SC Department of Revenue
June 25, 2013: Rotarian Andy Brack introduced our speaker, Bill Bloom, Director of the SC Department of Revenue. Mr. Bloom started his position earlier this year after being appointed by Governor Haley. He had previously been a Senior Tax Partner at Ernst & Young and has ties to Charleston. He attended Chicora High School in the mid ‘60s, received his Economics degree from Presbyterian and has a Master's degree from the University of Denver.
Mr. Bloom stressed that during his tenure at the Department of Revenue he wants to assure citizens that the state government is working hard to protect Social Security numbers, personal information, etc., to prevent another security breach similar to what happened last year when SC was hacked and nearly 5.8 million personal records were stolen.
Mr. Bloom gave a brief overview of the Department of Revenue, stating that it administers 32 different taxes and fees and collects 95% of the revenue used by the State’s general fund.
One of the main purposes of his talk was to review the various types of breaches and security issues facing the Department of Revenue, including hacking and malware, which they face every day. The DOR communicates with hundreds of different organizations and collects information on state businesses, education facilities, healthcare organizations, government/military and nonprofit entities. On August 13, 2012, a malicious email carrying malware was sent to the DOR, and the attackers stole usernames and passwords. Last year’s security breach cost the state over $20M. Since that time over 1.5 million SC residents have enrolled in Experian, and he was hired to help fix the problem.
The 3 Most Common & Critical Risks:
1. Tone-at-the-top: The leader of the organization controls the situation.
2. User apathy & indifference.
3. Culture.
There are additional issues that contribute to security risks, including the DOR’s budget, expectations of users and taxpayers, and organizational conflicts. Since the breach the DOR made a choice: “Security is non-negotiable.” The DOR has now changed its procedures on email to improve containment. They have two-factor authentication for email and other information, and they now have encryption of data at rest. There has been progress to date on the DOR’s implementation of new protocols, and they will be approximately 50% complete implementing the new procedures by 10/13/13. It is a difficult task because of the magnitude of DOR system access by more than 1,000 users of the system.
Some changes they made are that the Chief Information Security Officer now answers directly to the Department Director, not the CIO. The Department now has a much more stringent auditing process, and they no longer do internal auditing. They have implemented security employee education to the tune of 4,000+ hours, and they now test employees on “phishing” emails. They have also developed a Security Council and a system of “Security Layering.”
The results (since March 2013) are that 795,000 spam emails have been blocked, 4,600 items of malicious content blocked, and over 1,400 files quarantined. Numbers in April and May were similar and are showing improvement, indicating that their new protections are working.
Submitted by Steve Coe, Keyway Committee