Part of the research involved the use of ethical hackers: IT professionals who try to break into the SWO's systems. They discovered various vulnerabilities. The SWO has been informed of these and has since taken measures to solve the problems.
Test phishing emails were also sent to employees. With such emails, criminals try to steal data or money.
The email test was carried out in June. About thirteen percent of employees clicked on the fake message, and almost half of them entered personal details. According to the Courts of Audit, De Wolden and Hoogeveen score lower than other municipalities, but the result gives a flattering picture, the researchers say.
Two weeks earlier, SWO had received a real phishing email. The organization paid attention to this, which should have increased employees’ alertness to the danger. “Such defense mechanisms work, but in that light, 12.9 percent of clickers on the test with the phishing email can still be interpreted as quite a lot,” the report reads.
“We can also conclude that risk awareness among employees has increased due to the ‘real’ phishing email at the beginning of June.” The same test was carried out on council members. “Nineteen (De Wolden) and eighteen (Hoogeveen) percent clicked on the link, respectively.”
The research also looked at password use in the organization. Of the 1,446 user accounts, 209 had passwords that were a year old or older, 108 had passwords that never expire, and 194 passwords were used more than once. The Court of Audit believes this points to an inconsistent password policy.
The researchers also checked whether employees were familiar with the rules regarding information security. There are often protocols that they must adhere to. The Court of Audit examined how well staff are aware of these and whether the procedures are put into practice. Scores are given on a scale from one to five.
A five means the situation is handled well, a three that it is reasonably under control, and a one that there is a lot of work to be done. The SWO scores a 1.5. “This means that there are procedures, but incomplete. And that they are carried out inconsistently and ad hoc,” the report states.
The Court of Audit states that SWO has already taken steps in the past to improve the security of information. Yet more is needed: for example, more money to tackle the problems and additional staff. There are not enough employees who take care of information security in the organization, the researchers say.
Staff awareness of security could be improved. “And make sure that management understands the need for this and communicates it.” In addition, the policy on handling information must be more complete, the researchers say. It must be supplemented with the correct protocols and guidelines.
The SWO board says it is working on an awareness program for staff with regard to information security.
“The challenge here is people as a risk and success factor: attitude and behavior are not easy to influence, but it is the people who can actually implement improvements and must be vigilant, with which we make circumstances more manageable.” According to the board, this is difficult due to the high turnover of staff.
The report of the audit committees is supported. The SWO first wants to get the basics in order in the near future. “The maturity of the organization is still low, but various actions are being taken to bring this to the desired level.” For example, councilors and mayors want to become ambassadors to increase awareness.
The municipal councils of De Wolden and Hoogeveen will consider the Court of Audit’s recommendations on December 21.