Arkansas’ top tech official issued a warning at an IT industry meeting last week.
“Government is under attack,” Mark Myers, the state’s chief technology officer, told the Arkansas TechJunction conference.
According to Myers, state government computer systems face 75,000 attacks per day. That means all of the state’s information systems, which host student and financial management information, public employee data, and troves of insurance data, could be vulnerable.
Myers said his state was working to avoid what happened in South Carolina, where, in 2012, 3.6 million Social Security numbers and thousands of credit card numbers were stolen from the state’s Department of Revenue. According to Myers, it took two weeks to close the vulnerability and cost the state millions of dollars. And it all started when one state employee clicked on a link in a nefarious email.
“It was as simple as a split-second action,” said Myers, who also directs the Arkansas Department of Information Systems. “There is an employee who had clicked on a phishing email.”
Arkansas is no stranger to phishing attacks, either, Myers said. In fact, a hacker started sending phishing emails to state employees a few months ago. A database administrator, who should have known better, Myers said, clicked on the phishing email. But Myers’ department caught it in time and was able to send notifications before damage was done, he said.
CIOs “have to be successful every time, but cyber criminals only have to be successful one time,” Myers said. “I lay awake at night wondering, ‘has my network been breached? Has data been stolen that I don’t know about?’”
But that doesn’t mean the state can catch every attack — in 2014, Arkansas State University reported a breach to a professional development database for early childhood practitioners. Overall, the breach affected as many as 50,000 people, Myers said. The University of Arkansas for Medical Sciences has also had two data breaches, including one that compromised 1,500 patient records.