Many Local Governments Withstood the 'WannaCry' Attack

Local governments like Haverhill, Mass., are glad they made cybersecurity a priority in recent years.

by Peter Francis, The Eagle-Tribune, North Andover, Mass. / May 18, 2017

(TNS) -- HAVERHILL, Mass. — Almost a year ago, Haverhill City Council President John Michitson stressed the importance of improving the security on city computers to protect the personal information of residents.

Now, after the ransomware virus WannaCry froze hundreds of thousands of computers in over 150 countries last week and demanded payment, the city is glad it took the necessary precautions to ensure its data stays safe and sound.

When constructing the budget for the 2017 fiscal year, the city set aside $566,260 for its Municipal Information Systems Department, according to Peter Karlson, the city's information technology director.

Mayor James Fiorentini said the city's IT budget "will go up" in the upcoming budget, but added he was unsure whether it would go up "by a lot or a little."

Karlson said after Michitson proposed the city investigate its tech security last year, the council approved an audit and an IT security committee, composed of city department heads, was created.

The committee rewrote the technology security policy. Another IT consultant, Frances Alexander, served as the adviser.

"Last year, the city set aside about $7,500 for the audit, and we took a portion of the IT budget to write the policy," Karlson said. "The audit didn't find any glaring weaknesses. Overall, our infrastructure is airtight."

In all, Karlson said the audit, which he said was conducted last year by Marcum, LLP, recommended only minor adjustments to the system's security settings.

While the city employs only one IT professional, Edward English, it hires out external consultants from firms like Karlson's, NeuEon, and others, including Boston Systems and Solutions, to man the city's IT help desk, provide strategic advice, and wire the city's computer network.

The city's total IT budget is dedicated to salaries and software licensing, an expensive, but necessary, proposition.

In its FY17 budget, the city set aside $138,000 for software licensing and $120,000 for system support, a figure that Fiorentini cut back $67,000 from the amount requested.

"Licensing fees can exceed $40,000 a year per program, and that's just to maintain what you've got," Karlson said, adding that the IT department is not looking for a large increase in its share of the budget this fiscal year.

"There aren't a lot of things we're looking to do, mostly replacing hardware and swapping out software to save some money," he said.

Fiorentini said the city has paid for two system back-up programs, as well as an imaging program that maps the city's IT network every day.

In addition, the city has switched its email server to a cloud-based system and has begun moving its back-up systems offsite to protect them from physical fires, which Fiorentini said have wiped out IT networks in other cities around the state.

As the rest of the world continues to grapple with the WannaCry attack, Karlson said Haverhill pays Boston Systems and Solutions to keep its systems proactively updated and patched across the board. He said the city spent $30,000 last year on backing up its entire system.

And in a city which operates around 500 computers in its network, that is no small task.

Karlson said he recalled a past NeuEon client that saw its system become infected with a similar ransomware virus after two employees clicked on a link in the same email.

"It downed their entire system for 48 hours," said Karlson, adding the lost productivity cost the company between $300,000 and $400,000.

While the city can take every security precaution money can buy with its system, Fiorentini said the biggest issue for tech security has been and will likely always be human error.

Fiorentini said that he has learned a lot about cyber security through working with Karlson and Alexander. He said he has also spoken with Police Chief Alan DeNaro about ways to improve cyber security.

"We've been going through a lot of training with our employees. But the big, big issue, 24/7, is human error," said the mayor. "We tell them unless you're positive the email you're receiving is legitimate, do not open it and tell Ed (English) or Peter Karlson."

©2017 The Eagle-Tribune (North Andover, Mass.) Distributed by Tribune Content Agency, LLC.