Thread: Wayland Computer Security: Delays Lead to More Risk

    Remember when hackers broke into the Wayland Finance Office last January, and almost stole $4 million of our taxpayer money? The Board of Selectmen hired three IT consulting firms to assess the problem: Elysium, Advent and McGladrey. Over $100,000 was spent. So you are probably thinking, "They took care of it, to stop the hackers."

    Unfortunately, significant computer security problems have not been fixed – even though these problems were highlighted in Elysium’s investigation, Mike McCann’s (Advent Consulting) report to the Wayland Board of Selectmen on 13 July, and McGladrey's first report in August. Most of the “high priority” security upgrades recommended in the McCann and McGladrey reports have not been funded, scheduled or even planned.

    Risk and potential cost to Wayland taxpayers:

    Without appropriate security protection, hackers can easily take complete control of a Wayland computer via the internet, steal data, plant malware and spy on users – from inside Wayland’s network firewall. The computer becomes a ‘zombie’ that hackers control remotely to launch a wide range of criminal schemes.

    These security flaws put the entire Wayland network at grave risk – including confidential data for over 20,000 current and former Wayland residents, students, teachers and staff. If this data was stolen, the cost of notification and identity theft protection for every affected person – plus likely financial liability from lawsuits – would easily run into the $millions for Wayland taxpayers.

    A number of these computer security issues are so severe that I cannot describe them on the WEN site. I sent confidential letters to the Board of Selectmen, Finance Committee and School Committee with more details. As a member of the FBI / DHS InfraGard program, I also offered to meet with them in Executive Session to review the risks and solutions.

    Solutions are clear:

    Elysium, Advent Consulting and McGladrey gave clear recommendations that the Wayland Board of Selectmen should follow. Based on their expert advice, Wayland should immediately allocate $500,000 from the ‘free cash’ fund to cover the cost of implementing all of the security fixes, ASAP.

    If Wayland does not have enough trained IT staff to quickly implement all of the security upgrades, they should hire an IT services company to install them, and operate / manage the systems if necessary. This is McGladrey's first "high priority" recommendation -- #1 at the top of their list.

    Shifting $500,000 out of free cash may not be popular politically in Wayland vs handing this money back to taxpayers. (Wayland currently has more than $4 million in 'free cash'.) The Wayland Board of Selectmen, Finance Committee and School Committee need to show leadership. With reports from Elysium, McCann and McGladrey in hand, they can explain to Wayland taxpayers why quick action is necessary. Delay will not be cheaper. Wayland will have to pay for these security fixes now or later, and if there is another breach we could all end up paying much more.

    If the present course continues:

    If the Board of Selectmen do not take action now, the Town may vote on another round of computer security upgrades at the next Annual Town Meeting in 2016, followed by RFPs in May and June, for implementation (best case) over the summer. This would be a full 18 months since the attacks in January of 2015.

    Wayland will remain very vulnerable all the while. If, heaven forbid, there is another breach, Wayland taxpayers could easily be liable for $millions in financial damages and mitigation costs. Imagine the case a plaintiff's attorney could make, "They knew, and they had the resources but...."

    There is nothing to be gained by delay but more risk.

    There is some good news:

    (1) The Wayland School Committee did not wait to fix a major security problem. After the hacking attack, they launched a project to replace old Apple computers that could not be upgraded with a current version of Mac OS X -- a major security issue. They issued RFPs, picked the least expensive option and signed the agreement in July. All of the new computers and upgrades were installed over the summer. This significantly improved security for Wayland Public Schools.

    (2) Wayland IT and the Finance Committee drafted a Capital Improvement Project (CIP) for the November Town Meeting, based on the first report from McGladrey. They included only 3 of McGladrey's 7 "high priority" upgrades, however, so this is a 1/2 step forward. The Board of Selectmen need to take quick action to fund and implement the rest.

    Documents are attached:

    I attached a copy of the July 10 report to the Wayland BoS from Mike McCann (Advent Consulting) which includes his assessment and recommendations, and my public letter to the BoS.

    Please let me know if you have any questions.

    Mark Hays
    Last edited by MarkHays; 10-17-2015 at 02:29 PM.
