State auditors found multiple cybersecurity weaknesses in the Town of Horseheads, including unmanaged user accounts, a lack of employee training and no written plan for responding to technology disruptions.
The audit by the New York State Comptroller’s Office reviewed the town’s information technology practices from January 2024 through early 2025.
Auditors concluded that town officials did not adequately manage network and local user accounts, develop an IT contingency plan or provide cybersecurity training to staff.
The report found the town had 28 enabled network user accounts and five local user accounts across the computers reviewed. Auditors identified 12 network accounts that were not assigned to specific personnel and two accounts shared by multiple users.
Five additional accounts were originally assigned to former employees who left town employment between 1½ and five years earlier but were still active on the network.
Auditors warned that unused or shared accounts can create security risks because attackers could use them to access sensitive information or systems.
The town also paid an outside IT vendor $14,790 in 2024 for services such as system maintenance, antivirus monitoring and data backups. However, auditors found the town did not have a written contract or service-level agreement with the vendor outlining responsibilities or performance expectations.
Another major finding involved emergency preparedness. The town did not have a written IT contingency plan explaining how staff should respond to disruptions such as cyberattacks or system failures.
Although the IT vendor performed nightly data backups and auditors confirmed a backup had been successfully restored, the report said the lack of a formal plan could slow recovery efforts during a major disruption.
Auditors also found none of the 18 employees with access to the town’s network had completed IT security awareness training.
State officials said training is critical to help employees recognize threats such as phishing emails, malicious downloads or unauthorized access attempts.
The audit issued five recommendations, including adopting written policies for user account management, establishing a formal contract with the IT vendor, developing a comprehensive IT contingency plan and providing cybersecurity training to employees.
Town officials said they reviewed the findings and plan to develop a corrective action plan to address the issues identified in the audit.
FingerLakes1.com is the region’s leading all-digital news publication. The company was founded in 1998 and has been keeping residents informed for more than two decades. Have a lead? Send it to [email protected].