WATERVILLE — In March of 2015, the Lincoln County Sheriff’s Office paid $350 ransom after a computer virus infected its server and encrypted its data, essentially holding its records system hostage until the sheriff’s office paid a price. The virus was downloaded by someone who clicked on the link in an email.

In September of 2015, someone hacked the network of MaineGeneral Medical Center, compromising patient information such as birth dates and Social Security numbers.

Also in March of 2015, a hacker claiming to be Russian hacked the central Internet portal to the Maine state government offices, disabling it for about three hours.

These local examples show the need for greater cybersecurity training and awareness, officials said at a forum Monday. It’s why a professor at Thomas College and a coordinator for the Maine Emergency Management Agency are hoping to hold webinars and distribute information to municipalities throughout Maine on the subject.

Frank Appunn, a professor of information technology management at Thomas College in Waterville, and Cameron Wellman, cybersecurity coordinator for the emergency agency, spoke at Thomas College on Monday afternoon along with Forrest Labbe, a graduate student and director of the college’s Security Center. About 20 people gathered in the Summit Room for the seminar, and others tuned in virtually through a conference call.

The need for more focus on cybersecurity comes from an increase in threats from hackers who hold data for ransom, steal information or scam consumers. Businesses and governments, big or small, have to keep information secure, Appunn said, which they can do by maintaining three things: the confidentiality of the information, the integrity of the data and the availability of the information, meaning it is easily accessible for those who need it and is backed up for emergencies.


Some of the solutions seem obvious: Back up information, update firewalls, train employees not to click on links in sketchy emails. But the details are trickier.

According to Appunn, 87 percent of people in the U.S. can be tracked via their cellphones, which often contain GPS trackers. These trackers can be turned off though — “make it harder” for them to find you, Appunn said.

Consumers in general also have to be aware of the growing “Internet of things,” he said. Networks can be attacked through items people might not view as computers, but if they’re connected to a WiFi network, they leave you vulnerable. As an extreme example, Appunn talked about his new garage door opener, which connects to WiFi, and how someone could use it to attack him.

“You’re not safe in Maine. You’re no safer than you would be in San Francisco,” he said.

Labbe, who got his undergraduate degree in cybersecurity and IT management at Thomas College, discussed ways municipalities and businesses can prevent problems from arising. “When we think about cybersecurity, the first thing we think about is our programs,” Labbe said. “But we also have to look at the people. That side is often ignored in cybersecurity.”

Employee training can help raise awareness about scams and prevent exploitation. Labbe said people should be taught to verify before they trust. For example, if an employee gets an email from what looks to be the IT department asking for his password, he should call the department to verify that it’s them. Most likely IT will never ask employees for their passwords, he said.


Making backups is also essential for protection. Labbe said organizations should back up everything they can’t lose at that moment to multiple locations and test those backups. In one instance, Labbe had a local business test a backup that held two years worth of information only to find that none of the data could be recovered.

When it comes to passwords, Labbe said length matters more than complexity. If a password is complex but has only four characters, it won’t take a hacker long to go through all of the possible combinations, he said.

“It’s better to think of passwords as ‘passphrases,'” he said.

Wellman spoke about different information-sharing platforms that towns, law enforcement agencies and businesses could sign up for to stay aware of what hackers are doing and where in Maine they are doing it. For example, the Maine Information and Analysis Center takes federal-level information and melds that with state and local information, passing on relevant news on cyberthreats. It also sends out managerial cyberthreat reports, which Wellman said can be useful if a company’s management doesn’t see the value of cybersecurity.

“These threats show day-to-day compromise for industries that most likely the majority of you work in,” he said.

Wellman said they’re also working on developing a checklist for first responders, who may not know what to tell citizens when they call looking for help after a cyberattack or scam.

Madeline St. Amour — 861-9239


Twitter: @madelinestamour

Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.