Reston Association details technological mishaps that led to $46K in extra costs

Reston Association has acknowledged that technological mishaps resulted in tens of thousands of dollars in additional expenses.

The organization described how it’s working to prevent those types of incidents following a cybersecurity review by information technology professionals with Wipfli, a consulting firm that the organization is using.

The recreational services organization created an IT committee in March that met for the first time last week. RA says that upgrades put in place in 2020 and recommendations it pursued from an assessment report from Wipfli will help mitigate the risk of similar incidents.

“The security of personal information is and remains our top priority and these new processes and protocols will help safeguard our information,” RA said in a statement. “Additional security initiatives will continue to be explored in 2022 with the assistance of RA’s new Board Information Technology Committee.”

Issues with RA’s technological framework and IT practices drew some board scrutiny early last year.

Incidents cost RA an extra $46,000

As part of the IT review, the association recently described three costly problems in recent years.

One incident involved a compromised Microsoft email account that resulted in a loss of over $187,000 in December 2020. That amount was recovered through insurance policies, though, but RA had to pay a $10,000 deductible.

Reston Now previously reported that it involved then-CEO Hank Lynch’s account, according to a board member.

Earlier that year, an individual also accessed the RA website and embedded malware, making the website lose functionality and member access to information.

The organization used a national law firm, BakerHostetler, to investigate, and directed Crypsis to conduct a forensic investigation, showing that members’ personal information was not exposed.

Insurance covered the costs, aside from a $10,000 deductible. That led to the association replacing its website with an interim site through Squarespace.

“The rating on that is yellow,” Kraus said, adding that the website is more of a billboard, though than an interactive portal for members.

Also, a server crash in 2019 led the organization to shift to cloud-based storage. On-site hard drives failed that contained financial data and vehicle fuel log data, requiring the association to around $26,000 in additional costs.

Ratings, recommendations given for IT practices

The assessment review found the organization is reactive — but not chaotic — in four areas: constituent-facing services, IT governance and benchmarking, cybersecurity, and IT vision. Wipfli also found that RA is proactive — but not optimal — in two areas involving Microsoft 365 deployment as well as roles and responsibilities of its managed service provider.

“We rate these key areas from red, yellow, green, blue, to white,” Joseph Kraus, a chief information officer advisor with Wipfli, told RA’s board of directors last week, noting the review showed RA having green and yellow statuses. “Most organizations we evaluate are largely red, yellow, and some green.”

RA’s visual report card, consisting of green and yellow reviews, is not that bad, though, Kraus said, noting it’s rare to be blue or above.

The results come after the organization’s chief information officer, Clara William, resigned in August, just short of two years on the job.

A Wipfli employee, Michael Lockett, began as a virtual chief information officer for RA in November and helped the organization with operational improvements.

He’ll be working with the IT committee to act as a partner with the organization, approve projects, create baselines for communications, and assist RA with other areas.

Wipfli’s assessment also included a roadmap of solutions. Among those recommendations, it said RA should decide if a full-time IT director is needed or if a service should be used. RA currently has two IT staff.