QUESTION
What aspects of the Office of Technology and Innovation's (OTI) response to the cybersecurity incident involving the New York City Automated Personnel System (NYCAPS) Employee Self-Service (ESS) portal can be improved?
2:01:35 · 5 min
The council member inquires about potential areas for improvement in OTI's response to a cybersecurity incident involving unauthorized access to the NYCAPS ESS portal.
- The Chief Information Security Officer explains that OTI worked quickly to identify and close threats, and implement enhanced security measures for the public-facing portal.
- OTI conducted an employee awareness campaign about the incident, which was a novel step.
- While the specific threat was neutralized, OTI still issued a threat alert to employees to raise cybersecurity awareness.
- The incident provides an opportunity to enhance communication procedures and further mature the city's overall cybersecurity posture.
Jennifer Gutiérrez
2:01:35
I wanna wrap up with something that we've spoken to OTI directly about, the NYCAPS employee self-service issue.
2:01:47
And I just want to say that I think, from the time that we were notified to the time that, you know, the site was accessible outside of work computers,
2:01:55
I think that was very quick.
2:01:57
So just wanna acknowledge that much.
2:01:59
But there were a lot of questions as to kind of the protocol in notifying us as the council.
2:02:08
Yes.
2:02:09
But as also people that utilize this service, like myself, this was during tax season.
2:02:15
I personally found out through the news that there was no direct, I think the direct notification from OTI came maybe 24 hours after it was dropped in the news.
2:02:24
So I just wanna ask if you think there were aspects of the city of OTI's response to that cybersecurity incident that you believe were important and areas that you think can be improved.
Kelly Moan
2:02:35
Thank you for the question.
2:02:37
And again, thank you for allowing me an opportunity to speak about this publicly.
2:02:42
I think a couple things are really important to just provide the public an overview on.
2:02:47
First, as I mentioned in my opening and continued thread, social engineering tactics, tactics to lure individuals to disclose their sensitive information or their credentials, continue to be omnipresent
2:03:02
as a tactic being used by threat actors.
2:03:05
And so in this particular case, we worked expeditiously to identify that, to close any threats that were ongoing that might, that users might have been susceptible to.
2:03:19
In the particular case of ESS, we also identified that there could be an opportunity to improve cybersecurity hygiene in furtherance of protecting users.
2:03:32
As I mentioned, users are a line, and our city workforce is a significant line of against cyberattacks, which we have, which is why we have a robust cybersecurity awareness and training program.
2:03:45
But the reality is that I think we all in the room and online probably have either them yourselves suffered from a cyber incident where you're disclosing your username and password or somebody in your family, somebody that you know. And so it was really important for us to work with FISA and DCAS to very rapidly identify that there was an area of opportunity we could take advantage of the time frame, of identification of a threat, and we worked quickly to implement enhanced security measures in the public-facing portal.
2:04:16
And we did so because we believed it was the right thing to do, and we did so quickly with close partnership, obviously, with FISA and DCAS.
2:04:26
In terms of communication, just like any incident or any routine business that Cyber Command endeavors to enter into, we always are looking for ways to improve and be more efficient and optimize.
2:04:41
I think my team hears that from me about fifty times a day.
2:04:45
In that regard, I think communication for a citywide base.
2:04:49
Right?
2:04:50
We have relevant communication procedures with our security teams and those security teams with HR teams, IT teams, and all of that is well actioned and well understood.
2:05:04
In this particular case, we took above and beyond action for our public-facing portal to implement enhancements and with that coincided with an engagement and awareness campaign that really had never been done to in totality across city base.
2:05:21
So
Jennifer Gutiérrez
2:05:22
Sorry.
2:05:22
There was a public awareness campaign on this particular
Kelly Moan
2:05:25
On the employee self-service site?
2:05:27
Within the city domain.
2:05:28
Yes.
2:05:29
Okay.
2:05:29
And so that was new Anastat.
2:05:31
So it was new and novel for that to be done.
2:05:35
And I think that's important to mention because as we see more tactics or tactics being perpetrated by threat actors, but also an opportunity to double down on the messaging that you as an individual are a line of defense, you know, essentially a human firewall, as we call it, against these attacks.
2:05:53
It's also important to socialize that citywide.
2:05:56
And so with partnership with DCAS, we were actually able to send out a threat alert for agency employees, even though that ongoing threat for that particular threat actor was neutralized.
2:06:11
We still thought it was to the benefit of the population and in the community that we were able to send out that alert.
2:06:20
And so there's always, as part of any incident, there's always an after action, areas of opportunity that we can enhance and that we can improve.
2:06:31
And while it is never a good day when we suffer an incident, it always provides an opportunity of improvement and maturation, which continues our cybersecurity journey and posture for City.
Jennifer Gutiérrez
2:06:44
Can you share how many city employees were directly impacted by that incident?