"People are the weakest link here," said Aurora's cyber and technology director.
Which is why city officials are looking to increase training and get an additional anti-virus module as part of an additional $336,697 added to the $3.2 million contract the city has with Chicago-based Data Defenders, LLC, a computer security firm.
The additional money would expand the scope of managed security services beyond the original contract.
The expanded security is in part a response to a phishing attempt in the city's email system last November, although it includes other things, like the additional training.
At the time of the phishing attack, technical controls were implemented to end any access by the attacker, according to city staff.
The City Council Finance Committee recommended the additional money for the Data Defenders contract. This week, aldermen meeting as a Committee of the Whole wanted to make sure the additional money would get the job done.
The money would bring the entire contract to no more than $3.54 million during its five-year length.
"I understand you cannot cover everything, because technology moves too fast," said Ald. Edward Bugg, 9th Ward. "But is a general phishing attack going forward going to be covered?"
Bugg was concerned the next attack would mean even more money for the city, and Mayor Richard Irvin said Bugg's inquiry was "a reasonable question."
"We're already paying $3.2 million; what do we get for that?" Irvin said.
The original contract with Data Defenders was $1.6 million, but the city doubled that to $3.2 million about a year ago. That allowed the city to have a 24-hour, seven-days-a-week set of eyes on all the city's technology systems.
The city was responding to a situation in Florida where a hacker broke into a system for a countywide water facility and changed the mix of hydrochloride in the water. An operator noticed the change before it went online, or it could have been catastrophic.
Jeff Anderson, deputy information technology director, said if another incident happened, the city would use the tools it already has to do what's called an "after-action," looking at what happened and how to stop it.
He said with the additional money, the city would have additional tools. But he added there is no guarantee the city will not need more.
"We are following best practices," he said. "We will try and contain anything that might happen."
The additional money also would cover a security training module for all city staff, and a subscription to an anti-virus module. Karumuri said these things had been provided in the past by another vendor, and getting them from Data Defenders would be cheaper, actually saving money.
Irvin said he understands Karumuri's statement about people being the weakest link. He admitted he has fallen prey to training tests sent by the companies testing city employees.
"I can tell you, I don't always pass," he said.
© 2022 The Beacon-News (Aurora, Ill.). Distributed by Tribune Content Agency, LLC.