Cybersecurity: What steps are Long Island towns, villages, cities taking after Suffolk ransomware attack?

Alarmed by a September ransomware attack that crippled Suffolk County government, several Long Island towns and villages said they are re-evaluating their cybersecurity programs and taking steps to close vulnerabilities that could be exploited by hackers.

Municipalities contacted by Newsday said they had not experienced any recent attacks on their systems. But the breach on Suffolk County computer networks that may have exposed the Social Security numbers of some 26,000 county employees and the personal information of up to 470,000 people was a wake-up call, they said. 

For instance, in East Hampton Town and Patchogue Village, officials are beefing up their cybersecurity systems.

The Sept. 8 ransomware attack on Suffolk County exposed weaknesses in hardware that stores sensitive personal information on employees and people who pay fees and fines to county agencies, officials said, and it forced the county to resort to paper records and in-person payments, applications and evaluations across a range of departments.

“It really made you aware of the gravity of it,” Patchogue Mayor Paul Pontieri told Newsday. "If you can paralyze a county … and paralyze Suffolk County, can you imagine what it would do to a village our size? It would shut us down.” 

Town, city and village agencies, from clerk's and tax receiver offices to courts to building and police departments, typically store information from residents and employees such as home addresses and driver's license numbers that could be of interest to hackers.

Steps to ensure cyber safety

Long Island municipalities, speaking generally about cybersecurity in the wake of the county attack, said they believe their computer systems are protected against hacking attempts, and some said they have moved in recent months to improve data backups, upgrade monitoring programs and educate staff about cybersecurity.

Officials in Brookhaven, Riverhead and Southampton towns declined to disclose how much they spend on cybersecurity and refused to discuss details of their programs — citing fears that even the slightest public dissemination of those measures might help hackers break into their systems. But they said their systems were secure and tested frequently. 

Riverhead Supervisor Yvette Aguiar, a retired NYPD sergeant, said the town has increased monitoring since the county attack and worked to ensure it has data backups both locally and off-site. “Currently, we have not experienced any unusual activity or losses in our town,” she said in a voicemail message to Newsday.

Brookhaven Town “had a number of things in place prior to what happened to the county that protected our system, and we continuously monitor, update and upgrade,” said Kevin Molloy, chief of staff to Supervisor Edward P. Romaine.

East Hampton Town on Dec. 20 authorized $865,000 for a cybersecurity service to monitor possible cyberthreats and implement a cloud-based backup system, and Pontieri said Patchogue officials are following recommendations from the village's East Northport-based consultant to move more sensitive information to the cloud.

Smithtown officials met last fall with IT staff to discuss upgrading security, conducting "penetration testing" to see whether data is secure and possibly hiring an outside consultant to monitor the town's systems, spokeswoman Nicole Garguilo told Newsday.

“There’s no harm in ... hardening your defenses and review what you’re doing,” she said. “You could have a secure [system] this month, and next month someone hacks into your system."

The Islip Town Board voted 5-0 on Jan. 24 to pay a Pennsylvania firm, Custom Computer Systems, $136,000 for "investigation, repair and remediation" following the discovery in November of what town officials called "unusual activity" in cyber systems.

The Town of Southold has added to cybersecurity since the county attack, implemented multifactor authentication and is in the process of getting cyber insurance, said Lloyd Reisenberg, network and systems administrator.

Officials in Long Beach, Hempstead, North Hempstead and Oyster Bay were tight-lipped about protocols but said they take protecting municipal IT systems seriously and regularly test safeguards in place. 

Officials in the towns of Huntington and Babylon declined to comment or did not return phone, email and text messages.

Glen Cove Mayor Pam Panzenbeck told Newsday the city has budgeted $100,532.49 this year for cybersecurity, about 52% of its information technology budget.

Cybersecurity consultants contacted by Newsday warned against complacency, saying no system is perfect and breaches are inevitable.

"The biggest mistake we see with state and local governments is not taking cybercrime seriously enough," said Steve Morgan, founder of Cybersecurity Ventures, a Northport-based cybersecurity research firm. "The prevailing attitude having to do with a major cyberattack is that, 'It won't happen to us,' which leads to, 'We'll deal with it when it happens.' " 

'No one on the internet is safe'

Budget-conscious municipalities often don't spend enough on security — a shortsighted view that could lead to much greater costs later on, said Vahid Behzadan, assistant professor of cybersecurity and networks at the University of New Haven in West Haven, Connecticut. Paying ransom and restoring compromised systems could run to millions or tens of millions of dollars, he told Newsday. 

