By Phani Kolli, Chief, Security Operations Section

As stewards of the state’s financial data, FI$Cal’s Information Technology Division (ITD) works tirelessly every day to ensure the integrity of that data. More than $3.2 trillion in banking transactions and over a half of a trillion dollars in state spending flowed through FI$Cal last year alone. Approximately 15,000 system users and more than 150 departments use the system. That is an enormous amount of critical data to protect.

Security is a top priority for FI$Cal as is evidenced by our dedicated Enterprise Security Services Office (ESSO), which focuses on risk identification and mitigation through a variety of means including education, information technology security audits, phishing exercises, network monitoring tools, up-to-date security patching, penetration testing, and security policies. This is a continuous, department-wide effort involving every team within FI$Cal and we are always looking to improve these efforts.

In the last year and a half, COVID-19 related telework has added a new dimension to the security landscape. When FI$Cal employees began teleworking in different environments with varying points of access, the department’s security teams immediately pivoted to remediate any and all operational, process, and technology gaps related to working remotely.

The huge increase in telework across the state created opportunities for bad actors to launch new kinds of attacks in an effort to access corporate and government systems. The most common of these attacks involved social engineering and phishing. As a result, ESSO swiftly implemented various monitoring tools to closely monitor network and browsing traffic to detect those types of attacks at early stages.

The ESSO also provides yearly cybersecurity training to FI$Cal staff, which is one of the best ways to minimize the risk from phishing attacks. October is National Cybersecurity Month, and many state workers have been going through annual cybersecurity training exercises this month. Employees are given information and tested not only on how to spot phishing attacks, but also about handling sensitive data, securing devices that store data and other measures to protect data. ESSO conducts several phishing exercises per year to measure FI$Cal’s risk to phishing attacks.

ESSO also audits for key controls to be in place as per state standard. We ensure that our firewalls keep bad traffic out. We also have various devices that examine the data coming into the FI$Cal system. The State of California Telework and Remote Access Security Standard (SIMM 5360-A) is an example of a control that FI$Cal follows. The standard calls for enterprise-strength controls such as antivirus and security updates. ESSO checks that these controls are enforced.

We, as defenders of the FI$Cal system, have to be right 100 percent of the time, but bad actors only need to be right once.

We cannot afford to let our data be tampered with. We must be ever vigilant to protect it.

Security is everyone’s job. As end users of the system, it is important that you are doing your part to ensure security on your end. Below are some security tips:

  • Use strong password protection and authentication. The most critical factor is to make the password long. Your password should be at least 16 characters using a variety of capital letters, lower case letters, numbers, and special characters. In addition, your password should not contain your user name and should not be any of the 10 previous passwords.
  • Report any suspicious activity to your helpdesk immediately. The quicker you report an issue, the faster the mitigation response can be implemented. Even if you are unsure, it is better to report something and have it turn out safe than not report something and have it cause harm.
  • Avoid clicking on pop-ups, opening unknown emails and links. These are the common tactics used to gain access to information. It is best to verify the sender through a known email address or phone number if you are not 100 percent, sure it came from them.
  • Enable firewall protection at home. Making sure you change any factory-default passwords on any devices or software securing your home network is essential to making it more difficult for a malicious cyber actor to launch a successful attack.
  • Install security software updates and back up your files regularly. Updating software is one of the most effective steps you can take to improve cybersecurity. Besides adding new features and functionality, software updates often include critical patches and security fixes for newly discovered threats and vulnerabilities. Most modern software applications will automatically check for recently released updates.