I was interviewed for a news story that ran on Friday night, on WSB Atlanta, about Child Protective Services (CPS) and how they’ve had a business email compromise.
The insane thing, for me, is that the big headline isn’t that this is yet another example of how simple it is to phish people and steal everyday users’ credentials. It’s not even about how insane it is that an agency that has such highly sensitive information about the weakest and most vulnerable in our society doesn’t appear to use two-factor authentication of any sort. The headline, my friends, is unfortunately much worse than this.
For years now we’ve all been talking about how important it is to have good cyber hygiene. “Do the basics” and all that has been on the lips of security professionals far and wide. As a parent and cyber security professional my heart hurts and I want to scream. I want to grab the people responsible by their shoulders and shake them and yell “What the hell were you thinking?!” until they hear me and understand. But therein lies the problem.
There are two issues at play here, which have come together in the most catastrophic way possible. First, with all the available security technology that could have prevented a business email compromise… it’s pretty clear (although I don’t have conclusive proof) that this tech was either not in use, or not implemented effectively. Second, and miles more disastrous, is that social workers whose job it is to protect the weak, vulnerable, and already exploited — our children — somehow thought that email was a good place to put highly sensitive information.
I’ll break this down in two pieces, so this post doesn’t end up a book.
Let me start with the fact that a close friend — outside the cyber security bubble — pointed out that “people that are not you don’t know that email isn’t secure”. That felt like a slap on the face on a frosty morning. It stung. She’s right, of course, and I think that’s what’s frustrating me. Somehow in the over two decades that I’ve been in this field the collective “we” have failed to convey to our users that email is not secure. How could we fail so catastrophically?
Come on now…social workers have apps they use, and they should know better. Isn’t it common sense that email isn’t secure? No. This isn’t common sense — and I think that’s at the root of the problem. But I think the problem is even deeper still.
Consider peeling this onion back further. Many of the men and women who are social workers know that this isn’t a glamorous field filled with high technology and good pay. These agencies get by with minimal tech, little training, and terrible pay. So it’s a pretty logical leap to say that most of the tech they use is “in the office”. And here’s the issue…
When Covid-19 hit, and it hit hard, social workers couldn’t just stop doing their jobs. So they joined everyone else that could, and went virtual. I’m willing to bet a decent sum that the IT department at CPS didn’t have a robust and ready work-from-home plan in place for such an event. I’m willing to wager that their response was something like “Use whatever you have available to you at home and do your job the best you can.”
A million things could have gone wrong from here… so what we have is a likely under-resourced organization with poor security technology, lacking best-practices, and under-prepared staff — that should be guarded with all the fervor of Fort Knox. I hope every agency across the country in this position is reviewing its budget and practices right now because they’re likely in the same boat.
There is so much that could have, should have, would have here… but at the end of the business day I place the failure squarely on an industry that lives inside our own little bubble. We have an embarrassment of riches in terms of widgets, tech, and gadgetry. We have experience. We all know better, and we laugh and shame those outside the bubble that “don’t get it”.
We’re failing. When incidents like this happen we collectively need to take stock in what we’re doing, who we’re talking to, and what our goals are — because adjustment is badly needed. This one is on us all.