
Transcript of JoCo on the Go podcast 09/30/19

Announcer: [00:01] Whether you live in or just love Johnson County, Kansas, JoCo on the Go has everything Johnson County. Here's what's happening and what's coming up in the community you call home.

Theresa Freed: [00:14] Thanks for joining us for JoCo on the Go. I'm your host, Theresa Freed, Johnson County resident and employee of Johnson County government. Today we're talking about cybersecurity. So much of what we do anymore is done through the internet and how do we know the information we're submitting in online forms or sharing through email is really going where we think it is? We have some great experts here at Johnson County government to shed some light on what you need to know to keep your information safe and also what the county's doing to protect confidential information. Joining me for this conversation are Donna Gomez, a security risk and compliance analyst with the county and the county's new Chief Information Officer of the Department of Technology and Innovation, Bill Nixon. And welcome to you both and thanks for being here.

Bill Nixon: [00:58] Thank you. I'm glad to be here and I'm glad we're doing this podcast. One of the tenets of the cybersecurity program is really to provide some education. So this is a great opportunity I think to provide some education to the residents and businesses that do business with the county.

Theresa Freed: [01:12] All right, perfect. And this is a timely topic because October is cybersecurity awareness month, but this is really an issue, Donna, that we need to be focused on every single day. Is that right?

Donna Gomez: [01:21] Yes, it is. Cybersecurity is everybody's responsibility. It's not this job of people who are doing the security function at an organization, but it's something that everyone should focus on.

Theresa Freed: [01:31] Okay. And we don't want to, we don't want people to think of the internet as being a scary place, but people really should be cautious and the information that they share. So what are some of the scams to watch out for? Anything that we have, especially here in Johnson County?

Bill Nixon: [01:44] One of the big things is phone scams that have been increasing a lot because it's so easy to get information from people when you're talking to them via the phone, either through scare tactics or being friendly. In most cases, the phone calls that you get are spam or malicious. Personally, I don't answer phone calls from numbers that I don't know. If it's important, the person normally leaves a voicemail and I'll call them back. You've probably heard it in the news and I've heard news stories about people being scammed by people calling and saying, I'm from a government agency. You need to make immediate payment or I'm going to arrest you. Something like that. Most in fact, all government agencies aren't going to do that. The IRS is not going to call you and ask for money over the phone. So just be very careful if you do get that type of phone call, don't, don't respond, hang up. If you do think it's a valid threat, call that agency back. Look up their phone number on the internet or in a phone book. If you still have phone books and call that agency back and confirm that there's not something going on, more than likely it's nothing.

Theresa Freed: [02:52] You know, it's funny, I get those on a, I wouldn't say regular basis, but you know, decent amount and you still feel little bit of a panic for a second and then you have to tell yourself, no, this is not legit. Don't worry about it. So and you know, I know that reassurance is probably especially helpful for people who don't get those calls quite so often. Is that right?

Donna Gomez: [03:11] Yes. And a lot of times people ask, well, what can I do about it? How do I stop these calls? And the biggest thing, the easiest thing to do is go to the FTC website and you can actually submit that phone number besides doing the do not call list. You can actually submit and if you received an email or even receive that phone call, you can report all the information and tell them what happened and then they will actually track those down.

Theresa Freed: [03:31] Okay. So if somebody gets a call from someone claiming to be Johnson County and asking for personal information, we need to assure them, obviously, that is not going to be legit. That's, that's not us. That's not how we are.

Bill Nixon: [03:42] The other thing you can do is a lot of the phone carriers have applications that you can download or services you can sign up with and they will filter, pre-filter, a lot of those phone calls that come to you. So you'll get notified that you got a spam call from a certain number, but it won't ring through to you. And it's a great service that most of the major cell phone carriers provide.

Theresa Freed: [04:02] Okay. And I know that, you know, there's general awareness, but also just about the county specifically. We take security very seriously here and we have a great staff that's really dedicated to, to making sure that, you know, staff members information is protected and also the general public. And I know you probably can't go into a lot of detail, but just some, some reassurance for them.

