A recent audit of the Town of Horseheads’ information technology infrastructure has exposed serious cybersecurity weaknesses that could leave the community vulnerable to data breaches and system failures. The audit, conducted by the New York State Comptroller’s Office, reviewed the town’s IT practices from January 2024 through early 2025 and identified multiple critical issues.

Unmanaged User Accounts and Security Risks

The audit found that the town had 28 enabled network user accounts and five local user accounts across the computers reviewed. However, auditors identified 12 network accounts that were not assigned to specific personnel and two accounts shared by multiple users. Additionally, five accounts were still active despite being assigned to former employees who had left the town between 1½ and five years earlier.

Auditors warned that these unassigned, shared, or inactive accounts pose a significant security risk. Attackers could exploit them to access sensitive information or systems, potentially leading to data breaches or operational disruptions. ‘Unused or shared accounts can create security risks because attackers could use them to access sensitive information or systems,’ the report stated.

Lack of Formal Contracts and Contingency Planning

Another major finding was the town’s failure to have a written contract or service-level agreement with its outside IT vendor, despite having paid $14,790 in 2024 for services such as system maintenance, antivirus monitoring, and data backups. Auditors emphasized that the absence of a formal agreement could leave the town without clear expectations or accountability for the vendor’s performance.

Emergency preparedness was also a concern. The audit noted that the town had no written IT contingency plan explaining how staff should respond to disruptions such as cyberattacks or system failures. While the IT vendor performed nightly data backups and auditors confirmed a successful restoration, the lack of a formal plan could slow recovery efforts during a major incident.

‘Although the IT vendor performed nightly data backups and auditors confirmed a backup had been successfully restored, the report said the lack of a formal plan could slow recovery efforts during a major disruption,’ the audit found.

Employee Training and Awareness

The audit also revealed that none of the 18 employees with access to the town’s network had completed IT security awareness training. State officials emphasized the importance of such training in helping employees recognize threats such as phishing emails, malicious downloads, or unauthorized access attempts.

‘Training is critical to help employees recognize threats such as phishing emails, malicious downloads or unauthorized access attempts,’ the report stated. The audit issued five recommendations, including adopting written policies for user account management, establishing a formal contract with the IT vendor, developing a thorough IT contingency plan, and providing cybersecurity training to employees.

Town officials said they reviewed the findings and plan to develop a corrective action plan to address the issues identified in the audit. ‘We take these findings seriously and are committed to implementing the necessary measures to strengthen our IT infrastructure,’ a town representative said in a statement.

The audit highlights the growing concern over cybersecurity vulnerabilities in local government systems. Similar issues have been reported in other municipalities across New York and the United States, highlighting the need for improved IT security practices at the local level. With cyber threats continuing to evolve, the lack of preparedness in Horseheads could have real-world implications for residents and local services.

As the town moves forward with its corrective action plan, the next steps will involve evaluating the effectiveness of new policies, ensuring compliance with state guidelines, and providing ongoing training to employees. The timeline for full implementation is not yet clear, but officials have indicated that the process will be closely monitored to ensure all security gaps are addressed.