initiatives effectively.
- Cyber Breach Insurance Policy: The report recommends that Suffolk County secure a cyber breach insurance policy. This insurance would offer financial protection against future attacks. However, qualifying for such a policy requires implementing several security measures.
Current Shortcomings and Steps Forward
When the committee investigated the attack, it found that Suffolk County was unprepared. At the time, the county lacked essential security practices like multifactor authentication, a method that enhances security by requiring multiple verification steps for user identities. Since the attack, improvements like this have been made.
Importance of a CISO
The report stresses the necessity of appointing a CISO, a role that was only filled months after the 2022 attack and subsequently vacated. Suffolk County Executive Edward P. Romaine emphasized this as a top priority, essential not only for security but also for obtaining cyber insurance.
Legislative and Administrative Actions
The report suggests Suffolk County needs to comply with laws that require an annual IT risk assessment. It criticizes the failure to coordinate between various IT departments, noting this impacted the county's ability to manage the cyberattack effectively.
Detailed Analysis of Cybersecurity Failures
The investigation noted a "pass-through" in the county's firewall, which allowed unauthorized internet traffic to access the county clerk’s domain. While the report did not assign blame, it insists on preventing such practices in the future to secure the county's digital infrastructure.
Insights from the Committee
Legislator Anthony Piccirillo, the committee chairman, pointed out the lack of trust within the county's IT teams as a significant impediment. Moving forward, the new CISO is expected to develop a cohesive cybersecurity strategy.
The committee's findings are based on interviews with over 20 witnesses and examination of more than 35,000 documents. These recommendations aim to fortify Suffolk County against future cyber threats.