Bill Nixon: [04:24] Yeah. For security reasons, of course, we won't go into any of the detail about what we do. But however, what I can say is we have a very robust internal cybersecurity program. We actively work with government agencies and companies to coordinate both the detection and response to cybersecurity incidents. And it's a never ending process that we do. Attackers are constantly coming up with new methods of attack. We need to adapt in how we respond to that on a regular basis and how we detect it. We have a multilayer security model, so if, if somebody does click on a malicious email, we catch it through other mechanisms, for example, so that multi-layer security is always important. And we have a lot of that implemented within the county and we'll continue to enhance it because of the attacks that continue.

Theresa Freed: [05:12] Okay. And the work of the county isn't limited to the county. So you guys work pretty closely, as you mentioned, with some of some of our community partners and other entities. Can you talk about this upcoming event where you'll be hosting some, some important topics?

Donna Gomez: [05:29] Monday, October 28th, as part of cybersecurity awareness month, we actually will host an event that's open to the public. So you can be someone who works at a local business or you just be a resident and come to this and you're gonna hear it from different sources. We typically have the FBI which will give a briefing, which is always good because that way everyone can ask questions on what law enforcement is doing to help track down these hackers as well as the preventative measures that a person can take. Cause sometimes that little snippet of information from an awareness perspective of here's the risk and what you need to do. Hearing it and seeing it and being able to ask questions is usually a better method for everybody. So that's that opportunity that we want people to enjoy.

Theresa Freed: [06:10] And is this the first time we're doing something like this?

Donna Gomez: [06:12] No, this is something that will actually be our second year that we've done. We had it previously in 2015 and then we brought it back last year. And so we want to keep this going on year after year.

Theresa Freed: [06:24] Okay. And you mentioned the date, if you want to mention the time and location and how people, if they need to register.

Donna Gomez: [06:30] We'll have the registration shared on the county website. It will be about 8:30 in the morning. We try and allow for traffic, so that's why we're just trying to confirm that start time. But it's, it'll be on Monday, October 28th.

Theresa Freed: [06:43] All right. And where should people go?

Donna Gomez: [06:44] That will be here at 111 South Cherry Street. Our administrative building.

Theresa Freed: [06:48] Okay. A lot of people are familiar. That's in downtown Olathe. So pretty easy to find and good parking. And so we hope to see lots of people there so they can learn about cybersecurity and keeping their families safe. Anything else you both want to add? Just a message to the public about, about protecting their information?

Bill Nixon: [07:06] I think the key thing is just for awareness. Talk with your kids, for example, talk with your parents, make sure that people are aware of what's going on in the environment. And don't be afraid to, if you do hear something, you get a weird email or something like that, ask other people about it. Especially with children, make sure that you talk to your children about that. Children are very open to sharing information and we want them to be that way except when the person on the other side could be an attacker. It's something that we only need to be aware of and make sure that we are secure in the environment. It's not just about physical security anymore. It's about that cybersecurity and what can be done online.

Theresa Freed: [07:52] Right. That's some great advice there. And thank you both for joining us today. For more on cybersecurity, we're joined by Geoff Jenista, an advisor with the Department of Homeland Security. Thanks for joining us.

Geoff Jenista: [08:05] Well, thank you ma'am for inviting me. It's always a pleasure working with Johnson County.

Theresa Freed: [08:09] All right, well first off, talk to us a little bit about what your role is with Homeland Security and then also what your relationship is with Johnson County, as far as that role goes.

Geoff Jenista: [08:18] My official job title is a cybersecurity advisor in the FEMA region seven, which encompasses Nebraska, Iowa, Missouri and Kansas. I'm pretty partial to Johnson County cause I live here just up the road from where we're doing the podcast. With our focus on critical infrastructure that would be primarily energy, water, lifeline services, and what will be coming up next year being our election processes.

Theresa Freed: [08:48] And how does that relate to, to cybersecurity?

