City and Town

Post date: Mar 18, 2016 4:13:25 PM

In this Issue:

Leveraging the Power of Data

Happy St. Patrick's Day!

It's now been just over a year since I began my tenure at the Division of Local Services. Having served as a local official, I interacted regularly with DLS in a number of ways over the years, combing through data, reviewing best practices, obtaining opinions from the Municipal Finance Law Bureau, and depending on Bureau of Accounts and Bureau of Local Assessment field staff to work with the finance team we had in Brookline in order to get the tax rate approved. However, it wasn't until I came on board that I was able to appreciate the scope of work DLS is tasked with and the many ways in which we help municipalities achieve and maintain financial stability.

It is because of this combination of regulatory responsibilities, the depth and breadth of our municipal finance data, and the knowledge of our staff that I believe we have the capacity to provide significant insights and direction to municipalities that will allow them to recognize potential challenges and address them before they impact the overall fiscal health of a community.

I strongly support using data as a means to drive municipal innovation and address potential financial pitfalls and challenges, and this will be our focus at DLS in the coming weeks and months. To that end, we will provide additional tools and support best practices that utilize data. Here's how we'll do it.

351 Report

Still in early development, I envision this report as a way to utilize a set of standardized metrics and variables (for example, receivables, reserve levels, debt, new growth, etc.) to provide a useful snapshot of a community's fiscal health. It will have broad utility as an information tool. As we found with the improvements to our website, particularly with our databank reporting tools, data visualizations project information in a way that can be reviewed and interpreted by a broad range of people from local officials to residents.

Increased analytic review and data analysis in City & Town

These types of pieces in our municipal finance e-newsletter take the most time and effort from our staff, but they are extremely beneficial to our partners in municipal government. Judging from past survey results, statewide trend analyses and articles that comprehensively review data are exactly the types of articles our readers appreciate. Our dedicated staff is committed to providing these types of contributions to our publication, and I thank them for that as we move forward.

Web-based tutorials

For quite some time, we've heard feedback from across the state regarding the need for more online tutorials and information. As part of these efforts and with the goal of one day providing a fully online version of our Assessment Administration: Law, Procedures and Valuation (aka Course 101) seminar, I'm pleased to announce that we've taken the initial step toward this goal with our new Proposition 2 1/2 YouTube videos. We'll be rolling out more of these informational vignettes over the coming year, but, for now, take a look and feel free to access the videos as you see fit!

I welcome and appreciate your feedback. If you have ideas for articles and analyses you'd like to see, as always, I'd like to hear from our colleagues in local government as we go forward. If you have any comments or suggestions, please pass them along by emailing me at croninse@dor.state.ma.us. Thank you.

Sean R. Cronin

Senior Deputy Commissioner of Local Services

Protecting Your Computer Network from Malware and Ransomware

Susan Whouley - Bureau of Accounts Analyst, Kirsten Shirer-Taylor - Director of Information Technology and Tony Rassias - Bureau of Accounts Deputy Director

Maintaining the public trust is of paramount importance at all levels of government. In our digital world, this means safeguarding a tremendous amount of data - a task that is increasingly difficult, as a number of Massachusetts communities are well aware after having their IT infrastructure attacked by cybercriminals.

This article includes tips on how to protect your IT resources from cybercrime and shares one town's experience dealing with a specific ransomware attack.

Malware

Malware, short for malicious software, is a general term for any software installed by a cybercriminal to disrupt computer operations or gain access to computer systems or information with malicious intent. Malware comes in a variety of forms (viruses, worms, trojans, ransomware, spyware, adware, scareware, and others) and is often embedded in email or disguised as a common file like a Zip file or PDF.

Recent Reports

In one well-publicized report, hackers attempted to gain access to a Massachusetts town's finances in an attempt to transfer $4 million from its bank accounts to several overseas and domestic banks. Keylogging malware on a town computer and a deceptive phone call to a town office gave the criminals enough information to make the attempt, which was ultimately stopped by the town's financial advisory service with no financial loss. The town appropriately responded to this event by hiring a consultant to perform a security audit of its entire IT system, after which improvements were made to both IT infrastructure and internal policies.

Another common threat is a ransomware attack where cybercriminals use email to deliver and install a malicious program like CryptoLocker or WinLocker to lock screens or encrypt and lock important files. In several Massachusetts communities, CryptoLocker infections have effectively disabled departmental or entire computer systems, sometimes including backup systems, with criminals demanding ransoms between $300 and $750 payable in Bitcoin (a form of digital currency) in exchange for unlocking the files. In most cases, after numerous unsuccessful attempts to unlock the files, the communities were forced to pay the ransom to regain access to mission-critical data. In those cases, the data was successfully restored after payment. For contrast, the story of one community that chose not to pay the ransom follows.

