Don’t worry Okanagan residents. The confidential, personal information local governments and public agencies have on you is perfectly safe and will never fall into nefarious hands.
Well sure, that’s the message local municipalities, Interior Health and school districts would like to tell you. And you wouldn’t believe them if they did.
For years, we’ve been hearing about large private companies being hacked and their customers’ information being stolen or made public.
More ominously perhaps, public agencies and local governments are being hit with ransomware demands and other cyberattacks lately.
So how safe are the systems of our local governments and agencies here in the Okanagan?
Cybercrime is “constant threat and no systems or organizations are completely immune from cybercrime,” acknowledged Mark Braidwood, Interior Health’s director of information technology, and information privacy and security.
While local organizations can’t promise they’ll never be hacked, the efforts they’re making to prevent it are considerable. A big part of that is training staff to do its part to keep intruders out.
“More than half of the risk is associated with human behaviour,” said Jon Rever assistant superintendent with Central Okanagan Public Schools.
In other words, most cybercriminals still rely on a human mistake to help them get into a system.
In perhaps the most famous hack of them all, that’s how the Russians got into the Democratic party’s emails in the 2016 U.S. election campaign, revealing embarrassing emails that likely helped Donald Trump win the election.
They got someone in the party to bite on a phishing email and open something he or she shouldn’t have. This gave the Russians access “to hundreds of thousands of documents from the compromised email accounts and networks,” which they turned over to Wikileaks and other document-spilling websites, according to special investigator Robert Mueller’s report.
Local governments train their staff members not to open phishing emails.
“We developed and maintain a comprehensive cybersecurity education and awareness program to ensure that we have the best possible protection against human behaviour. This training includes regularly sharing current information as well as running training modules and simulations,” said Rever.
The school district has planned a simulation in which a fake phishing email would be sent to all staff. Its arrival shouldn’t be a surprise. Staff was notified it’s coming.
Staff training is ongoing at Interior Health, too: “IH runs regular education exercises with all staff to ensure they have an awareness of phishing risk, how to recognize it, and take appropriate actions,” said Braidwood. “Staff at all levels are required to complete annual online information privacy and security training.”
Everyone hired by the City of Vernon takes cybersecurity training.
“Every person who joins the organization is required to go through training in order to help protect our system and identify potential threats while using the network,” said communications manager Christy Poirier. “Specific policies and procedures have been put in place to guard against cyberattacks and to help staff understand the seriousness of protecting the information on our network.”
“We are doing corporate-wide cyber security training to give staff the tools to be able to identify phishing emails and deal with them appropriately,” said Brian Abrey, the City of Kelowna’s infrastructure systems manager
Of course, having up-to-date hardware and software matters too.
“Keeping software up to date is an important part of prevention,” said Abrey. “We employ state-of-the-art firewalls, email filters, web filters, software update strategies, backup strategies, password policies and antivirus protection.
“We have undertaken multiple third-party security audits to identify gaps and weaknesses, and then taken action to address them,” he said.
At the Central Okanagan school district, “monitoring, assessing, reporting, and recommending on potential cybersecurity threats are a daily part of our IT operations,” Rever said.
“We work closely with the Ministry of Education and a number of cybersecurity providers to deploy state-of-the-art and industry standard security technology across all network systems and devices,” said Rever. “We have been working on our privacy and cybersecurity strategy for three years,” he said.
That three-year effort began following a brief hack of the district’s phone system from Africa and the Ministry of Education insisting school districts improve their cybersecurity. The district now has an advisory council on privacy and cybersecurity as well as an ongoing education and awareness program.
Over at Interior Health, “IH maintains an information security team and staff dedicated to an information security program and continues to invest in resources to maintain and improve our environment relative to cybersecurity threat. We follow industry best practice for cyber defences,” said Braidwood.
IH, too, is in regular contact with other agencies about cybersecurity.
Constant upgrades are also standard at the City of Vernon.
“As the world becomes more connected online, the city pays close attention to new digital threats and makes adjustments as necessary to protect information and the security of our network,” said Poirier.
Karen Needham, director of corporate services at Summerland, said upgrades are constant. Measures include up-to-date firewalls and anti-spam software.
Summerland also limits how much personal information it collects. Needham noted privacy laws require all personal information must be stored in Canada.
So what to do in the event of an attack? Would public authorities pay a ransom?
Rever said the school district has protocols for responding to various potential incidents, but “every scenario is unique, which is why we have multiple protocols to respond to particular issues. There is no uniform answer for these questions.”
Braidwood notes IH and the province have yet to face a ransomware demand. To hopefully prevent ever getting one, “IH runs regular education exercises with all staff to ensure they have an awareness of phishing risk, how to recognize it and take appropriate actions.”
Abrey said the best defence against ransomware is to prevent an attack. The next best defence is to back up your data.
“Speaking generally, we depend on all of the various levels of security we have in place to help prevent an attack from occurring. The next best protection against a ransomware attack is to have good backups that can be used to restore data after the virus has been identified and killed.”
“We have backups to restore our data,” said Needham. She also said Summerland follows protocols from the Office of the Privacy Commissioner to address any breaches of privacy.
Some local organizations want the public know about the efforts they’re making on cybersecurity, but others were reluctant to talk about it.
“I would love to let our community members know about the work we are doing ensure the safety of students, parents and staff in addition to protecting their privacy and personal information,” said Rever in an email to The Okanagan Weekend.
Vernon school district didn’t want to reveal too much.
“We do not want to divulge too much information on the type of protection the school district has in place. We can confirm we have significant processes in place to protect the district from hackers, SPAM and ransomware attacks. Our system is monitored daily and staff is reminded to be diligent of questionable emails,” said spokeswoman Maritza Reilly in an email response.
West Kelowna and Penticton responded to our questions with essentially no comment. The Okanagan-Skaha school district didn’t respond to emailed requests for information.
“We live in a digital age. Research has shown that many people spend as much time online as they do offline, conducting both personal and business transactions. With this, digital attacks such as hacking, ransomware and phishing scams are prevalent across the globe. Every computer around the world that is connected to the internet is vulnerable is some capacity.”
— Christy Poirier, communications manager, City of Vernon
“We are following new developments in security strategy and compromise very closely. We are notified of attacks by some of the security agencies and groups we are a part of, as well as through the media. We look at attack vectors used and ensure that we have done everything we can to protect our-selves from something similar.
— Brian Abrey, infrastructure systems manager, City of Kelowna
We work closely with the Ministry of Education and a number of cybersecurity providers to deploy state-of-the-art and industry-standard security technology across all network systems and devices. Again, our planning and processes are very thorough so that we reduce technological risk and educate our users to reduce the risk of human error.
— Jon Rever, assistant superintendent, Central Okanagan Public Schools
IH takes our obligation to protect the personal health information of our patients and clients very seriously, and keeping IH systems and software up to date is part of a broader information security program that helps reduce the risk of cyber threats.
— Mark Braidwood, Interior Health director of information technology, and information privacy and security