Geoff Jenista: [08:52] There's been a lot of attacks, nation-state actors that have been in the news for a number of years now. Their goal is to disrupt our economy, our lifestyle, our freedoms, the communities, get them to question our public officials, our leaders, things like that. And they're doing it via cyber because they don't have to be in the facility. They can be sitting in another nation to do this. So there's little chance of them being caught.

Theresa Freed: [09:21] All right. And so how closely do you work with government entities such as Johnson County in terms of addressing this issue?

Geoff Jenista: [09:29] I've worked now for about two and a half years with Johnson County. We've got some really good relationships. We're preparing to do just some cyber exercises on different functions within the county to support the county and the other communities Johnson County does support. We have a close relationship with the Secret Service and the FBI; they have been a part of our exercises, their ongoing briefings. It's really good solid developed partnerships for preparation activities, incident response activities, all the processes that surround keeping the, the cyber infrastructure operational so that the community gets, gets their services.

Theresa Freed: [10:15] Okay. It seems like we hear about this issue on a pretty regular basis and criminals are always finding ways to prey on unsuspecting people. What are some of the more popular scams that still seem to, to get what they, what they desire?

Geoff Jenista: [10:30] The easiest thing and the most popular vectors or how they're doing this is by email. The challenge for everybody is that with the smart phones and the online connectivity through Facebook and Twitter and all this other social media activities that the average consumer in the community has 17 online accounts. What we have found is that when our IT departments tell us to change our passwords, well, we change all 17 accounts to that exact same password. So the, the criminals out there are getting very good at sending new targeted emails because you've posted things on Facebook. They know you like Buffalo Wild Wings, they know you're going to a soccer game. They will send you targeted emails and ask you to verify your email and your password. And once they get one, they can pretty much figure out what your other user accounts are at work, possibly your banking, things like that. So the number one things I don't, I don't like to use stolen, but exfiltrated from systems were emails and passwords last year. Little over 6 billion of them in just the U.S.

Theresa Freed: [11:50] Okay. So as far as passwords go, as mentioned, people have a lot of different places they store passwords and when they're changing them, they're changing them all to the same thing because it's easy to remember. Maybe. So what are some ways that people can safeguard that information in a better way?

Geoff Jenista: [12:09] Homeland Security will not make recommendations because we're vendor neutral. Personally I use a password wallet type thing. There's free ones out there you can, that will store your passwords. Whatever those passwords look like. And then you only need to remember one complex password. Complex would be greater than eight characters, upper case letters, lower case, special characters and numbers. It gets a little confusing for people, but if you remember one complex one, you can get into your password wallet and it can log in for you. Just make sure every account you have has a unique password individual to that. The other thing that's coming available anymore, they're doing it with banking, with Facebook and some of the other social media is what's called multifactor authentication. So you tie your smart device, your computer, whatever that is, however you log into these accounts when you log in, your phone or device would then get a text saying, please enter the code. This multifactor is something you have and something you know, so you log in, you have your device, you now get a text that's unique every time. And so you're the only one. You've just proven your identity. It's not somebody else trying to get into your accounts. And that's, that's a feature all over the place now. So turn that on please.

Theresa Freed: [13:45] Okay. And so that's kind of scary that all that information is stored in your phone. What happens if your phone gets lost or stolen?

Geoff Jenista: [13:53] If you have the right account through like Apple there is a capability you can go to your, your account and remotely delete everything, factory reset it. The, the thing we're finding amazing is that people are willing to use these touch devices on their phone. I want to use my fingerprint. I want to use what facial scan. But then you get into the corporate world and they're like, Oh no, you're not getting my fingerprints. You're not getting my biometrics. And we're like, but you're using it on your phone. Well, that's my choice. Okay. So it is very secure. Using biometrics as an authentication device. There's, there's a whole lot of vectors that, that they could come into. Like I said, complex passwords, biometrics, multifactor authentication. These are easy things. They're adaptable. Watch your kids. Watch what you post on social media.

