Date: 2023-04-29

WILMINGTON — Wilmington’s IT Director John O’Neil provided a presentation to the Select Board at their meeting on Monday night. He presented two recent initiatives coming out of the IT department.
The first initiative he described was a year-long cybersecurity training. O’Neil detailed that cybersecurity is important because most town operations have technological components and employees use connected services to perform their everyday job functions.
He also mentioned that while technology provides a number of benefits to those who use it, it needs to be used in an appropriate manner for the benefits to outweigh the risks.
He shared the figure of $9.44 million as the average cost to a business in the United States in the event of a cyber breach, which doesn’t account for the ransomware payment. He added that a ransomware attack involves a bad actor encrypting all files so that they cannot be restored until the payment is made.
He also shared that 58 percent of local and state governments were hit with ransomware attacks last year, and that an average of one month is required to recover from a cyberattack. Most cyberattacks, he said, begin with a phishing email, which is another reason why cybersecurity training is critical.
The training grant allows all of the town’s municipal employees — fire, police, and dispatch — along with a few Wilmington Public Schools staff to participate in a year’s worth of training. It would add up to 4-5 hours over the course of the year. There is a test at the beginning, followed by four training modules, and a final assessment test to measure progress.
The first module will cover phishing, emails, passwords, and surveillance. The second will include training on malware, ransomware, and business email compromise scams. The third module will provide training on secure printing, mitigating compromised devices, and urgent requests. The last module will pertain to artificial intelligence, mobile application security, and protecting data.
Some of the benefits of this training that O’Neil highlighted were improving the first line of defense against cyberattacks and ensuring employees know the best cyber practices and recognize digital clues while they perform their job functions. The town’s insurer also offers credits if the town achieves a training completion rate of over 80 percent.
O’Neil said that the department sends out ongoing phishing simulations where employees who fall for the simulation are required to attend a targeted email phishing training.
The second initiative O’Neil described is a switch to the use of multi-factor authentication for account logins. This, he said, involves a secondary way to identify an individual during sign-in. The town’s insurance requires the use of multi-factor authentication on all computer login and web email accounts by June 30. This includes the town’s vendors and all of the various board and committee members.
He went on to say that this is a recommended security practice according to the Cybersecurity and Infrastructure Security Agency. The second layer of verification acts as protection if a user’s password is compromised.
The rollout plan involves giving all users two weeks to decide which type of authentication they would like to use, either a hardware token or their personal device. Then, they would set up the configuration in the backend according to who selected which mechanism.
He also mentioned that there would be a need to seek funding from the Finance Committee since they didn’t have enough notice to include this project in the budget. Implementation would hopefully be finished between the end of May and June. They would launch the authentication technique in one department at a time.
The board members each thanked O’Neil for his work in this area. Greg Bendel commented that this type of authentication process is relatively easy to use on a daily basis in his own experience. O’Neil added that when using the personal device option, a notification will come up on the phone and the user simply hits approve.
Kevin Caira asked how much money the IT Department would ask of the Finance Committee. O’Neil replied that the cost to implement would depend upon the mechanism selections made by the users.
Town Manager Jeff Hull noted that this is the third year that the town has obtained the cybersecurity training grant. He expected that this type of training and other security requirements would become more extensive as ransomware and bad actors get more creative.
