ULYSSES, N.Y. — The New York State Comptroller’s office is telling the Town of Ulysses to improve its IT systems and cybersecurity — a process which the town says is well underway.
The audit was conducted throughout the summer and fall of 2021, and its results were released by the comptroller’s office on April 1.
The key findings were that the town of Ulysses’s Board had inadequate IT policies such as lacking a contingency plan in the case of disruptions, like those caused by natural disasters or hardware failures; a lack of a written service level agreement (SLA) between the town and their IT service provider; and a mismanagement of local user accounts.
Of the town’s 46 local user accounts, 6 of them were for former employees, a loose end leaving the opportunity open for unauthorized access to the town’s IT system. The comptroller’s office also found that account passwords were not routinely updated, were typically simple, and that there was no limit to login attempts, which benefits malicious hackers.
The comptroller’s office recommended that Ulysses establish an SLA with their IT service provider to better cement the two parties’ accountability to one another. The IT service provider is not named in the report, and the Town of Ulysses was not able to immediately respond to provide the provider’s name.
In the report, the office wrote, “Without a written SLA, the [Ulysses Town] Board and the IT service provider do not have stated responsibilities and procedures for how to resolve any failures in IT controls, service disruption or data breach.”
The recommendations come as small towns have been increasingly raised as a vulnerable target for hackers aiming to ransom and extort funds from.
The report revealed that Ulysses hadn’t previously known about the gaps in its IT system. The examiner wrote in the report that, “Officials told us that they believed that the policies covered in the Town’s employee handbook sufficiently covered IT issues, and they were not aware of the IT policies that they were missing.”
The Town of Ulysses responded to the comptroller’s office with a letter in March, prior to the report being released to the public. In it they outlined some of the work the town Board had begun in accordance with the state comptroller’s office recommendations.
The Board formed an IT/Cyber Subcommittee to make policy and procedural recommendations to the Town Board, moving to purchase insurance coverage for cyber protection, and hire an IT consultant to explore “still unknown issues” with the town’s IT systems.
Ulysses Town Supervisor Katelin Olson released a statement in April highlighting these steps, and thanking the state comptroller’s office for the guidance on how to best upgrade the town’s IT systems in an “age of unprecedented cyber attacks” on small municipalities.