Behzadan and others strongly recommend moving backup data to off-premises sites such as cloud systems and storing some information in separate on-site computer systems. They also advise simpler steps such as frequently changing passwords, adopting multifactor authentication — using separate devices to log in to computers and email — and training staff to recognize potentially malicious messages. 

“Many of the larger organizations drill on a regular basis, but smaller organizations either can't see the benefit” or think it’s not cost-effective, Behzadan told Newsday. “In many cases, it’s worth the time and the effort because it prevents larger problems that may occur.

“No one on the internet is safe. ... Everyone on the internet can become a target or a victim of a ransomware campaign,” he added.

Estimates of Suffolk's costs related to the September breach have ranged from $5.4 million for investigation and restoration to as much as $17 million for new software, hardware and licenses.

County Executive Steve Bellone said in December officials refused to pay a $2.5 million ransom to hackers.

Gov. Kathy Hochul on Wednesday proposed the state provide $44 million to strengthen local governments’ cyber defense and response to attacks. The funding would cover hardware and software security tools and the cost of some trained workers. The idea is to reduce vulnerabilities in government computer networks in state and local governments, she said.

Suffolk officials added $8 million to the county budget this year for cybersecurity. The funds are earmarked for 10 cybersecurity analysts, a chief information security officer and to "upgrade and harden existing systems to better protect the county from the possibility of future intrusions," Suffolk spokeswoman Marykate Guilfoyle told Newsday in an email Friday.

The Nassau Legislature in December approved a contract with a cybersecurity vendor but did not disclose the vendor or how much the firm would be paid, citing concerns that such information could compromise county systems.

Hacking tests to security upgrades

Attacks on town and village systems appear to be rare.

But Islip Town reported suspicious activity during the Thanksgiving weekend that prompted the town to "limit access as we thoroughly review any potential unauthorized use of the system," officials said at the time.

Town officials declined to specify the nature of the suspicious activity or how it was addressed. Newsday on Thursday submitted a state Freedom of Information Law request for that information.

Officials of other towns said they regularly test their systems for flaws, even conducting surprise tests of staff. 

Paula Pobat, information technology director for Southampton Town, said the town has both in-house staff and an outside consultant working on cybersecurity. She declined to discuss specific security measures.

“We continue to look at our cybersecurity posture as part of our daily operations. Can I say that something has changed specifically [since September]? Probably not,” she said. “The town, and probably all towns at this point, need a cybersecurity coordinator. I think that really is a necessity, which probably wouldn’t be the case five years ago.” 

Would you fall for this spam email?

Here is an example of a suspicious email used by Shelter Island Town IT staff to train employees about potentially malicious messages. The town conducts “test-phishing” exercises in which fake emails like this are circulated to see if employees respond to spam. Those who click on links contained in the emails are reported, and those employees receive additional training, Shelter Island IT director Kevin Lechmanski told Newsday.

Shelter Island IT chief Kevin Lechmanski said the town regularly conducts hacking simulations, or "test phishing," by sending fake emails to staff. Employees are trained to look for anomalies such as nonstandard email addresses that indicate a seemingly innocuous message could be an attempted hack, he said. 

“People are pretty aware … about what not to open,” he told Newsday. “If you know what you’re looking for, you can tell that they’re kinda fake.”

Some phony emails, such as the infamous Nigerian prince scam, are relatively easy to spot, Lechmanski said. But others might be disguised as the kind of casual messages office workers see every day, he said. 

“Someone sent out an email saying, ‘We’re organizing a birthday party,’ " Lechmanski said, recalling one recent spam message. "Uh, no, we’re not.”

Patchogue officials agreed to upgrade their cybersecurity following a Dec. 12 presentation by Sourcepass Inc., the village's IT consultant.

Sourcepass security architect Dan Levy told officials and residents at a village board meeting that the Suffolk attack left the county scrambling to restore systems that had not been properly "segmented," or separated from main data storage centers.

“When systems went down, their ability to restore and get things up in a timely matter was very difficult," Levy said. 

“There’s never perfect," he said. "We always have to continually improve.”

With Brinley Hineman, Brianne Ledda and Michael Gormley

By Carl MacGowan

carl.macgowan@newsday.comCarlMacGowan

Carl MacGowan is a Long Island native who covers Brookhaven Town after having previously covered Smithtown, Suffolk County courts and numerous spot news and feature stories over his 20-plus year career at Newsday.