Wellesley strengthening its cybersecurity

Following a recommendation from the town’s Audit Committee, Wellesley underwent a review and risk assessment of its data security protocols this past spring and summer in an effort to better protect its digital assets.

Town of Wellesley IT Director Brian DuPont recently summarized key findings and recommendations from the cybersecurity assessment for the Select Board (see Wellesley Media recording of the Nov. 7 Board meeting at about the 35-minute mark), and replied to our follow-up questions. The assessment, funded by a $50K authorization from Town Meeting, was conducted in partnership with a tech consultancy and integrator called GreenPages. The presentation gave me flashbacks to my days as a reporter and editor for Network World fighting the good fight vs. tech acronyms and jargon.

“While the IT department has routinely internally evaluated our security posture for many years, we welcomed this opportunity to take a closer look at our systems because (A), COVID radically changed our operating environment overnight and (B), the threat landscape has changed so dramatically over the last several years as well,” DuPont told the Board.

The 8-phase assessment examined everything from vulnerability testing to data retention and remote access security to social engineering (bad people trying to trick town employees into allowing unapproved access). Technical reports and a summary delivered by GreenPages for now are being closely guarded under public records law to keep the town’s IT systems safe.

(Note: This assessment focused on the town’s core data network for business and financial operations, not those of Wellesley Public Schools, the Police Department, or the library.)

The town rated well in some areas and could use improvement in others. Its perimeter defense—firewalls for blocking unauthorized access from outside and web filters to prevent employees from inadvertently clicking on potentially malicious URLs from inside—is strong.

However, Wellesley could stand to formalize its risk and vulnerability management approach, which has been over-reliant on its institutional knowledge at a time when even the most expert IT professionals can’t be expected to stay up on all the new threats. DuPont cites the Mass Cyber Center, regional conferences and events such as Massachusetts Digital Government Summit and the Massachusetts Municipal Association Annual Meeting, and regular email conversations with counterparts in other communities as ways in which he stays current.

“A more sustainable approach to security requires an appropriate skill set either in-house or outsourced to deal with continuously changing threats,” DuPont said. The town already conducts regular phishing training and distributes cybersecurity reminders, but additional training will be needed when bringing staff on board and on a continuous basis, while IT security policies need to be better documented for current and future staff.

Maintaining certain standards is needed to qualify for and maintain cybersecurity liability insurance. To date, Wellesley hasn’t had to file a cybersecurity-related claim, DuPont said.

Wellesley also seeks to shore up its endpoint security, that is, safeguarding devices its employees use to protect against threats such as ransomware, where criminals seek compensation for allowing a target back into its own systems and files. This involves a combination of technologies, including threat monitoring services. (Wellesley suffered a ransomware attack in 2016, but thanks to good backup and other protocols did not pay ransom and was able to restore encrypted files.)

The town plans to boost its adoption of multi-factor authentication, which you may be familiar with as a requirement for something you know (like a password) and have (like a smartphone) before allowing access. Wellesley’s employees largely went remote during the pandemic, and their systems are protected using multi-factor authentication, but there are some challenges to address involving individuals uncomfortable with using personal devices to authenticate themselves.

Helping to make sure all of the above happens, the town is looking to fill a new cybersecurity administrator position, which replaces a long-vacant systems administrator position. The market for such talent is competitive.

The biggest immediate challenge for the IT department is its temporary relocation of the server room during the Town Hall’s interior renovation.

“I’m going to be perfectly honest with you here—we are going to be hard pressed to tackle any sort of larger scale initiatives here until probably at least the spring,” DuPont told the Select Board, terming the server room relocation as “the single most impactful project” in the department’s history.

None of this is going to be cheap. “The budget impact of these recommendations is significant,” DuPont told the Board. The IT department has a fiscal year ’23 operating budget of about $1.3M and the prospect of a new managed detection and response service that goes for some $50K a year, plus other rising software and service costs, is going to present new financial challenges in upcoming budgets. This holds true despite the existence of grant funding that should be available to cover at least some initial expenses.

The FY ’23 operating budget included a $41K line item for cybersecurity. Breaking the cost out is designed to help the town gauge its cybersecurity spending versus that of other organizations.

DuPont is a member of a state planning committee exploring development of a statewide cybersecurity plan and figuring out how some $3.2M in cybersecurity funds coming from the federal Infrastructure Investment and Jobs Act will be spent. So that should keep him very much in the loop about new grant opportunities as they arise.