BRANDON — Following a selectman’s suggestion, the town will begin drafting a cyber-security policy.
Selectman Tim Guiles said at Monday’s Select Board meeting that he recently viewed a webinar hosted by the Vermont League of Cities and Towns on cyber security.
“It heightened my awareness of the need for our town to have a cyber-security policy, which I understand we don’t have one at this point,” said Guiles.
He said after the webinar, he got permission from Town Manager Dave Atherton to speak to town employees about what they’d do if they learned the town’s computers had been compromised. Guiles said he thinks town employees can be trained on the latest cyber-security practices, and a cyber-security policy or protocol can be drafted, for little to no cost.
“Even though we all kind of roll our eyes and say of course we know this stuff, it changes often enough — new scams come up often enough — it struck me as being a useful and necessary regular aspect of keeping our system safe,” he said. “And it wouldn’t cost us any money. It’s really a matter of creating a policy of management.”
He said training and a security policy was one of two items he thinks the town should address, given what he learned from the webinar.
“The second one which they alerted us to is that starting Jan. 17, 2020, Microsoft is no longer supporting anything previous to Windows 10,” said Guiles. “The supporting part is really quite important because that’s how you get viruses and vulnerabilities in the system.”
He said a few of the town’s computers are still using Windows 7, and the town should budget to have them upgraded lest they become liabilities.
The third item was possibly contracting with or hiring a network administrator who is and will remain an expert on internet security threats.
The town has been affected by hackers once before, Guiles said. He noted that many hackers target small towns specifically, knowing their defenses aren’t as strong as others. He said the problem seems to be new enough so that the VLCT doesn’t have any model cyber security policies.
“I propose we come up with our own policy,” he said. “I think this is still new enough territory where the reason they didn’t have a model policy is because there aren’t a bunch of them out there. I don’t think it would be harmful to take a first swipe at it.”
The other selectmen were supportive of drafting a policy. No vote was taken, but it was agreed that Board Chairman Seth Hopkins would meet with Guiles in the coming week, and they’d start working on a draft policy.
Hopkins said Friday he didn’t have many details on the past hacking incident, but knew the town clerk’s office lost some files because of it.
Town Manager David Atherton said at the Monday meeting that since the last problem, the town uses a new IT service, and has far more sensitive email filters than before.
“We discovered that IT folks hadn’t backed a lot of stuff up that was supposed to be backed up, so they’re not with us anymore,” he said. “We got someone local to come in, and it’s been good so far, but we need to do more.”
