Extracted from Consolidated Report

This investigation was originally published as part of a larger consolidated report containing multiple investigations. View the consolidated PDF for the complete document.

Santa Cruz County Grand Jury • 2023-2024

Cyber Threat Preparedness: Phishing and Passwords and Ransomware, Oh My!

Published: May 18, 2023 • 24 pages

Findings and Recommendations 23 findings

F1
Santa Cruz County does not have a Cybersecurity Plan, and the absence of a current plan that defines security policies, procedures, and controls required to protect its networks and devices increases the risk of vulnerabilities.
Related Recommendations (1)
R1
Santa Cruz County should prepare and implement a Cybersecurity Plan, ensuring that city officials and all staff are well aware of the plan details, their responsibilities, and associated policies. (F1)
F2
Santa Cruz County does not have a sufficiently detailed Incident Response Plan, indicating they would not be prepared to respond rapidly and effectively in the event of a cyber incident.
Related Recommendations (1)
R2
, the county should revise and expand its Incident Response Plan to clearly delineate the steps it will take in response to a cyber attack, the responsibilities of identified officials, and the coordination required with state and federal officials for each type and level of cyber attack. A detailed plan is a requirement for continuity of county operations in a cyber incident. (F2)
F3
Santa Cruz County participates in multiple information sharing groups at regional and state levels, although it has only minimal interaction with the cities across Santa Cruz County, degrading their ability to fully understand regional vulnerabilities.
Related Recommendations (1)
R3
The County’s information sharing efforts should be expanded to ensure fulsome information sharing across all government entities in the county, specifically Santa Cruz, Watsonville, Scotts Valley, and Capitola. A simple schedule of monthly meetings would permit regular sharing of possible threats, TTPs seen across the county, and information learned from outside organizations such as the Cal-CSIC. (F3)
F4
The City of Santa Cruz seems to have an adequate IT Department structure; however, in late 2022, 40 percent of its positions remained vacant, leaving them inadequately staffed to mitigate and respond to cyber attacks.
Related Recommendations (1)
R4
The City of Santa Cruz should prioritize filling its vacant IT department positions by Fall 2023. The IT Department and the Human Resources (HR) Department should revise its position requirements, compensation packages, and recruiting priorities to enable the City to attract qualified personnel to these positions. (F4)
F5
Inadequate staffing and high attrition have led to overworked staff and raise the risk of cyber vulnerabilities across its networks.
Related Recommendations (1)
R5
By Fall 2023, Santa Cruz should identify and implement creative approaches to hiring and retention so they can maintain a fully staffed IT Department despite the competition with surrounding counties. The City should investigate potential partnerships with one or more of the 18 California colleges and universities with National Centers of Academic Excellence in Cybersecurity. (F5)
F6
The City does not have an individual dedicated as the lead for cyber security, which could lead to inadequate preparation for and response to a cyber attack.
Related Recommendations (1)
R6
By Fall 2023, the City of Santa Cruz should assign one individual responsible for cybersecurity. Adoption of a managed service provider arrangement will boost its security posture, although it does not eliminate the need for a dedicated security lead within the City’s IT Department. (F6)
F7
The City of Santa Cruz does not have a Cybersecurity Policy, suggesting that preparations to mitigate a cyber attack are inadequate and not widely shared.
Related Recommendations (1)
R7
or sooner, the City of Santa Cruz should develop and implement a Cybersecurity Plan that encompasses all aspects of information security. (F7)
F8
The City of Santa Cruz does not have an Incident Response Plan, and this absence indicates that the City will be challenged in responding to a cyber attack, especially a ransomware attack.
Related Recommendations (1)
R8
or sooner, the City should complete an Incident Response Plan with sufficient detail for city officials to use as a step-by-step guide in the event of a cyber incident. (F8)
F9
Santa Cruz participates in some information sharing organizations such as the California Municipal Information Services Association (MISAC), yet it has minimal collaboration within the county and the other cities, forfeiting opportunities to share best practices and understand threats.
Related Recommendations (1)
R9
Once the IT Department has adequate staffing and , it should expand its participation in local and state information sharing groups to maintain current knowledge of the threat environment and emerging technologies. (F9)
F10
After recently expanding its IT Department, the City of Watsonville has improved its IT functions although it does not yet allocate sufficient resources to cybersecurity.
Related Recommendations (1)
R10
Watsonville should conduct an evaluation of its recently expanded IT Department, critical IT upgrades, and the status of cybersecurity measures. Based on this assessment, the City should allocate existing or newly identified resources to ensure cybersecurity is adequately addressed going forward. (F10)
F11
The City does not have an individual whose primary responsibility is cybersecurity for the city networks, leaving cybersecurity oversight to the IT Director, along with a multitude of other IT responsibilities, and lowering the priority for cybersecurity measures.
Related Recommendations (1)
R11
Given the size of Watsonville, the City should have a dedicated position for cybersecurity, to ensure adherence to best practices, mitigation of potential threats, and education of city staff and leadership. (F11)
F12
Watsonville does not have a Cybersecurity Plan that defines security policies, procedures, and controls required to protect its networks and devices, a situation that increases the risks of vulnerabilities.
