BY ELAINE GOODMAN
Daily Post Correspondent
Despite being a high-profile city that might be an appealing target for hackers, the city of Palo Alto lacks formal procedures for addressing information technology risks, according to a consultant.
Universities and tech companies in the area may spark the interest of “potential bad actors,” according to Atit Shah with Baker Tilly, a national accounting and advisory firm that is serving as Palo Alto’s city auditor.
And the city might look like a good target for a ransomware attack because of “the status of the city — it draws a lot more interest, because of who’s there,” Shah said. “Some of your residents, things of that nature.”
Shah’s comments came last month during a meeting of the City Council’s Policy and Services Committee. The committee reviewed an Information Technology Risk Management Assessment report prepared by Baker Tilly.
City Council is scheduled to vote Nov. 29 on whether to accept the report. The item is on the council’s consent agenda, in which several items are typically voted on at the same time without discussion.
The city has day-to-day controls in place to reduce IT risks, according to the report, but it hasn’t formalized its procedures to address the risks. Cybersecurity is one concern, as are database management and disaster preparedness and recovery.
“Gaps may still exist for unidentified IT risks, resources may not be prioritized to higher risk or strategically aligned areas, and senior management or oversight bodies may not receive timely awareness of risks affecting the city,” the report said.
Other cities have been hit
The report comes as a growing number of cities of all sizes have been hit with ransomware attacks, in which hackers lock down files on a city’s computers. The cities of Atlanta and Baltimore have been hit, as have Pensacola, Fla., and Wilmer, Texas.
In 2019, 113 state and municipal governments and agencies were victims of ransomware attacks, according to Emsisoft, a company that monitors the attacks.
Cities can pay the hackers a ransom to restore the files, or try to fix the system themselves at a cost that may run into millions of dollars while disrupting resident services.
In Palo Alto, the report from Baker Tilly rated the city’s risk as “high” when it comes to hackers breaking into the system and planting malware. The rating is based on the likelihood of an event occurring and the impact to the city if it does.
Another area of high risk is management of mobile devices, such as cell phones. The city is working on replacing mobile devices whose data can’t be deleted or “wiped” if they’re lost or stolen. The report recommends that the city prioritize replacing the devices that can’t be wiped.
“The inability to wipe mobile devices that have been lost or stolen may result in the unintentional disclosure of confidential organizational data to a malicious attacker,” the report said.
The city takes steps to protect data, such as credit card or health information, but hasn’t finalized a policy for classifying data it collects, according to the report. It recommends that the city formalizes the policy and catalog all of its data.
The city also has not formalized a disaster recovery plan, even though a plan was developed in 2014. The auditor’s report recommends revisiting and updating the plan to include a business impact analysis and details such as how to communicate and get into buildings following a disaster.
“Lack of a tested recovery plan may result in the inability for the city to respond in the event of a disaster and the disruption of operations and resident services,” the report said.
In detailing the areas of IT risk, the report included a spot for listing the city’s current practices. However, that area is left blank in the version of the report released to the public.
Areas of high risk don’t necessarily mean the city is doing something wrong, Kyle O’Rourke with Baker Tilly told the Policy and Services Committee last month.
“If something is high-risk, it’s not necessarily an indication that there’s an internal control weakness or operating effectiveness issue,” he said. “Rather there could be inherent risks associated with that category that might lead it to be high risk.”
During the committee’s meeting, Councilman Greg Tanaka asked how much of the city’s data is stored in the cloud, where it might be more secure, rather than on servers on city premises.
Darren Numoto, the city’s IT director, said “a very high percentage” of data remains on city premises, including information from budgeting, public works, finance and attorney offices. The city uses cloud-based Microsoft applications, and Numoto said he envisions moving toward a hybrid system of on-premises and cloud storage.
Even if data moves to the cloud, the city must still manage it, Numoto said. And the cost of cloud storage is based on usage and can be high, he added.