We've been hacked!

The town of Royalston discovered a notice on a town computer stating that the computer's files had been encrypted and that a $300 ransom must be paid within 72 hours or else files would be destroyed. The attack is presumed to have begun by the opening of an infected email.

Having never been attacked by such a virus before, the town wasn't fully prepared. The town was fortunate, however, in four ways:

    1. The computer was connected to the Internet only and was not networked to other computers in town hall;

    2. The computer was used for administrative operations and did not contain personal, financial or other critical information;

    3. A backup existed to recover the user's email; and

    4. The town had a computer expert nearby.

Jon Hardie, husband of town tax collector Rebecca Krause-Hardie and an IT expert whose background includes serving as the Director of Technology Initiatives for the Nellie Mae Foundation, advised the town to disconnect the computer from the Internet but to leave it turned on until he arrived at town hall. According to Jon, "Ransomware sends an encryption 'key' to the infected computer that can unlock files after a ransom is paid. Turning off the computer deletes the key or sends it back to the hacker and any option to pay the ransom is probably lost."

While Jon worked on the infected computer, Rebecca sent an email from her computer to all town staff warning them not to open any emails sent from anyone they didn't know, especially one entitled "admin," which they suspected was the source of the malware.

Town administrative officials then quickly met to determine their options. There were few: either pay the ransom and hope the files would be unlocked with no further complications or don't pay the ransom and attempt to rebuild files.

They decided not to pay. Jon arrived with a USB thumb drive containing software designed to combat ransomware, which he downloaded and installed on the infected computer. After much time was spent, the computer's files were successfully reconstructed.

To guard against future incidents, the town instituted the following changes:

    • New firewalls were created;

    • Antivirus software with automatically renewing licenses was installed on every non-networked town computer;

    • Additional file backups were put in place;

    • More complex passwords were required; and

    • Staff was trained in proper computer use.

In addition, Jon was hired as an IT consultant to continue the process of risk management. The Board of Selectmen added support by distributing policies concerning appropriate use of town computers and by making funds available for implementing security improvements.

Protecting Municipal Digital Assets

Protecting your computers and network infrastructure should be a group effort, because no one person or department can provide complete security against malware and ransomware. In addition to the steps taken by Royalston, DLS recommends these best practices to protect your computers and network against malware:

  • Be proactive: identify an individual or committee to spearhead efforts for improving cybersecurity, and commit to providing adequate financial, political and human resources. Don't wait for a worst-case scenario; plan for it now.

  • Use the services of a professional IT consultant or company if you don't have IT pros on staff.

  • Keep all computer operating systems up to date.

  • Ensure that firewalls and Internet security software are in place and kept up to date.

  • Include cybersecurity in any risk management program or exercise.

  • Develop and implement a comprehensive backup and recovery strategy.

  • Regularly test backups to make sure critical files can be successfully restored.

  • Allow users to download and install files only when necessary.

  • Educate users early and often on the importance of following "safe browsing" and other acceptable use policies.

  • Limit the use of municipal computers to municipal business. Give municipal users email accounts on the city/town domain to eliminate the need for using personal email accounts.

  • Enable the built-in security tools available in all major web browsers and keep the browsers updated.

  • If the worst does happen, alert local law enforcement so steps can be taken to try to identify the criminals.

Read More about Malware, Ransomware and Related Topics

FBI Cyber Crimes Stories

New E-Scams and Warnings

File an Internet Crime Complaint

Taking Steps to Protect Privacy and Control Losses

The authors would like to thank Jon Hardie and Rebecca Krause-Hardie of Royalston for their contributions to this article.

FY17 TAP Enrollment Deadline is March 31st

Bob Bliss - DLS Regional Manager and Director of Strategic Planning

Time is running out for cities and towns to enroll in the Division of Local Services' Taxpayer Assistance Program (TAP), the initiative designed to help municipalities set their property tax rates earlier. Enrollment ends March 31.

If the thought of setting a tax rate in December is not your idea of a holiday celebration, then TAP may be the solution. The program is designed to increase communication between your community and DLS and, equally important, to improve communication among your finance and assessing teams.

Who might this program benefit?

