We put the IT in city®

CitySmart Blog

Tuesday, November 14, 2017
Nathan Eisner, COO

Depending on your state, laws concerning body camera video policy, retention, and open records requests may vary. Last year, we reviewed various state laws and outlined some best practices that would apply no matter where your police department is located.

However, an interesting article from the Kentucky League of Cities (KLC) pointed out some problems that exist when your state law is ambiguous or lacking clear guidance. According to the article:

“...Kentucky is one of the last states to address the need for legislation dealing with when a video recorded with the cameras should be released and who should be able to obtain a copy of the video. The lack of policy could result in fewer departments using the cameras.”

When policies are unclear, assumptions can create liability. As a result, police departments are less likely to use body cameras. Yet, many police departments recognize body cameras as important and it’s probable that a law (such as Kentucky’s House Bill 416) may eventually get passed.

Because we covered best practices in our article last year, there is no need to revisit them here. But, we do want to explore some of the issues and questions raised in the KLC article about body cameras.

1. Clarify body camera video policy to avoid “entertainment.”

In the KLC article, Louisville Police Officer Nick Jilek says, “Unfortunately, in the modern media world the release of body camera footage ends up being passed around social media. Body camera footage should not be used for entertainment purposes, which is what that ends up being, on the nightly news or social media sites.”

Without a clear policy, an open records request may legally expose embarrassing footage to the public. Even if your state lacks clear policies, your city can create body camera video policies around privacy.

2. Define and clarify the scenarios for which footage can be released.

Some states will define when you can release footage. If not, be clear about what situations you’re allowed to release footage and which situations don’t permit it. For example, in Georgia, “The law excludes body camera recordings from public records when they are taken in a place where there is a reasonable expectation of privacy and no criminal investigation is pending.”

3. Define who has the right to view video footage.

Body camera video footage authorization can vary depending on the person requesting it. Is it someone involved in law enforcement? An attorney? A family member of a deceased victim? The media? A citizen? Define rules around who can view what. For example, Arkansas has detailed rules that explain who can see video footage if a police officer is killed in the line of duty.

4. How do you answer time-intensive open records requests?

In the KLC article, Representative Robert Benvenuti (R-Lexington) is quoted as saying, “We cannot create a situation where officers are being pulled off the road to sit for hours and hours editing footage or redacting footage. We need them out on the road, protecting all of us, not sitting behind a desk trying to interpret the Open Records Act.”

However, the reality is that if a law says you must provide the record, then you must provide the record. To prevent the hassle of officers getting tied up in heavy, tedious video editing and redacting, additional staff may have to address this issue. That way, your officers can stay focused on their job while additional staff can help with the video archiving aspects of open records responses.

5. How do you keep costs low?

The KLC article goes on to summarize the thoughts of Campbell County Sheriff Mike Jansen who said “small departments like his worry about the costs. He told lawmakers the expense goes beyond buying the cameras, into storage fees and equipment and hiring additional personnel for editing and answering requests.”

Obviously, storage costs can grow high because of the sheer amount of video footage needing storage. Each police department is different and may require a customized solution that works for them. In some cases, a cloud storage option is best. In other cases, storing data in-house makes more sense. A good option that’s available and popular with cities is video archiving that includes unlimited storage at a fixed cost. That makes it easier to keep costs low and predictable. This solution also forms part of a city’s disaster recovery plan and ensures that video remains available even if a disaster (such as a fire or flooding) hits a city.


Despite the complexity of body camera issues, a well-thought-out plan that accounts for policy and technology can alleviate most of your worries.

Questions about your body camera video policies and technology? Reach out to us today.

Tuesday, November 07, 2017
Dave Mims, CEO

A recent article in CSO Online talked about some confusion between disaster recovery and security recovery. The article’s opening sentences state that “Many enterprises blend their disaster recovery and security recovery plans into a single, neat, easy-to-sip package. But does this approach make sense?” Analyzing the differences between the two, the article goes on to outline why it’s important to separate them out.

If we take a step back, this topic represents a bigger confusion about the holistic nature of IT. Information technology sometimes seems like it’s just about computers, software, networks, bits, and bytes. Best practices, policies, people, and other non-technical aspects of IT are often forgotten and too commonly unconsidered, which creates great risk for cities.

Limiting your IT scope will increase risk and liability for your city. Therefore, consider IT like a tripod—and stand firmly upon these three legs to address any real risks you may be overlooking.

1. Proactivity

What’s the easiest way to know if your IT is successful? Proactivity. A reactive IT environment is usually fraught with chaos. There is always a hot fire, issues are always very bad issues, and security risks are wide open. Shifting to a more proactive mindset literally transforms the way cities operate and work.

Proactive IT involves:

  • Policy: If you need a quick reference, we’ve talked a lot about security policies in past blog posts. Policies should cover vendor contracts and management, network security, wireless security, physical access security, logical access security, disaster recovery, and application controls (such as data input, processing, and output).
  • Processes: IT runs more like a machine when you have documented processes. Processes also reduce errors, decrease security risks, and allow for faster learning curves when new people must administer and use your systems.
  • Technology and Tools: IT professionals should use monitoring software that continually assesses the health of your systems and proactively detects issues that need resolving.

2. Employee Training

No matter how sophisticated your IT systems and how experienced the professionals who oversee them, your employees must use technology properly and protect themselves from constant security attacks. Ongoing training is essential, especially as security threats evolve.

Training should include aspects such as:

  • Spotting email phishing attacks: Email phishing attacks grow more sophisticated as hackers target specific people within cities to steal money or gain access to confidential, sensitive information. Employees need to know the signs of malicious emails and learn how to be skeptical.
  • Avoiding malicious websites: Employees are human. They like to download games, take quizzes, and visit websites that interest them. However, many websites mislead people to get them to download malware, viruses, and ransomware. While browser security can help block some websites, employees need to be trained on what to watch for as they visit webpages on the internet.
  • Social engineering by phone: Today, hackers are leveraging all means to steal and destroy your data for their financial gain, including the phone. A hacker that’s good at social engineering may trick you into thinking they are a city employee. From there, they may gain information they need to steal an employee’s identity or take over an employee’s email account. Employees must follow strict procedures when vetting people over the phone or email to know when it’s appropriate to give information away.

3. Data Backup and Disaster Recovery

The final leg of the tripod prepares you for the worst. In case of an incident, whether it’s a server failure or a tornado that destroys a building, you need the ability to recover your data. Data backup is also crucial for security incidents such as ransomware where a hacker encrypts your data and demands a ransom from you to get it back. Instead of paying the criminal, you are prepared and able to recover your data.

A good data backup and disaster recovery solution includes:

  • Onsite data backup for quick recovery after less impactful events like a server failure.
  • Offsite data backup for worst-case scenario recovery after a major incident like a natural disaster or a massive virus outbreak.
  • Periodic data backup testing to make sure you will be able to recover your data after a disaster. So many cities do not test their data backups, and those backups may fail when you need your data most.

Use this post to assess if you’ve got the full IT tripod. If you are missing one or more legs, then you might feel a bit wobbly. Make plans to fix those areas as soon as possible. When you do, you will increase your operational capabilities while decreasing security risks and liability.

Need help building your tripod? Reach out to us today.

Tuesday, October 31, 2017
Sarah Northcutt, Account Manager

It’s still tempting for cities (especially smaller cities) to roll up their sleeves, purchase some software to fill a basic need, and install it themselves. After all, there can’t be much to worry about. You don’t need IT professionals for that, right?

Wrong. As much as we admire a “go get ‘em” attitude, even the “simplest” software improperly installed can open you up to major security risks. As an example, Bitdefender published a recent article that described how lax security settings led to a sophisticated phishing attack against an Office 365 system that tricked users into giving up their usernames and passwords.

As the article warns:

“...this isn’t the case of a hacker forging your email headers to pretend that the messages they are sending are coming from your business’s servers. They really are originating from inside your company’s email system. A compromised business email system. If you don’t act now to harden your defenses and make it difficult for an attacker to breach your Office 365 system via this technique, then you have a ticking time bomb on your hands.”

This warning applies not only to Office 365 but any software that you may attempt to install yourself. Here are some reasons why you need IT professionals to install, configure, and maintain even your most “basic” software.

1. Advanced administrative capabilities help IT professionals smoothly monitor and maintain software.

Today, quality software includes sophisticated administrative management tools that IT professionals understand how to use. For example, email software may include settings that involve storage limits and antispam filters. Document management software may include settings that involve retention schedules or permissions to access files. There are even administrative tools to manage compliance and user activity. All these administrative tools help IT professionals resolve issues, keep your city secure, and make sure you stay compliant with any laws and policies.

2. Security and privacy settings need careful attention.

When non-technical users set up their own software, it’s typical to find that the security settings are left at their defaults. All too commonly, we also find that non-technical users have set up full access and administrative rights for themselves and other users. This creates great risk. As a result, security needs to be tight.

IT professionals can navigate advanced security settings to help you with:

  • User access and authorization
  • Password management
  • Two-factor or multi-factor authentication
  • Encryption
  • Monitoring suspicious activity
  • Taking specific actions after a security incident

3. Remote access needs careful attention.

Non-technical people often unknowingly give unsecured, open access to their networks through software. Whether your staff uses their own laptops, smartphones, or tablets to access software, danger exists if sensitive or confidential information gets stored on those devices. Suddenly, you’ve increased your risk of a data breach nightmare.

Solutions like a thin client, application streaming, or a VPN along with device and data encryption need to be considered when giving users remote access. These solutions avoid problems related to data leakage or theft while only giving users access to necessary aspects of the software for their work use.

4. Improper software installation and deployment can lead to security issues.

While this may seem the same as the second point above, it goes beyond simply setting up the software. When you install software, you’re installing it on servers and computers that may be unsecured or configured improperly. And when you deploy software, you are activating it within a network of switches, routers, and firewalls that may have security issues. Many variables exist when software interacts with an IT environment. IT professionals are familiar with such complex environments and can avert security issues related to installation and deployment.

5. Failure to patch and update software leaves you open to hackers.

This year, something that used to get treated as a technical, menial task has become part of front-page headlines in mainstream news publications. Why? Failure to patch and update software is at the root of companies losing data to ransomware (such as the WannaCry attack earlier this year) and even at the heart of the Equifax data breach—one of the biggest and most devastating data breaches ever.

Software vendors regularly put out patches and updates but many organizations—including many cities—fail to apply those patches and updates. That failure leads to gaping security holes that hackers exploit. Their attacks lead to data breaches and data loss.


Maybe you could go it alone in the old days of technology, but today you need IT professionals to help you set up your software. Despite your natural technical know-how, there are just too many security risks that a non-technical employee may miss when setting up software.

Need help installing, deploying, monitoring, and maintaining your software? Reach out to us today.

Tuesday, October 24, 2017
Brandon Bell, Network Infrastructure Consultant

In the wake of a natural disaster such as a hurricane, scams are as inevitable as the selfless help offered by generous people. A recent article from GovTech reported on a sharp increase in scams after Hurricane Harvey that led the IRS to issue warnings. According to the article:

[These] criminals often send emails that steer recipients to bogus websites that appear to be affiliated with legitimate charitable causes. These sites frequently mimic the sites of, or use names similar to, legitimate charities, or claim to be affiliated with legitimate charities in order to persuade people to send money or provide personal financial information that can be used to steal identities or financial resources.

This situation reminds us of an ongoing issue that cities must battle all the time: phishing attacks. Today, phishing attacks don’t take place just through email. Criminals also use the phone and social media to get important information from you (like personally identifiable information and even passwords). With that information, they can hack into your accounts, steal identities, or upload viruses and ransomware into your systems.

Employees are at the front lines of these attacks and it’s always good to remind them of ways to spot—and avoid—phishing attacks.

1. If you’re suspicious about an email, then open your browser and go directly to a website instead of clicking on a link.

Let’s say you get an email from a bank and you’re not 100% sure that it’s legitimate. Instead of clicking on the email link, go to the bank’s website directly from your web browser. That way, you will make sure that you are logging into the website legitimately and you can check if the message in the email actually pertains to your account.

Unless it’s extremely obvious that an email is okay, make it a habit to go directly to websites—especially when the information you exchange with them is sensitive. Good examples are banking websites, social media websites, or any websites where you make financial transactions.

2. Question email messages and be skeptical.

We recently published an interview with Stephanie Settles of Paris, Kentucky who successfully detected a whaling attack (an advanced phishing attack where a hacker targets a specific employee, typically a manager or personnel responsible for financial or purchasing decisions, with a sophisticated message to fool them). Her skepticism helped her detect the attack when the supposed city manager’s emails sounded a little off.

Even if an email says that it comes from a person you know, don’t assume it does. Spammers can spoof an email address to make it appear as if it’s coming from a specific person. That’s why examining the email message is so important. Look for misspelled words, broken sentences, irrelevant content, and other red flags. Look at the email address before you reply. Look at the link URL before you click it. And if you have any doubt about an email, contact the person directly to confirm that they sent it.
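The manual checks above (sender address, reply address, link URL) can also be automated at the mail gateway or in a training tool. The following is an added example, not code from this post: the staff directory, domains, and sample messages are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a directory of real staff addresses (constructed values).
KNOWN_STAFF = {"pat morgan": "pmorgan@cityofexample.gov"}

# Visible link text that itself looks like a URL or a bare domain.
URLISH = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL or URL-looking text ('' if none)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def same_site(a, b):
    """True when one host equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def review_message(raw):
    """Return (code, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    expected = KNOWN_STAFF.get(display.strip().lower())
    if expected and addr != expected:
        findings.append(("DISPLAY_NAME_MISMATCH",
                         f"'{display}' normally writes from {expected}, not {addr}"))

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != addr.rpartition("@")[2]:
        findings.append(("REPLY_TO_DIFFERS", f"replies would go to {reply_to}"))

    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    for href, text in collector.links:
        if URLISH.match(text) and not same_site(host_of(text), host_of(href)):
            findings.append(("LINK_MISMATCH",
                             f"text shows {host_of(text)} but link goes to {host_of(href)}"))
    return findings


# Constructed sample: a message posing as a known staff member.
SAMPLE_SPOOFED = """\
From: "Pat Morgan" <pat.morgan@cityofexample-gov.example>
Reply-To: accounts@payments-desk.example
To: clerk@cityofexample.gov
Subject: Urgent wire needed today
Content-Type: text/html; charset="utf-8"

<p>Please review the invoice at
<a href="http://login.vendor-portal.example/invoice">https://www.cityofexample.gov/invoices</a>
before noon.</p>
"""

# Constructed sample: the same request sent from the real address.
SAMPLE_CLEAN = """\
From: "Pat Morgan" <pmorgan@cityofexample.gov>
To: clerk@cityofexample.gov
Subject: Invoice for review
Content-Type: text/html; charset="utf-8"

<p>See <a href="https://www.cityofexample.gov/invoices">cityofexample.gov/invoices</a>.</p>
"""

if __name__ == "__main__":
    for code, detail in review_message(SAMPLE_SPOOFED):
        print(code, "-", detail)
```

A clean result does not prove a message is legitimate, because a compromised internal mailbox passes all three checks; confirming directly with the sender still applies.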

3. Don’t download attachments unless you are 100% sure they are from a trusted sender.

Email attachments that your co-workers, friends, and family send you as part of your ongoing communications may be fine. However, remain skeptical by following the recommendations above before you open any attachment, click any link, or reply. Especially double check the email address and be on guard for any attachments in emails from organizations or unknown senders. For example, you may receive an email that seems like it’s from a well-known bank that says your statement is ready to review. A PDF is attached, and the email asks you to download it. You do and...your city is now infected with ransomware.

Be very suspicious about emails that ask you to download attachments. Usually, downloading attachments is not necessary to conduct business with a bank, business, or government agency—and it’s not a best practice for these organizations to send you PDFs, zip files, or other documents to download.

4. Be just as wary about social media.

All the above rules apply to social media such as Twitter, LinkedIn, and Facebook. Spammers and scammers use these platforms successfully to trick people, and their tricks may be harder to spot. On Twitter, spammers will often follow you and Tweet messages with spam links that they want you to click. On Facebook, spammers may post spam messages to your wall or send you direct messages with malicious links. And even on LinkedIn, many people that want to “connect” with you are actually false identities. Once you connect, they will attempt to get you to click on malicious links or attachments.

When you’re on social media, stay focused on communicating your messages, don’t click on links or attachments that strangers send you, and delete posts that seem spammy. Follow these 7 tips to secure your city’s Facebook page.

5. Be just as wary about the phone.

As an IT company, why are we giving a tip about answering phones? It’s because hackers use the phone more and more as part of their phishing efforts. As physical and online security has steadily improved over time, it becomes harder for hackers and spammers to pull off a scam through those areas alone. However, they can trick you into giving up passwords or personal information over the phone and then use that information to hack into your website, servers, or bank accounts.

Obviously, cities must answer calls from everyone as part of their service to citizens. Policies need to be in place that govern what information employees can give out over the phone. Just as you need to authorize people to enter your building or access a server, you need to follow an authorization process if someone asks for sensitive information (such as personnel information, a password, or financial information) over the phone.


Spammers and scammers will attack you from all directions. Your city needs to defend against these attacks with strong security policies, procedures, and technology. It helps to train employees and remind them on a regular basis how to spot the signs of a scam so that your city’s security isn’t jeopardized.

Worried about your ability to prevent scammers from infiltrating your city? Reach out to us today.

Tuesday, October 17, 2017
Ryan Warrick, Network Infrastructure Consultant

Today, all of government—including local government—is a target for hackers. Wired recently reported the results of a study done by SecurityScorecard that ranked government 16 out of 18 industries for cybersecurity. According to Wired:

The analysis of 552 local, state, and federal organizations [...] found that the government particularly lags on replacing outdated software, patching current software, individual endpoint defense (particularly when it comes to exposed Internet of Things devices), and IP address reputation...

In this post, we want to focus on modernizing and patching software. These two items were the reason that the WannaCry ransomware virus devastated so many organizations earlier this year.

If patching could prevent so many hacking attempts, then why don’t organizations (including local government) do it more often? According to a Computer Weekly article, patching is viewed as too costly and resource-intensive:

For those organizations where patch management is currently ad hoc at best, developing a policy and framework may seem like another cost that they can do without. However, continuing with ad hoc patching, as and when time and resourcing allows, is wholly inadequate if the organization is to be protected from threats exploiting known vulnerabilities.

The risks and dangers from failing to proactively manage technology patches and updates are simply too great to ignore. Here are five major reasons you need to patch.

1. Information Security

First and foremost, patch to shore up security flaws that are inevitable in any software. Vendors release patches when they discover security flaws and vulnerabilities in their software that hackers can exploit. Without patching, you are more susceptible to viruses, malware, hackers, ransomware, malicious websites, and malicious email attachments.

When discussing WannaCry back in April 2017, we said:

Microsoft released a Windows security patch in March 2017 that prevented WannaCry from affecting an organization. According to CNN, “The ransomware is spread by taking advantage of a Windows vulnerability that Microsoft (MSFT, Tech30) released a security patch for in March. But computers and networks that hadn't updated their systems were still at risk.”

Without applying basic, routine patches, you’re increasing the risk of getting hit by the next major cyberattack.

2. System Stability

Patches also help fix bugs and issues that can affect productivity. Like maintaining a car, software needs tuning and repair. Patches help keep your technology “car” in good driving shape. Otherwise, you may notice your systems slow down to a crawl, crash, or be visited by the blue screen of death. In some cases, not applying patches can actually damage your software configuration and/or data, ruining your investment and interfering with employee productivity.

3. Software Performance

In addition to helping your software simply function, patching also leads to new features and improved performance. Especially today, software vendors continually add updates, features, and functionality that help make your work easier. For example, your word processing software might add features like autosaving or collaborative editing that would assist you in your day-to-day work.

4. Threat of Data Loss

When software breaks, malfunctions, or gets hacked, you risk data loss. Not patching threatens access to valuable data that—without proper data backup and disaster recovery—may get permanently lost. This is especially a risk when you use outdated software that’s not supported any longer by the original software vendor. It’s not unusual to see cities using software that is 8-10 (or more) years old and hasn’t been supported by the software vendor for a long time.

In addition, even having a data backup and disaster recovery solution in place may not work effectively with older, unpatched software. That’s why modernizing and regularly patching software also affects your data backup and disaster recovery strategy.

5. Compliance

If the above four reasons don’t convince you, then compliance should. Plenty of existing and proposed federal and state laws are requiring cities to follow basic cyber hygiene—including patching—to protect sensitive and confidential information. While citizens can choose to share information with businesses, they don’t have any choice about sharing information with cities. As a result, cities absolutely cannot be lax in their protection of that information. Otherwise, lawsuits, public outrage and embarrassment, job termination, and other consequences are possible results from such poor cyber hygiene practices.

While seemingly extremely tactical, patching is a part of compliance as cities make sure they are securing and protecting the information of citizens. As we noted in a recent post:

Federal and state compliance is getting serious. In May 2017, the President signed a cybersecurity executive order requiring departments and agencies to follow the same cybersecurity standards and best practices placed upon the private sector. And Arkansas signed SB138 into law in March 2017. Arkansas cities can now lose their charter from noncompliance with IT-related accounting practices.


To protect your city, you need IT support that helps you guard against cyberattacks by keeping your computers patched, protected, and healthy. Otherwise, you introduce a great deal of risk to your city that can lead to some dangerous consequences.

Are you patching regularly? Are you struggling with the budget and resources to handle this task? Reach out to us today.

Tuesday, October 10, 2017
Dave Mims, CEO

Beginning as a city built up around the SAM (Savannah, Americus, Montgomery) railroad line in 1891, Lyons has grown into a bustling part of the Vidalia Micropolitan Statistical Area while also serving as the county seat for Toombs County. Today, this family- and business-friendly city boasts an award-winning downtown with plenty of events, restaurants, shopping, and entertainment that attracts people from all over the South.

As Lyons continues to grow and serve citizens, its technology backbone needs to support all these efforts. Yet, the city began to reassess its technology costs and support structure—suspecting that it may have been paying too much to too many vendors for uncertain results.

Challenge

In 2015, the City of Lyons began a study to examine its technology costs. At the end of the study, the city uncovered two important insights:

  • Too many vendors: The city had many different vendors that all played some part in managing and overseeing its IT infrastructure. Roles such as troubleshooting, backup and recovery, document management, email, web hosting, telecom auditing, and product management were all split up among these different vendors. Plus, the city also paid three ISP companies each month for various services.
  • Liability risks: The city lacked proper document management and vendor management and, in some cases, did not meet federal or state compliance regulations. For example, the city’s email component was not compliant with open records and security laws. These deficiencies left the City open to liability claims and lawsuits on top of the day-to-day struggles that Lyons encountered with lackluster support from vendors.

It was clear that Lyons needed to make a choice about its technology future. While hiring a full-time IT person seemed tempting, the city’s size, budget, and staffing model did not allow for this option. Instead, the city reached out to vendors that could provide IT services that addressed the city’s challenges.

Solution

After evaluating many vendors, the City of Lyons eventually chose Georgia Municipal Association’s “IT in a Box” service and began working with Sophicity in January 2016. According to Jason Hall, City Manager of Lyons, “What impressed us most with Sophicity was the fact that they seemed to understand more than the others how a city functioned.”

By using GMA’s IT in a Box service, Lyons addressed many of its challenges. The services within IT in a Box included:

  • Vendor management: The city did not have to worry any longer about frustrating calls with vendors about software issues or hardware procurement. In addition, Sophicity reduced costs by reducing the number of total vendors.
  • Document management: City records were now protected, and staff could easily apply record retention schedules.
  • A highly available and dependable email system: The city switched to hosted email on its own city domain that included email archiving, shared calendars and contacts, and 50GB of mailbox storage per user.
  • Help with open records requests: The city was now better prepared for Open Records Requests, and Sophicity helps the city process them.
  • Data backup and offsite data backup storage: Lyons received unlimited offsite data backup storage and retention for disaster recovery and archiving. No longer did staff have to worry about data backup with Sophicity’s real-time monitoring and quarterly testing.
  • 24x7 helpdesk: Sophicity provides 24x7x365 support to city staff in the office, working from home, and on the road. Experienced senior engineers address any IT issue — ASAP.
  • Server, desktop, and mobile management: Sophicity now proactively keeps computers patched, protected, and healthy to guard against cyberattacks—taking this task off the plates of non-technical city staff.
  • A new city website: Lyons received a modern fresh website design with Sophicity hosting the website and managing the content. Plus, city staff can now also edit and update website content themselves.

Results

Hall noted many beneficial results after Sophicity implemented GMA’s IT in a Box.

  • Data backup saved the day: After a major failure of two workstations, Sophicity got the city back up and running within 24 hours while providing city staff with alternative access to documents while those workstations were in the process of being replaced. During this incident, the city experienced no loss of data and they are now confident of their data backup when considering any future worst-case scenarios.
  • The city now easily responds to open records requests: Within just a few days, Sophicity was able to provide the city attorney with some emails that were required during a lawsuit. Hall says, “We would have been at a loss before our partnership with Sophicity.”
  • Sophicity found $900 per month savings from renegotiating telecom and internet contracts: Sophicity reassessed the city’s telecom and internet contracts, which led to a renegotiation of $900 per month in savings. And Sophicity not only reduced costs but they also increased internet bandwidth—leading to faster, higher quality internet service. Hall says, “Sophicity’s technical knowledge when speaking with potential internet service providers allowed us to get superior products for minimal cost.”
  • Modernized hardware for a low price: Sophicity modernized the city’s aging hardware while also carefully negotiating prices that are beneficial for a local government. Aware that cities need to be good stewards of taxpayer dollars, Sophicity also made sure that the city had the hardware needed to improve productivity and citizen services.
  • Cost and productivity improvements with existing software vendors: Sophicity worked with the city’s financial and public safety software vendors to accelerate troubleshooting and find workarounds to ongoing issues that saved the city time and money.

“Regarding Sophicity's day-to-day troubleshooting, their knowledge and timing are impeccable. Most of the time their IT staff can take control of our workstations and fix problems within minutes. More complex problems that require onsite staff are handled in short order. The staff is very pleasant and patient to work with each time we call. We receive calls from them to check up on us from time to time once an issue is resolved. Response time to emails and chats is almost immediate. We are very happy with our choice and feel that the service provided is well worth the monthly fee.” - Jason Hall, City Manager of Lyons

Contact Us Today

If you're interested in learning more, contact us about IT in a Box.

About Sophicity

Sophicity provides the highest quality IT products and services tailored to city governments. Among the features Sophicity delivers in "IT in a Box" are a website, data backup, offsite data backup storage, email, records/document management, video archiving, help with information security policy and compliance, Microsoft Office for desktops, server and desktop management, vendor management, and a seven-day a week helpdesk. Read more about IT in a Box.

Wednesday, October 04, 2017
Brian Ocfemia, Technical Account Manager

Cities—even smaller cities—eventually get to a point when they realize that information technology (IT) needs careful handling by professionals. Non-technical city staff can only do so much with IT, and liability concerns make it essential to hire professionals to address areas like data backup, cybersecurity, and compliance.

However, cities often have limited budgets and want to make sure they invest that money appropriately. A tempting solution is to hire a full-time IT employee. That way, a city will have someone onsite every day to handle IT problems and concerns.

We’re not against the hiring of full-time IT professionals. Sometimes, that can make sense for a city. However, we’ve found through many years of experience that the disadvantages usually outweigh the few advantages for cities.

One of our customers—a city with a population of about 4,500 people—recently told us that they faced the choice between hiring a full-time IT person or contracting with a vendor. When assessing the two choices, many disadvantages cropped up for the full-time option.

Salaries Too High for City Size, Budget, and Staffing Model

While salaries obviously vary around the country, for simplicity’s sake we’ll look at a median salary across the United States. According to PayScale, the median salary for a systems administrator is $60,843. Let’s round the salary down to $60,000 to simplify our example.

That means a city would have to budget around $60,000 plus about $18,000 for employee benefits. The systems administrator (or any other IT-specific role) would be limited to specific roles and responsibilities—meaning that person would lack knowledge about other IT areas. That’s $78,000 a year for an IT employee who is limited in knowledge.

Not only is $78,000 per year expensive but it also conflicts with staffing models appropriate for smaller cities. A full-time person on site for 40 hours per week may be overkill if a city only has a small number of IT systems, hardware, and software.

One Person’s Limited Bandwidth Hurts You in Multiple Ways

Nowadays, IT is not a 9-to-5 profession. Think about public safety operating 24/7. Think about city council meetings taking place in the evening after business hours. Think about employees traveling, working from home, or in the field. For such a high demand area, a 9-to-5 job just won’t cut it—even if you add some on-call hours or overtime requirements to the job.

Some simple scenarios show how the problem can get worse:

  • What if they get sick?
  • What if they go on vacation?
  • What if they decide to leave your city for another job?

In each situation, you’re stuck. Data backups not getting done. Problems going unresolved. Liability increasing. Over time, it’s easy for a limited resource to get bottlenecked. If a member of your city staff has an issue—even a simple issue—they may have to wait a long time until your IT employee gets to it.

An IT Employee’s Experience Will Be Varied and Inconsistent

Typically, your $78,000 will go toward someone with limited experience. Often, IT employees will lack municipal experience and not understand how cities work. There are also many areas of IT. It’s impossible to find someone experienced in everything such as network and systems support, data backup and disaster recovery, server management, software upgrades and maintenance, hardware upgrades and maintenance, website hosting and maintenance, document management systems, email software, open records requests, policy and compliance, and video archiving.

Attracting and Retaining IT Talent Will Be Tough

For many smaller cities, a dearth of local IT talent can affect hiring. Many IT professionals gravitate to a handful of highly populated metro areas. If you’re more than an hour outside one of these areas, it can be tough to find, attract, and retain IT professionals who are constantly bombarded by IT recruiters. You’re always competing with the market, even if you’re lucky to hire a very talented IT professional in your area.

Advantages of Contracting with a Vendor

Contracting with an experienced IT vendor is often a great alternative to a full-time employee because:

  • You can receive 24/7/365 support from municipal-experienced IT engineers for less than the cost of a full-time employee. On cost alone, the comparison between what a full-time employee can accomplish versus what a vendor can accomplish is not even close in terms of both financial investment and getting things done.
  • A 24/7/365 vendor doesn’t take a break. They won’t get sick, go on vacation, or leave you suddenly because they got offered a better job. That leads to ongoing IT stability and continuity.
  • A team of municipal-experienced IT engineers covers all aspects of IT. Instead of relying on the knowledge of a single person, a vendor’s team will cover all aspects of IT from data backup to website hosting, from video archiving to document management. It’s like having the IT expertise that only large companies used to enjoy.

The customer mentioned above eventually chose us after making these evaluations. It made more sense from a cost and knowledge perspective to go with us. When you face a similar dilemma, make sure you weigh your options carefully.

Ready to increase your IT support? Reach out to us today.

Tuesday, September 26, 2017
Nathan Eisner, COO

After struggling with technological limitations related to in-car cameras for many years, the City of Auburn moved to body cameras in 2013. However, the city’s body camera video technology introduced new problems such as where to store all that data and the expense related to that storage. After three years of using cloud storage, the City of Auburn moved to an on-premise system to save on fees. Coupled with Sophicity’s video archiving solution, the city’s new system saved them money—freeing up funds to purchase more body camera units.

In this Q&A, Auburn, Georgia’s Police Chief Carl Moulder and Lt. Chris Hodge talk about these technology challenges and how Sophicity’s vendor management (which is part of IT in a Box) helped them resolve these issues.

Before you implemented body cameras, what technology issues did you have to think about and anticipate to make the implementation a success?

We had in-car cameras for several years before replacing them with body cameras in early 2013. The in-car camera had serious limitations for video recording all police action, and the audio capability often failed when officers entered a residence or building. With the move to body cameras, we had to consider the increased storage needs of video/audio data because officers would be videoing all police action. The decision was made to use cloud storage. Our policy had to be revised and updated, but that was not a large task.

After three years of cloud storage, the decision was made to convert to in-house storage of the video/audio data. This also required the purchase of a new camera system. To successfully make the transition from our current cloud services provider, we had to procure our own server with enough storage to house videos of the size and capacity we produced. We also had to consider software that would enable us to upload and manage the videos without compromising chain of custody and evidence requirements.

From a technology standpoint, what was the most important thing you were looking for in a body camera system?

We wanted to move away from a cloud-based storage system and integrate a self-storage system within our own network. This saved on cloud storage fees, which were considerable, and allowed us to invest more money into the acquisition of more body camera units that could be assigned to an individual officer. Before, officers had to share body cameras because we didn’t have enough to go around.

What unexpected technology challenges came up when you implemented body cameras?

We experienced issues with cameras not communicating with the docking station, which in turn inhibited videos from uploading properly. The managing software is a crucial element for self-storage and maintaining videos. When this wasn’t syncing correctly, we experienced hardships. Manufacturers must understand how critical it is that their whole system (camera, software, docking station, storage medium, managing software) work flawlessly, as it’s better to not have a system than to have a system that doesn’t work.

How did IT in a Box’s vendor management and video archiving components help you with your body camera technology?

Our IT vendor was very instrumental in helping our department determine the best system for our needs while understanding our size and budget. Their assistance was critical in the implementation of the new software and cameras as well as the migration of existing videos to our new in-house server. Our vendor had the unenviable task of organizing thousands of videos into a manageable and retrievable arrangement. Without this structure, we would be unable to efficiently retrieve and disseminate these videos to the appropriate parties. Our IT vendor continues to work with us to ensure that our system functions correctly and efficiently, recommending upgrades as needed.

For other cities either implementing body camera technology or already using it, what technology advice would you give them?

Focus on getting quality software that will manage the videos. While the camera capabilities are important, without an efficient managing software the in-house storage endeavor will fail. I highly recommend involving your IT provider from the very beginning. They can keep you from making huge IT-related errors. Again, I believe it’s better to not have a system at all than to have a system that doesn’t work properly.


A few important points are worth noting from this interview:

  • Transitioning to a new technology requires research and assessment to determine the right fit. All body camera technology is not the same. The City of Auburn leveraged Sophicity to help determine the right technology and software for the city’s needs and budget.
  • Technical problems will inevitably arise with new hardware and software. When this happens, it’s best to have an experienced IT partner on hand to work with the hardware and software vendor on issues ranging from implementation to migrating data from one system to another.
  • Ongoing monitoring and maintenance is critical. Sophicity monitors and maintains the city’s body camera technology, software, and data to proactively watch out for any problems. Sophicity also upgrades and patches software while ensuring that the systems work.
  • A city’s technology partner can help ensure compliance with the law. Body camera video data contains sensitive, confidential information and it’s often needed for investigations. That information needs to be handled with care like any open record. Body camera video data needs to be stored, findable, and accessible.
  • Storage costs can be brought down by examining creative solutions. For the City of Auburn, it made sense in their situation to bring their data storage back in-house to lower storage costs. They also complemented that strategy with IT in a Box’s video archiving feature which helped the City of Auburn archive data into the cloud. That solution provides them unlimited storage at a fixed cost and protects that data as part of their disaster recovery strategy.

Exploring body camera solutions? Having issues with your existing body camera technology? Reach out to us today.

Wednesday, September 20, 2017
Dave Mims, CEO

Equifax is a multi-billion-dollar Fortune 1000 company that just experienced one of the biggest data breaches in history. This data breach potentially affects nearly all American adults. Media publications, Congress, and the public are currently in angry attack mode.

If you’re a small- or medium-sized city (or even a larger city), it may seem like there’s nothing much to be learned when comparing yourself to a giant company like Equifax. Yet, there are three important lessons you can learn from the Equifax data breach that make this a good time to review your current cybersecurity efforts.

1. The Equifax data breach stemmed from the company failing to patch software. What is your patch management strategy?

You know the story of David and Goliath. That’s how Equifax got taken down. Despite its size and revenue, hackers found one small security vulnerability in software that Equifax failed to patch—even though the vulnerability was well-known in the security community. The result? Hackers stole the PII (personally identifiable information) of 143 million people.

According to Ars Technica, hackers exploited “a Web application vulnerability that had been patched more than two months earlier. [...] [The company’s] disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites.”

Similarly, a lack of patch management became the reason why so many organizations were affected by the WannaCry ransomware virus earlier this year. Unfortunately, many cities still don’t proactively apply patches to software and systems. By failing to patch, cities are inviting a data breach with wide open arms.

We’ve written a lot about patch management in the past, but a few reminders include:

  • Creating a policy and procedures that require proactive patch management on a regular schedule.
  • Relying on IT professionals to oversee patch management. Non-technical employees may get distracted and/or apply patches incorrectly.
  • Applying patches to all machines regardless of location. This includes patching remote machines (such as servers hosted someplace other than your city buildings) and devices (such as laptops and smartphones that employees use at home or while traveling).

2. The Equifax data breach showed a stunning lack of responsibility at a fundamental level to protect people’s personal, sensitive information. Do you see the safekeeping of citizen data as a critical responsibility?

What makes people especially angry about the Equifax data breach is that we have no choice about Equifax acquiring and using some of our most personal data. They are not a typical services company where we opt in to share our personal information. Equifax collects our information whether we like it or not.

Yet, Equifax failed as stewards. According to Forbes, Equifax had a history of shoddy security practices that led to lawsuits, issues with PINs, security vulnerabilities, and smaller data breaches. Think about it. Equifax had not only a business incentive but also a responsibility to protect our data. Congress is now voicing that they will be looking at this situation.

Now, think about your city. It’s not a business where customers voluntarily offer up their personal information. They have no choice about you stewarding their personal, sensitive information or records that impact their families, properties, communities, or schools. Are you properly protecting and securing this data that you manage on behalf of your citizens?

Some signs that you are failing at your stewardship include:

  • Unpatched software
  • Old technology (especially more than 5 years old)
  • Unsupported software
  • Lack of data backup and disaster recovery
  • Reactive IT support
  • Lack of or poorly managed antivirus software
  • Poor passwords and user authorization procedures
  • Uncertainty around where your website is hosted

3. With more scrutiny and awareness about cybersecurity, the law becomes stricter. Are you following (or are you ready to follow) cybersecurity laws, regulations, policies, and government cybersecurity best practices?

2017 has been one of the most active Congressional sessions with passed and proposed cybersecurity legislation. For example, the Modernizing Government Technology (MGT) Act would require government agencies to follow basic IT best practices—known as cyber hygiene—to prevent cybersecurity attacks. At the state level, a good example is Arkansas’s SB138 that says cities can lose their charter if they do not comply with IT-related accounting practices.

Additionally, we’ve noted that poor cybersecurity may also affect your ability to borrow money. If you’re negligent about your cybersecurity, then your municipal bond rating that financial institutions and insurance firms use as part of their calculations will likely take a big hit in the future. Borrowing money is essential for city operations, and failing to take basic cybersecurity steps may affect your city’s finances in the future.


If there is one overarching lesson from Equifax, it’s that cybersecurity is just becoming too big to ignore. For many years, cities and other organizations have pled technology ignorance, lack of budget, or that they had no need for proactive technology support. 

Those times are over. Equifax failed in their stewardship, and time will show the impact to both Equifax as an organization and to the millions of people whose data they failed to protect. Individuals and families may now fall victim to identity theft. Your city must not fail in its stewardship of citizen information that includes both personally identifiable information as well as city records used to conduct city business for the benefit of the entire community. Your citizens trust you with their information. Can you truthfully say to them that you are protecting their information to the best of your ability?

If you need help with your cybersecurity, reach out to us today.

Wednesday, September 13, 2017
Victoria Boyko, Software Development Consultant

With more than 2 billion monthly users, Facebook is the third most popular website in the world. Because so many people spend time on it, Facebook has become an important place for cities to communicate information and help bring people to your city’s website. City departments often have their own Facebook pages that are individually managed, and those pages can be a fun, easy way to reach out to people.

However, Facebook pages can be plagued with security risks just like your city’s website or systems. For example, imagine a terminated city employee hijacking a city department’s Facebook page and not turning control of the page back over to the city. What would you do? And what could have been done to prevent this situation from happening?

While this situation is bad, we can easily imagine worse scenarios. If someone takes over your page, they can embarrass your city, spread misinformation, and use your page for a different purpose (like political extremism). That kind of hijacking can be a major liability to your city, and so you need to secure your Facebook pages.

How do you secure a page that’s hosted by Facebook and that you don’t directly control the way you control your servers, software, or website? Here are seven security tips that you can apply today.

1. Follow password best practices.

Password best practices are not only good for Facebook pages. They are applicable to all accounts across all systems and applications. Best practices include:

  • Using a password on all devices—including smartphones and tablets.
  • Using passphrases (preferred), but at a minimum using complex passwords.
  • Using two-factor authentication. For example, to log in you will enter 1) your username/password, followed by 2) a code sent to your mobile device.
  • Changing passwords regularly.
  • Not writing passwords down—especially where they are visible to others.
  • Not using obvious passwords (such as "password" or "123456").
  • Not allowing apps or browsers to cache/save passwords.
  • Not using the same password across systems, apps, and websites.

2. Change your password today.

Yes, we’re reiterating some of the points above. If you haven’t changed your password in a while or if it’s an incredibly weak password, change it today. Plus, changing your password today immediately eliminates risks if other people (ex-employees, hackers, etc.) have stolen your current password.

3. Take advantage of the “Setting Up Extra Security” section of Facebook’s Security and Login settings.

If you go to your Facebook page’s Settings, you will see a tab for Security and Login. Go to that tab and you will see a section called “Setting Up Extra Security.” Two important features are there that you should use.

  • Get alerts about unrecognized logins: If an unauthorized user or an authorized user from an unusual location attempts to log in to your Facebook page, then you will receive an alert. In many cases, these alerts will clue you in to a security problem.
  • Use two-factor authentication: We mentioned this under our password best practices, but Facebook allows you to easily set this up. A login to your Facebook page will require a user to enter both a password and a code sent to their mobile device.

4. Limit and manage authorized users.

Don’t just create one account and give everyone administrative access. Limit who uses your Facebook page and give them specific roles by:

  • Going to Settings on your Facebook page.
  • Going to Page Roles.
  • Typing the name or email address of a user under “Assign a New Page Role” and assigning them a role such as Editor, Moderator, or Admin.

Once set up, make sure you manage the list of authorized users and review it regularly. Otherwise, terminated employees or other unauthorized individuals may have access to sensitive information. Eliminate any user who is no longer authorized to make changes to your Facebook page.

5. Apply the above best practices to your email software.

Your Facebook page security will mean nothing if your email security is poor. A city might create a generic admin email address used by many people to make it easy for them to log into a Facebook page account. Instead, have everyone use individual email addresses and make sure those email addresses are protected by strong password best practices, suspicious activity alerts, and two-factor authentication. Strong email security at your city prevents unauthorized users from accessing your Facebook page.
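
The regular review described in tips 4 and 5 can be run as a simple reconciliation. The following is an added example, not code from this post or from Facebook: it assumes the Page Roles list has been copied by hand from Settings into (email, role) pairs and that a current staff roster is available; the addresses, the shared-mailbox names, and the two-admin limit are constructed assumptions.

```python
from dataclasses import dataclass

# Roles named in the post's "Assign a New Page Role" step.
KNOWN_ROLES = {"Admin", "Editor", "Moderator"}
# Local parts that suggest a shared mailbox rather than a person (assumed list).
SHARED_LOCAL_PARTS = {"admin", "info", "webmaster", "social", "cityhall", "office"}
MAX_ADMINS = 2  # assumed local policy limit, not a Facebook rule


@dataclass(frozen=True)
class Finding:
    email: str
    role: str
    issue: str


def review_page_roles(page_roles, active_staff, max_admins=MAX_ADMINS):
    """Compare a hand-exported Page Roles list with the active staff roster.

    page_roles: list of (email, role) tuples copied from Settings > Page Roles.
    active_staff: e-mail addresses of current, authorized employees.
    Returns Finding objects sorted by e-mail, then by issue.
    """
    staff = {e.strip().lower() for e in active_staff}
    findings, admins, seen = [], [], set()
    for raw_email, raw_role in page_roles:
        email = raw_email.strip().lower()
        role = raw_role.strip().title()
        if email in seen:
            findings.append(Finding(email, role, "duplicate entry"))
            continue
        seen.add(email)
        if role not in KNOWN_ROLES:
            findings.append(Finding(email, role, "unrecognized role"))
        local_part = email.split("@", 1)[0]
        if local_part in SHARED_LOCAL_PARTS:
            # Tip 5: a generic address used by many people has no single owner.
            findings.append(Finding(email, role, "shared mailbox"))
        elif email not in staff:
            # Tip 4: terminated or otherwise unauthorized users must be removed.
            findings.append(Finding(email, role, "not on active roster"))
        if role == "Admin":
            admins.append(email)
    if len(admins) > max_admins:
        # Tip 4: not everyone should hold administrative access.
        for email in admins:
            findings.append(Finding(email, "Admin", "too many admins"))
    return sorted(findings, key=lambda f: (f.email, f.issue))


# Constructed sample data: one departed employee and one shared mailbox.
SAMPLE_ROLES = [
    ("dana.cole@city.example", "Admin"),
    ("lee.park@city.example", "Editor"),
    ("sam.ortiz@city.example", "Admin"),
    ("admin@city.example", "Admin"),
    ("Kim.Vance@city.example ", "moderator"),
]
SAMPLE_STAFF = [
    "dana.cole@city.example",
    "lee.park@city.example",
    "kim.vance@city.example",
]

if __name__ == "__main__":
    for f in review_page_roles(SAMPLE_ROLES, SAMPLE_STAFF):
        print(f"{f.email:28} {f.role:10} {f.issue}")
```

Each finding maps to an action in Page Roles: remove the user, replace the shared address with individual ones, or downgrade an Admin to Editor or Moderator.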

6. Check the “Where You’re Logged In” section of Facebook’s Security and Login settings.

Make a habit of occasionally checking the “Where You’re Logged In” section of Facebook’s Security and Login settings to see if any suspicious devices are logged into your account. Each user will be identified by the type of device, browser, and location. It’s especially a red flag if someone unknown is logged in from an unusual location such as another country.

7. Use the Verified Badge for Government option.

We’ve written previously about the benefits of acquiring a Verified Badge for your city’s Facebook page. It makes your page the official, approved page for your city or city department. As we noted in a previous blog post, with a Verified Badge “you now have more authority to shut down damaging or slanderous Facebook pages. If someone operates a Facebook page that pretends they are your city or if they are misleading people about your city, then it’s easier as the owner of the official, verified version of your city’s page to work with Facebook to shut down misleading unofficial sites. Until you receive your verified page badge, you may have to work harder to prove to Facebook that another site is unofficial and shouldn’t be representing your city.”

If you need some help getting a Verified Badge, this post provides some good guidance.


Facebook pages may seem simple because they are so quick to set up, but take them seriously from a security standpoint. In the wrong hands, a hijacked Facebook page can do your city a lot of harm. Apply the tips above in order to secure your Facebook page from hackers and hijackers.

Need help securing your social media pages? Reach out to us today.
