Danbury-area towns ramp up efforts to prevent cyberattacks

March 3, 2018 GMT

BETHEL — Not long ago, Bethel employees got an email, apparently from the town’s human resources director, asking them to check out a link to an updated staff manual.

Many employees clicked the link. When they did, a message in big red type popped up on their screens, warning them they had been hacked.

It was only a test from the Information Technology department to teach employees how to avoid cyber attacks. But if it had been real, it could have put residents’ private information at risk.

The exercise was just one part of an ongoing effort in Bethel and nearby towns to train employees in cybersecurity.


“Cybersecurity has been an extremely important thing to protect taxpayer interest, to protect assets,” First Selectman Matt Knickerbocker said.

Bethel has signed up for its second year with KnowBe4 services, a nonprofit that helps the town conduct such tests and provides online training to employees, said Assistant Comptroller Brad Heering. The service costs $1,000 a year.

“A $1,000 investment that could save us tens of thousands of dollars is well worth it,” said Heering, who also serves as the town’s risk manager. “Unfortunately, cybersecurity is a major issue and a lot of towns are getting attacked.”

Governments are among the entities at highest risk for cyber-attacks, after business, medical and insurance companies, said Joseph DeLuise, director of information technology services for the Connecticut Interlocal Risk Management Agency, an insurance group that trains Connecticut municipal employees in cybersecurity.

“Cybersecurity is a critically important topic, particularly for municipal government, because of the kind of information they have at their disposal,” DeLuise said.

Local governments keep a “treasure trove” of information, including birth and marriage certificates, that hackers would love to get their hands on, DeLuise said, adding that cyber-attacks have become more profitable than the illegal drug trade.

Cybercrime is expected to cost the world $6 trillion annually by 2021, according to the 2017 Annual Cybercrime Report.

DeLuise said 90 percent of cyber breaches can be traced to human error—whether through clicking on a bad link in an email, using the same password for work and personal accounts or connecting to an insecure WiFi.

“Our training is focused on how to avoid those pitfalls,” DeLuise said.

New Milford has asked employees to take the cybersecurity webinars DeLuise’s agency offers, Mayor Pete Bass said.


“The thing is to stay vigilant and to reduce the ability for hackers to get into our system,” Bass said.

Bridgewater ramped up security and education for employees after a breach two years ago. First Selectman Curtis Reed said a hacker used a default password to shut down access to the assessor’s software program.

The error was the fault of a vendor system, not the town, and was quickly rectified, Reed said, and the information on the program was backed up, so there were no lasting problems.

“It was one of those things that was caught early and it wasn’t overly malicious,” he said. “We lucked out.”

But the incident prompted Reed to heighten cybersecurity awareness amongst employees, reminding staff to change their passwords frequently and ensuring that the town’s systems are secure.

“At this point, we are pretty well protected,” Reed said.

Danbury has also sent spoof emails to test employees’ abilities to spot potential attacks.

“Security is one of the biggest things that we actually look at from the IT perspective,” said Frank Gentile, Danbury’s information technology manager. “It’s not just constituent data; it’s employee data. We want to make sure it’s safe.”

The city also works with a third-party group to keep its software secure and up to date, Gentile said.

“We try to have a very short life cycle for any equipment and any software, whether it’s email security or computer network security,” he said.

Brookfield First Selectman Steve Dunn said the town started testing employees with spoof emails about three months ago. Fourteen percent of employees fell for the first test, but no one failed the second one, which was sent out sometime after staff completed an hour-long online training session.

“We’ve raised the awareness significantly,” Dunn said.

Dunn said he fears “ransomware” attacks the most, where hackers encrypt files on someone’s computer and demand payment to give the information back.

“Towns and corporations have a lot of sensitive information that we need to protect,” Dunn said. “I don’t want to tell the town I had to pay $1,000 to get my emails back.”

After Bethel’s test with the spoof staff manual, the town reminded employees that officials would never send a link like that in an email.

Other test emails Bethel has sent out included tipoffs that employees should be aware of, such as extra characters in an email address. This was the case when the town sent an email appearing to be from CNN that said Special Counsel Robert Mueller had indicted President Trump.

Knickerbocker said employees have stayed vigilant. Once last year, an employee from the finance department received an email that appeared to come from Schools Superintendent Christine Carver, saying that thousands of dollars needed to be immediately wired. Instead of sending the money, the clerk went to Carver’s office and the two realized what happened.

“The employees are doing very, very well,” Knickerbocker said. “It’s a discipline. You have to get used to opening an email and every time you see an attachment or link, look at it carefully.”