  • Local officials whose pleasures do not include scrambling to print and mail tax bills in the week between Christmas and New Year's

  • Finance officials who would like to spend December getting their ducks in a row for upcoming budget preparations rather than sweating out a December 31st photo finish to get the tax rate set

  • City and town managers and CFOs who would like to see their finance and assessing teams pulling in the same direction at the same time

TAP provides a framework for communities that see the advantages of setting their tax rate earlier.

Each TAP community meets with field representatives from the DLS Bureau of Accounts and Bureau of Local Assessment to create a work plan that lays out a schedule for setting a tax rate in November - or earlier - rather than in the December rush. Those meetings will take place in April and May.

The work plan lays out a community's proposed schedule to reach that goal. The goal is set by the community, not by DLS.

Does TAP work? In the FY16 tax rate setting season, 25 communities enlisted. Nineteen set their tax rates earlier than in previous years. Those results indicate that enrollment in TAP brings with it the promise, if not the guarantee, of getting your tax rate approved earlier.

TAP proved valuable in FY16 for certification as well as non-certification year communities. Of the eight communities in certification, seven set their rate earlier than they had done in their previous certification year.

Local officials whose communities enrolled in TAP last year attest to the program's effectiveness and value.

Timothy J. Harrison, Town Accountant in Sutton, said, "We believe the program helped the town set goals and to attain these goals for all departments involved."

William G. Naser, Chief Assessor for Framingham, said, "Being in TAP made the finance area gear up early and have work done by specified dates...We set goals with our vendor, and they were happy to get it done early too. I'm happy to say we achieved all our goals with a team effort; all the way from the valuation vendor to the Selectmen adjusting to a before Thanksgiving classification hearing. It was really nice to be done with the full process by December 2nd."

Thomas F. Zidelis, Chief Financial Officer of Worcester, said, "In a time of fiscal austerity, at both the state and local level, the efficient coordination of resources has ensured a productive time line in the annual certification of assessed value."

If TAP sounds like something that would work in your community, please contact DLS Regional Manager and Director of Strategic Planning Bob Bliss at (508) 792-7300 ext. 22312 or email blissr@dor.state.ma.us.

New IGRs

DLS has posted on its website the following annual IGRs regarding the form and content of tax bills and cost-of-living adjustments for FY2017.

16-201 Fiscal Year 2017 Tax Bills Semi-Annual Payment System

16-202 Fiscal Year 2017 Tax Bills Semi-Annual Payment System - Optional Preliminary Bills

16-203 Fiscal Year 2017 Tax Bills Semi-Annual Payment System - Annual Preliminary Bills

16-204 Fiscal Year 2017 Tax Bills Quarterly Payment System

16-205 Social Security Deduction for Fiscal Year 2017

16-206 Optional Cost of Living Adjustment for Fiscal Year 2017 Exemptions

16-207 Calendar Year 2016 Adjustment in Land of Low Value Foreclosure Valuation Limit

OSD Announcements

Operational Services Division

A February 17th article featured in Governing Magazine, Purchase Power: A Special Report on State Procurement, outlines the results of a nationwide survey focused on state procurement practices and takes the stance that effective procurement methodologies are fundamental to state governments achieving spending efficiencies. Massachusetts' approach to state procurement of goods and services, managed by the Operational Services Division (OSD), tied for fifth place overall and earned high marks in several focus areas.

Learn more about OSD's approach to procurement and access the Governing Magazine article on OSD's blog.

Sale on Hundreds of Statewide Contract Items in Full Swing

Have you heard? More than 140 statewide contract vendors are offering deals on hundreds of products and services! Review your options to save on things your organization needs in the March 2016 Sales Event Booklet.

A Few Things to Remember

  • All eligible entities may take advantage of these advertised savings. A list of eligible entities is provided in OSD's Statewide Contract User Guides.

  • Include the promo code only when purchasing eligible Sales Event items. Discounts only apply to those offers published in the March Sales Event Booklet.

Get Purchasing Assistance

Whether or not your organization places its purchases through COMMBUYS, you may get March Sales Event purchasing assistance from COMMBUYS Help Desk staff. Email the Help Desk at COMMBUYS@state.ma.us or call 1-888-627-8283.

The sale ends on March 31st. Don't miss out on this unprecedented event!


City & Town is published by the Massachusetts Department of Revenue's Division of Local Services (DLS) and is designed to address matters of interest to local officials.

Editor: Dan Bertrand

Editorial Board: Sean Cronin, Anthonia Bakare, Robert Bliss, Linda Bradley, Nate Cramer, Patricia Hunt, Tara Lynch and Tony Rassias