Related Recommendations (1)
R12
By early 2024 or sooner, Watsonville should prepare and implement a Cybersecurity Plan that addresses all of the best practices for strong cyber hygiene. (F12)
F13
Watsonville does not have an Incident Response Plan that provides detailed information on how to respond to an attack, suggesting the City would not be able to respond rapidly and effectively to a cyber attack.
Related Recommendations (1)
R13
By early 2024 or sooner, Watsonville should prepare and implement an Incident Response Plan with sufficient detail to serve as a guide in the event of a cyber attack. (F13)
F14
Watsonville participates in some regional information sharing forums, but it does not have the resources to expand its participation or tap into state-level information sharing, thus forfeiting valuable best practices and cyber threat information.
Related Recommendations (1)
R14
Upon completion of IT structural upgrades and a higher level of cyber maturity, and , Watsonville should participate in local, regional, and state information sharing initiatives. (F14)
F15
Although Scotts Valley’s managed service provider is very knowledgeable and capable of providing cybersecurity services, there is no single city official with cybersecurity oversight, potentially leading to a poor understanding of the threats and an inadequate response to a cyber attack.
Related Recommendations (1)
R15
By mid-2023, Scotts Valley should assign a city official as the lead for cybersecurity for the city. This individual should oversee the contractor’s performance in cybersecurity and ensure city leaders are well informed on emerging threats, cybersecurity challenges, and information provided from regional and state entities. (F15)
F16
Scotts Valley does not have a current Cybersecurity Plan that defines security policies, procedures, and controls required to protect its networks and devices, potentially increasing the risks of vulnerabilities.
Related Recommendations (1)
R16
Working with its IT contractor, by Fall 2023, Scotts Valley should write and implement a Cybersecurity Plan that is shared with all city officials to demonstrate comprehensive security measures and executive-level cyber threat awareness. (F16)
F17
Scotts Valley does not have a current Incident Response Plan, which could exacerbate the effects of a cyber incident, such as increasing the time a network is unavailable or raising the potential financial costs of a resolution.
Related Recommendations (1)
R17
By Fall 2023, Scotts Valley should write an Incident Response Plan that clearly delineates the steps it will take in response to a cyber attack, the responsibilities of identified officials, and the coordination required with state and federal officials for each type and level of cyber attack. (F17)
F18
Scotts Valley does not participate in any cybersecurity information sharing groups to enhance best practices; rather, they depend on their contractor to stay informed, which makes the City last to know of critical cyber threats.
Related Recommendations (1)
R18
Scotts Valley should participate in local, regional, and state cybersecurity organizations for information sharing. (F18)
F19
With one individual responsible for IT services, Capitola does not allocate sufficient resources to cybersecurity, a status that could lead to poor cyber knowledge and unnecessary vulnerabilities.
Related Recommendations (2)
R19
By Fall 2023, Capitola should hire a full-time IT Director to replace the IT Director who departed in mid-2022. The IT Director should oversee and expand IT services, including those of the consulting company, and lead cybersecurity initiatives. (F19)
R24
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks. (F19–F23)
F20
The City of Capitola does not have a robust cybersecurity training program, nor does it conduct phishing tests or routinely remind employees to adhere to cybersecurity measures during potential periods of increased threats.
Related Recommendations (2)
R20
The City should develop a more robust cybersecurity training and phishing testing program for all employees by Fall 2023 or earlier. (F20)
R24
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks. (F19–F23)
F21
The City of Capitola does not have a Cybersecurity Plan to address cybersecurity measures city wide, suggesting the city is not adequately mitigating the potential impact of cyber incidents.
Related Recommendations (2)
R21
Capitola should establish and implement a Cybersecurity Plan. Several resources exist to provide a foundation or templates for these plans, including NIST Guidelines, CISA resources, and Cal-CSIC guidance. (F21)
R24
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks. (F19–F23)
F22
The City of Capitola does not have an Incident Response Plan, which could exacerbate the effects of a cyber incident, such as increasing the time a network is unavailable or raising the potential financial costs of a resolution.
Related Recommendations (2)
R22
By Fall 2023, Capitola should prepare an Incident Response Plan that provides detailed guidance for a city response to a cyber attack. (F22)
R24
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks. (F19–F23)
F23
Capitola does not participate in any cyber-focused information sharing groups, nor does it take advantage of state and federal resources designed to assist small cities with mitigating cyber attacks, thereby forfeiting opportunities to learn best practices and raise their cyber awareness.
Related Recommendations (2)
R23
When appropriately resourced to monitor cyber threats, and , Capitola should participate in regional cybersecurity information sharing groups, to gain valuable information to best protect the City. (F23)
R24
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks. (F19–F23)

Agency Responses 1

No Responses Found 5

Government entities assigned to respond to this report. No response documents have been linked in our database.

Capitola City
Santa Cruz City
Santa Cruz County Board of Supervisors Elected County Office
Scotts Valley City
Watsonville City