Geoff Jenista: [14:50] You know, they'll, I understand you like to tell your friends when you're out of town or away or on vacation or eating, but that just opens yourself up for, hey, they're not home. Internet of things. There was some, some stuff in the news of, I believe it was the Samsung TVs that they were able to get into those internet of things and turn the cameras on or the microphones on, on the TVs and record you. They can do the same thing through these home devices like Siri. Just be very cautious on how these are connected. And again, if you've got a home network, don't leave the device with default passwords. Like there's a couple home routers that the path, the user ID is password and the password is password and they leave them that way. You have to change that up.

Theresa Freed: [15:41] Okay. Everything is kind of technology driven now. So it seems like this is something that, you know, every single person who exists in our universe now really needs to pay attention to. Right?

Geoff Jenista: [15:53] Well, it is. Think about the hospitals. Your medical records are electronic now. You get an X Ray, it's sent electronic across, it's, there's no films are looking at. Your prescription medications. They're now transmitted 90% of the time electronically from the doctor's office to your pharmacy. Anybody can intercept that, change it up there they could hurt your health. It could potentially impact first responders if, if we lost power, if it impacted the police station and the dispatch systems. I think the most expensive ransom so far in the United States was about $4 billion or million dollars. Excuse me. There was somebody local to Kansas City, just under a million dollars, just paid the ransom because they had to stay operational. And everybody talks about emails and scams and what to be looking for and there's a lot of good training programs out there. I've seen we've, we've got one company here in the Kansas City Metro area that went from about 34% click rate on these bad emails down to 2%. And they were proud of that. But the math still says that's 170 people clicking on that email. That's 170 people opening a door or a window for a bad person.

Theresa Freed: [17:23] We don't want to scare people, but it sounds like, you know, just need to stay on top of it no matter who you are. Right.

Geoff Jenista: [17:28] I mean, this is October is cybersecurity awareness month. There's a lot of material out there. I highly recommend everybody talk to your kids about it. Talk to your, your family. Talk to your parents particularly. Those tend to be easy targets is the kids and the elderly. They want things easy. Focus on it. Reiterate it at school, talk to your educators. This is a lifestyle for us nowadays. You, we need the internet. It's not like everybody get home when the street lights come on anymore and this is, you can send a text to your kids and they come home kind of a deal. Other scary parts. Look at our cars, they're connected to the internet, Bluetooth, whatnot. You've seen the news, all these self-driving cars. What happens if somebody gets in and hacks that somehow, I don't know. It's not, it's not scary if you just do the right things like check the front doors at night before you go to bed. If you do that, there's no difference between that and what we refer to as cyber hygiene.

Theresa Freed: [18:31] Okay. And what should people know about who do they contact if they suspect, for example, their bank information or their social security number has been compromised?

Geoff Jenista: [18:44] Contact your banks immediately. The banks are all over this. They can put stops and holds on your funds if you catch it in time. And it was a fraudulent transaction possibly going overseas. They may or may not. If it's large enough, contact the FBI who can, if it's within the first 24 hours, they have about an 80% chance of recovering those funds. Anything after that, it drops dramatically. Contact your credit bureaus. They have whole processes to report credit fraud. Check your credit reports, make sure there aren't any accounts being opened up. I would even invite parents to check their kids' accounts because the kids aren't, can't get credit till they're 18, 19 years old. But if a bad actor gets a hold of the social and the information from say a school or something like that, that gives these folks 12 years use of that social or birth date, undetected.

Theresa Freed: [19:43] That's scary.

Geoff Jenista: [19:49] Yes ma'am.

Theresa Freed: [19:50] Goodness. All right, well some great advice there and of course look for some links and more information about how to record cybercrimes on jocogov.org/podcast. Thanks for listening.

Announcer: [20:03] You just heard JoCo on the Go. Join us next time for more everything Johnson County. Have a topic you want to discuss? We want to hear from you. Follow us on Facebook and Twitter at JoCoGov. For more on this podcast, visit jocogov.org/podcast. Thanks for listening.