The Pike County Commissioners met with Joe Corbin from Compass Integration and Robert Entler, an IT Specialist with Ohio Valley Technology, to talk about email security within the county.
Recently a county official’s personal email account was hacked and caused his paycheck to be deposited into a fraudulent account. Hours after the deposit was made via direct deposit and withdrawn by the hacker, the account was closed.
Even though this seemed to be done through a personal email account that was hacked, it got the commissioners thinking whether all county employed persons should only use county-affiliated email accounts, for official business, and how they should be protected.
Corbin explained that one change he would recommend is that each employee in the engineer’s office have their own email rather than two email accounts they all share, which is the current setup.
Pike County engineer Denny Salisbury defended the way his email is set up, but said he was not against change as long as conducting business can stay the same.
“I really like the way I have it,” Salisbury said. “One is a common email address: everybody sees everybody, which means I don’t have to distribute or explain to anyone. Everybody sees everything. Nobody does any personal, out of the way things on my email account, because it’s policed by everybody else.”
Corbin and Entlter explained that it could be set up where all emails sent to the current address will be distributed to everyone’s individual account, so everybody will still be in the loop.
The biggest difference will be when an email is sent the it will be from invidual emal address, not a shared one, As it is now they cannot definitively determine who sent an email because the email account is shared.
The next issue Corbin brought was multi-factor authentication. These are security measures that require a code to login to the portal.
“That is something Microsoft is going to enforce by the end of next month,” Corbin said. “So it’s probably a good idea to go ahead and have that done. Basically, if you login to the portal, you’re going to be required to have a code, Either you’re going to have to have an app, or it’s going to be text to your phone.”
“Everybody has a phone,” commissioner Jerry Miller said. “But when we start relying on personal phones to receive messages about county business that question is going to be asked, and maybe it should be about compensation for using personal phones. Maybe someone doesn’t have unlimited data or texts.”
According to Entler, another option for the county is to distribute what are known as smartcards that is similar to a USB drive that you would plug into your that would generate an app that would give you the code. That would eliminate anyone having to use their personal phones.
“We want to be safe,” Miller said. “But if we change the way people are conducting business, and there is an issue. They can point to and we might hear ‘it’s cumbersome or a nuisance’ that’s an issue. But security is security. Another thing is this is my personal phone and I’m at work, that’s another issue we’d be sensitive to.”
“So there is another option (besides using their personal phones),” commissioner Tony Montgomery said. “They can use their phones or we can have some smartcards. Iif somebody says ‘I am not using my phone for work’ we can issue a smartcard.”
No formal motion was made, but the auditor’s office will be the first office where an email security system is implemented and the county will go from there.
