Given a recent spike in cyberattacks on municipal governments and school districts across the country, local officials are on high alert about the security of their computer systems.
“East Hampton Village is very proactive, you really have to be,” said Becky Molinaro Hansen, the village administrator.
The village employs an independent contractor to monitor its computer systems: government, the police department, and the dispatch center. Information about potential threats, Ms. Hansen said, is shared among members of the Suffolk County Village Officials Association and the New York Conference of Mayors.
While the village has not been alerted to any specific concern recently, it is continually on the lookout for hackers seeking to gain access to private information. A few months ago, for example, the village intercepted a “phishing” email from someone impersonating a village employee. The scammer supplied a bank account number and asked that the village deposit the employee’s pay checks electronically to that account. The scam was foiled when the village noticed irregularities in the email.
About two years ago, hackers hijacked the Montauk School’s computer system, said Jack Perna, the superintendent, and held it for ransom for Bitcoin. The district paid $900, and afterward hired an outside company, Long Island Computer Networks, to oversee its systems.
“All of our files were encrypted. . . . Within three or four days we had everything back,” Mr. Perna said. L.I.C.N. now has a staff member working full-time at the Montauk School. “Our antivirus software works so well that half the time I can’t get on our website,” the superintendent said.
Cyberattacks are “rather common, actually, and I think any large organization is vulnerable without the right measures in place,” said Steve Mazza, chief executive officer of the Hauppauge-based computer company, which has over 20 school districts among its clients. “I don’t think anyone is 100 percent immune, but there are certainly precautions that should be taken that reduce the risks significantly.”
In the East Hampton School District, administrators last year dealt with four instances of phishing. On Tuesday, the district held a training session for all employees about cybersecurity.
“There are ongoing, thoughtful, pre-emptive measures being taken by our technology department to avoid any unfortunate situation in the East Hampton School District,” Superintendent Richard Burns said in an email. “At this time, this is all we can share to protect the safety and confidentiality of all staff and students.”
The Springs School spent about $24,000 to upgrade its “storage area network” over the summer. “It protects all of our computer networking,” Michael Henery, the district’s business administrator, said during a June 17 school board meeting. Springs will receive state funding to help offset that cost.
In an email, John Charlton, who handles information technology at Springs, said the district “is constantly evaluating and improving . . . security measures in place to protect the students, student data, school financial data, and all of our technical assets.” Springs employs a strategy called “Defense in Depth,” he said, which “layers” firewalls, antivirus software, policies, self-audits of the security system, and a robust backup system.
That “layering” of security infrastructure is exactly what L.I.C.N. recommends school districts, municipalities, businesses, and other entities put in place. “It comes down to having multiple security pieces,” said Rich Cintorino, the company’s lead security specialist. “The analogy we like to use is an onion. Each security piece is like a layer in an onion. The more layers [hackers] have to get to, the harder it is to impact the school districts or other organizations.”
East Hampton Town also uses “a multilayer strategy to protect the integrity of its computer system and reduce the risks of a cyberattack,” according to Supervisor Peter van Scoyoc. “We understand the importance of continuing to adapt to the changing environment of cyber threats and to remain continually up to date.”
To further bolster security, L.I.C.N. recommends changing passwords regularly and creating complex, hard-to-decipher passwords. “We still have ‘Password’ and ‘Password1’ in the top-10 most common passwords,” Mr. Cintorino said, sounding incredulous.
Ms. Hansen said East Hampton Village employees are frequently asked to update their passwords, and noted that certain sensitive programs require dual log-ins, meaning that two people must authorize access to them.
Staff training, regular software updates, multifactor authentication, robust data backups, and paid versions, not free ones, of antivirus and anti-malware software are also recommended, said Mr. Cintorino. “The free applications don’t give you enough,” he said.
In many circumstances, it’s a foreign entity doing the hacking. “What usually happens is that really smart bad guys create this stuff and sell it to less capable hackers, who kind of use different attack tactics to get people,” Mr. Cintorino said. “They’re not necessarily the brains behind it, they just happened to have some money to use to create an opportunity.”
The Rockville Centre School District was a victim of a ransomware attack about two weeks ago, and paid almost $100,000 to have the system restored (largely covered by the district’s insurance policy). A handful of similar incidents have been reported upstate. The New York State Education Department sent a memo in July to all school districts warning them to take precautions against hackers and viruses.
Schools and municipalities can avoid having to pay ransom to unencrypt their data by backing up all of their files on a separate system. “If it were to happen, if any of these districts or organizations had solid backups with a good history of their backups, and even an untainted backup offsite, restoration is the way to go and there’s no reason to ever have to pay a ransom,” Mr. Mazza said.
--
Correction: The Montauk School paid a $900 ransom as a result of a cybersecurity attack four years ago. The amount was originally described in Bitcoin value, which was incorrect.