We put the IT in city®

CitySmart Blog

Wednesday, January 17, 2018
Dave Mims, CEO

In the fall, a Georgia city “learned” of a data breach—meaning it was unclear when the data breach actually occurred. 12 days after learning of the incident, the city determined that someone had gained unauthorized access to personal information on a server. After alerting citizens by letter, the city experienced a backlash that was even reported in the media.

Why? Citizens grew concerned over the lack of information about the incident and the ways the city offered to mitigate the risk. By providing only free credit monitoring for a year and some tips to help citizens protect themselves, the city angered citizens, who complained that the response didn’t reassure them that the city was taking proactive steps to protect their personal information.

If your city hasn’t yet experienced a major data breach, it may just be a matter of time. Learning from this incident, your city can implement some best practices that will lessen the risk of exposing your citizens’ personal information to hackers or unauthorized individuals.

1. Practice proper cyber hygiene.

You shower and brush your teeth every day. You change the oil in your car every few months. You clean your house regularly. Similarly, information technology systems require “cyber hygiene”—a series of ongoing tasks and processes that mitigate the risk of a data breach. Three major cyber hygiene tasks include:

  • Antivirus: Enterprise-class antivirus overseen and managed by IT professionals is necessary to block dangerous viruses that employees may download by accident when browsing the internet or checking their email.
  • Software patching and updates: Even massive ransomware attacks like WannaCry mostly hurt organizations that did not apply basic, regular software patches. If organizations had simply patched their software, they would not have been vulnerable to WannaCry or many other threats. Applying software patches and updates is one of the most important cyber hygiene tasks that help prevent data breaches.
  • Data backup and disaster recovery: Unfortunately, even your best defenses may get breached. For example, a user may open an attachment or click on a link that unleashes a virus—mistakenly letting a hacker right in the door. In addition to stolen and exposed data, your data may also get deleted, corrupted, or held for ransom by an attacker. To alleviate the risk of permanently lost data, you need a data backup and disaster recovery plan that ensures you can recover your data in a worst-case scenario.

2. Implement strict policies to help you comply with the law.

How is your city specifically protecting citizens’ personal information? Policies around vendor contracts and management, network security, wireless security, physical access security, logical access security, disaster recovery, and application controls (such as data input, processing, and output) are needed to prevent unauthorized users from accessing sensitive information.

It’s not uncommon to encounter cities that don’t have clear policies about authorized access. The result? Situations where too many people have administrative access, passwords are weak, and information is not properly encrypted and secured.

3. Increase your ability to identify a breach.

The longer it takes to discover a breach, the more scrutiny you will receive when it’s revealed to the public. A data breach can go undetected when an organization does not have a proactive IT mindset that includes:

  • Ongoing monitoring and alerting of systems: A blend of automated software and the oversight of your systems by IT engineers is needed to detect issues such as suspicious activity.
  • Proactive management of applications and systems, vendor access, network access, wireless access, physical access, and user access to ensure that only authorized users are accessing your systems.

4. Transparently notify your citizens after a data breach.

Many state data breach notification laws require that you contact anyone affected. Laws vary by state but usually you will need to let victims know what happened, what information was breached, and what you are doing to remedy the situation. The Georgia city from our introduction sent out a letter to citizens that described the incident, tips on how to protect themselves, and free credit monitoring.

However, some citizens felt dissatisfied by the city’s response and the media reported as such. For legal, law enforcement, or security reasons, you may not be able to provide all the details people want but you should try to provide as much information as possible.

Especially after the Equifax data breach, people are more wary and distrustful of organizations that seem slack in protecting their sensitive data. Cities are stewards of sensitive citizen information. Many data breaches can be prevented by basic cyber hygiene that follows the steps above, along with regular, ongoing training for your staff. And remember, it’s also essential to have a data backup and disaster recovery plan in case hackers delete or destroy data as part of a breach.

Are you vulnerable to a data breach? Reach out to us today.

Wednesday, January 10, 2018
Sylvia Sarofim, Network Infrastructure Consultant

Even if Uber does not operate in or near your city, its recent disclosure of a massive data breach has important lessons to teach cities. Occurring in October 2016, the data breach affected 57 million users—and Uber hid it for more than a year. Worse, Uber paid the hackers a $100,000 ransom to delete the data.

While embarrassing for Uber, this data breach illustrates several important security policy and compliance best practices that apply to cities in a day and age when these kinds of data breaches can happen to any organization.

1. It’s the law to report a data breach within a specific time period and comply with the right notification requirements.

48 states each have their own data breach notification requirements. Obviously, you will need to follow the data breach notification laws in the state where your city is located. However, if you handle personal data from people in other states, then you must report the data breach to those states too.

Overall, you need a plan in place to respond legally to a data breach within a specific timeframe and with the right information to the state (or states). That plan includes:

  • Knowing what is and isn’t a breach.
  • Notifying appropriate state, federal, and law enforcement agencies.
  • Meeting state-specific reporting requirements.
  • Understanding how the data breach happened.
  • Taking steps to correct the vulnerabilities.
  • Notifying people who were affected by the data breach.

Examples of state data breach notification laws include:

Talk to your city attorney, finance officer, and information security officer for more details about how your city is (or isn’t) equipped to respond to a data breach.

2. Don’t pay criminals.

Uber made a rookie mistake when they paid hackers $100,000 to delete the exposed data. Why would you ever trust the bad guys? They targeted you, stole from you, hold your property hostage, and demand a ransom. And yet they promise to put things back like they were, clean up their mess, and close the door on the way out, never to cross your path again. Right! Do you really think that criminals will delete information like you ask and never sell it on the black market? The federal government and law enforcement agencies recommend never paying criminals. We’ve talked about this issue a lot with ransomware. It’s tempting to try getting your data back by paying a ransom and hoping the criminals will decrypt your data. However, it’s not guaranteed. Even if it works, how do you know your data hasn’t been altered, resold, etc.? And know that you’re funding criminal activity. The better response? Rely on your data backup and disaster recovery—and make sure you can recover your data in a worst-case scenario.

3. Maintain proactive security best practices.

Hackers threatened to expose sensitive data if Uber didn’t pay up. How did that data get exposed in the first place?

According to KnowBe4: “Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. […] If you read between the lines, that could very well be a simple credentials spear phishing scheme, done with some crafty social engineering, or perhaps careless developers leaving internal login passwords lying around online.”

To prevent similar issues, you need proactive security best practices in place that include:

  • Authorization policies: Who gets access to sensitive information? Where is that information stored? Who manages access? In Uber’s case, a GitHub coding site exposed sensitive information to unauthorized people. It was easy for hackers to then use that information to break into a more hard-to-access server.
  • Password policies: While we can’t confirm exactly what happened, it’s likely that passwords were stored on an unsecured third-party site. In the past, we’ve talked about password security risks related to human error, such as writing passwords on sticky notes and leaving them exposed to public view on your desk. Sharing or storing passwords in unsecured online locations is just as dangerous as, or even more dangerous than, leaving them lying on a desk. Employees need to protect passwords like they would protect their social security numbers or banking information.
  • Third-party access policies: When vendors or contractors work with you, what city information can they access? How do they access it? Data breaches can just as easily result from third parties, so it’s essential to create policies around how vendors, contractors, and outside users can access your systems and data.
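The Uber incident above began with credentials left in a code repository. One preventive control a city’s IT staff or vendor can put in place is a pre-commit scan that refuses to commit files containing credential-shaped strings or obvious default passwords. The script below is an added example, not code from Sophicity, Uber or KnowBe4; its patterns are common credential shapes, the sample settings file is constructed, and the AWS key values in it are the placeholders AWS uses in its own documentation.

```python
"""Pre-commit style scan for credentials left in repository files.

Added example, not code from Sophicity, Uber or KnowBe4.  The patterns are
common credential shapes; the sample file below is constructed, and the AWS
key values in it are the placeholders AWS uses in its own documentation.
"""
import math
import re
import sys
from collections import Counter

# Credential shapes a reviewer can recognise by pattern alone.
PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A 40-character secret assigned to the well-known AWS variable name.
    "aws_secret_in_assignment": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    # Any quoted literal assigned to something called password/passwd/pwd.
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{4,})['\"]"),
    # PEM private key header.
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Catch-all: a long token on the right-hand side of an assignment.
TOKEN_RE = re.compile(r"[=:]\s*['\"]?([A-Za-z0-9/+_\-]{32,})")
# Defaults that should never be a real password (the blog's own examples included).
WEAK_PASSWORDS = {"123456", "password", "admin", "letmein", "qwerty", "welcome"}
ENTROPY_THRESHOLD = 4.0  # bits per character; random API tokens score above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or one-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, name: str = "<input>"):
    """Return (file, line_no, rule) findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = []
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            matched.append(rule)
            # A password literal that is a known default is a second, worse finding.
            if rule == "password_assignment" and m.group(2).lower() in WEAK_PASSWORDS:
                matched.append("weak_password")
        if not matched:
            # Nothing named matched: flag high-entropy blobs (API tokens, keys).
            for m in TOKEN_RE.finditer(line):
                if shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
                    matched.append("high_entropy_token")
                    break
        findings.extend((name, line_no, rule) for rule in matched)
    return findings


def scan_files(paths):
    """Scan each path on disk; undecodable bytes are replaced rather than fatal."""
    findings = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), str(p)))
    return findings


# Constructed sample of a settings file that was committed by mistake.
SAMPLE_CONFIG = """\
# deployment settings (constructed sample)
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "admin"
api_token = "Qx7vL2mR9pT4kW8nZ1yB6cH3jF5sD0gA"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # With file arguments, behave like a pre-commit hook: a non-zero exit blocks the commit.
    targets = sys.argv[1:]
    hits = scan_files(targets) if targets else scan_text(SAMPLE_CONFIG, "settings.ini")
    for path, line_no, rule in hits:
        print(f"{path}:{line_no}: {rule}")
    sys.exit(1 if hits else 0)
```

Run it with no arguments to see the findings on the constructed sample, or wire `scan_files` into a Git pre-commit hook over the staged files so the commit is rejected before a credential ever reaches a shared repository.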

4. Teach employees about “spear phishing” techniques.

You may have heard about phishing—when hackers try to use spam emails or other methods to get you to click on a dangerous website link or file that contains a virus. With spear phishing, a hacker specifically targets a high-level person in your organization. For example, we recently interviewed Stephanie Settles, the City Clerk and Treasurer at Paris, Kentucky, who was targeted in a spear phishing attack. The hacker cleverly imitated the city manager and even used his language mannerisms. Luckily, the odd requests from the “city manager” raised red flags with her that stopped her from transferring thousands of dollars to the criminal—but other cities might not be so lucky if they are caught unaware.

5. Teach employees about social engineering techniques.

When sophisticated criminals specifically target a city, they often use advanced social engineering techniques. That means they know how to act and manipulate you into giving up information. For example, let’s say you’re busy and stressed as you take many phone calls during the day. What if a “support engineer” calls you up and says they need your password to fix the “software issue”? The “software” is a system you (or your staff) uses and the support engineer sounds like he knows what he is talking about and comes across very personable—joking and making you laugh a couple of times. To be helpful, you give the password over the phone. Later, you find out that it wasn’t your support engineer at all. Instead, you allowed a hacker into your network—giving him or her the entry point they needed to breach your system.

Even if employees want to be helpful, they must follow strict procedures over the phone. That means even if a trusted employee or trusted vendor calls up wanting your password, say ‘no’. Again, say ‘no’. You must follow a policy and a process to provide them authorized and secure access to the system they want, and it won’t be by providing them your password.

Learn from Uber. If you haven’t created detailed security policies or reviewed yours in a while, then take the time to make sure your risk of a data breach is minimized. If you need help, then reach out to a vendor with municipal experience related to proactive cybersecurity best practices, policies, and compliance.

Are your security policies not in the best shape? Reach out to us today.

Wednesday, January 03, 2018
Michael Chihlas, Network Infrastructure Consultant

Free software. It sounds like a great bargain. However, a recent incident shows the dangers of freeware. Back in September, CCleaner (a popular free utility) suffered a major security incident. When CCleaner pushed out a software update to its customers, the update contained malicious code that could be used by hackers to control a person’s computer.

At first, this seems like a problem that any city—even if they work with IT professionals—could not have avoided. After all, a legitimate company pushed out the update. What can you do about such a situation?

Actually, there are quite a few lessons to learn from this situation—although the lessons are subtle compared to the warnings we would typically give about avoiding viruses or malware. Yet, the security issues and liability from using freeware may be just as serious.

1. If IT professionals aren’t monitoring, patching, and updating your software, then how will you know there is a problem?

If non-technical city staff use freeware software like CCleaner, then how will they know a security issue exists? If they are not keeping up with professional technology security news about software vulnerabilities, then they may not know about this issue for a long time. However, IT professionals will know about such issues within minutes or hours because they get the alerts and understand the implications.

2. If you do know about an issue, then...now what?

Okay, let’s say non-technical city staff find out about a problem with a software update. Now what? What will they do to make sure that hackers will not exploit this security vulnerability, control your city employees’ computers, and steal confidential or sensitive information?

Part of addressing such an issue means having an underlying understanding of the issue as a foundation and then the experience, processes, and tools to both quickly resolve and mitigate the risk moving forward.

3. What problems are you hiding by using freeware?

Do you realize the risk to your systems, records, data, finances, and citizens’ identifiable information that your city manages when you rely upon non-technical employees to perform computer maintenance? This is a great risk in today’s world.

Consider additional freeware tools other than CCleaner that your city may be relying upon for:

  • Antivirus: Leaving employees in charge of their own antivirus software is a big risk, as employees may not keep antivirus definitions up to date.
  • Data Backup: You cannot guarantee that backups are occurring without IT professionals monitoring and testing them.
  • Email: To lessen liability, your city needs an enterprise email system with its own domain name (such as mayor@mycity.gov) instead of using a free service.
  • File Sharing: What processes are in place to ensure compliance? In other words, are only authorized users sharing authorized information in a secure transmission of data?

4. Is your freeware meeting policy and compliance standards?

Overall, enterprise software that is maintained by IT professionals helps ensure that you are following city policies and meeting compliance standards. Otherwise, your seemingly innocent use of freeware may break the law in multiple ways or increase your liability because of:

  • Risk of permanent data loss
  • Exposing confidential and sensitive information to unauthorized users
  • Installing viruses and malware onto your computer
  • Risk of untracked data changes or (even worse) fraud

With freeware, you’re increasing the likelihood of a data breach, compliance violation, virus, ransomware, malware, or data loss. Cities serve an important role—no matter how big or small the city—by safeguarding and protecting sensitive, confidential information. Don’t let a “bargain” like freeware compromise your stewardship of citizen information.

Worried about freeware, or wondering how to modernize your software? Reach out to us today.

Tuesday, December 12, 2017
Victoria Boyko, Software Development Consultant

Quick! Name the top three websites in the world!

You probably guessed Google as number one. Number two? YouTube. Number three? Facebook.

Why is it significant that YouTube and Facebook are number two and number three? It’s because content today is driven so much by video—and video is easier to create than ever before.

What led to this video explosion? A few things:

  • Fast, cheap broadband internet access nearly everywhere
  • Faster, more reliable Wi-Fi access in more places
  • 4G mobile coverage replacing slower 3G coverage
  • Smartphones and tablets that easily record video
  • Easy-to-use services (like YouTube or Facebook Live) that allow non-technical users to upload videos

One great benefit of this video explosion is the ability to easily stream videos live. As a city, you’ve probably already tried live streaming or want to explore this content option more. If so, we’ve got a few tips and best practices to keep in mind as you get those video cameras recording.

1. You’ve got lots of flexibility with budget and technical complexity.

Video is accessible to you no matter what your budget and technical limitations. Some aspects that you can adjust include:

  • Cost: Free tools exist such as the camera built into your smartphone or tablet combined with a free platform like Facebook or YouTube. As you go up in price with hardware or software, you can increase the quality of the video or technical capabilities.
  • Video quality: Obviously, a smartphone held by a non-technical employee will record video—but it may not meet your or your viewers’ expectations. Plenty of hardware and software exists to raise the quality as much as you want—from more expensive video cameras to specialized video streaming software.
  • Technical complexity: Depending on how technical you want to get with video and what resources you have available (such as knowledgeable city staff or a video vendor), you can keep your recording simple or produce incredibly complex videos with multiple shots, high definition, or streaming that goes out to multiple social media channels at once.

2. You’ve got a lot of video add-ons that will delight people.

With modern tools (including free tools), many add-ons help make your video more exciting and engaging. Features may include the ability to:

  • Stream live as an event is happening.
  • Allow people to make comments about the video while it’s playing. You can even interact with those people and answer their questions. However, you want to be careful and perhaps turn this feature off depending on your policies (such as dealing with cursing, hateful comments, etc.).
  • Broadcast the video in people’s news feeds if they are followers of your city on a social media platform.
  • Notify people when the video starts broadcasting live.
  • Allow people to view the video later if they missed the live broadcast.

3. You can integrate video cameras and streaming software with social media platforms.

Modern video equipment and software usually integrates well with social media platforms. Some aspects to review with your video professional are:

  • Video equipment: Do you want to record the video professionally? Will you need to set up multiple cameras for multiple angles? Are you just using a smartphone or tablet? If so, is it set up properly to capture video and audio so that people can see and hear the event? Have you done a test?
  • Hardware: A cheap laptop or aging desktop may not be able to handle the demands of video software and storage. Video software takes up a lot of memory and CPU, and the storage of videos may require a server or cloud storage option.
  • Software: Free or low-cost video software may quickly hit limitations. A technical discussion about video streaming software goes beyond the scope of this article, but a video professional will probably look at elements such as encoding, HD capabilities, streaming capability (so that videos don’t freeze or get choppy over a bad internet connection), APIs (code that connects your software to social media platforms), graphics capabilities (such as overlaying someone’s name on the video when they’re talking at a city council meeting), or how many total viewers can view your video live.
  • Internet bandwidth: High-speed broadband is essential for live streaming, preferably through a wired connection. If you must use Wi-Fi, then make sure it is backed by a high-speed internet connection. And if you must use your smartphone or tablet without Wi-Fi, then make sure you’ve got a 4G connection.

4. Beware of a few live video streaming pitfalls.

Be careful of a few video pitfalls that may impact your decision to live stream your events.

  • Make sure you have your own copy of the video. Yes, it’s very convenient to simply embed videos on your website from YouTube, Facebook, and other sources. However, it’s ideal to create a standalone video (preferably as an MP4 file) that you own, store on your own servers or video storage solution, and can publish on your own website if you desire. If your video only lives on a platform that you don’t own or control, then you are subject to the whims of that company and may have ownership issues with your video in the future.
  • A live video stream is not the official record of your city council or other city business meetings. Videos do not replace open records laws concerning city council meetings and other meetings involving city business. You still need to publish minutes and follow all laws relating to documenting city meetings.
  • No easy way to integrate minutes and agendas with live streaming platforms. Unless you are using sophisticated software, the free or inexpensive tools today do not have options for integrating the use of agendas and minutes with live streaming. When people later watch the video, they may have trouble finding parts of the meeting that interest them.
  • Possibly disable comments. We live in an era when people will say anything to stir up trouble and “troll” your social media platforms. You may want to disable the comment feature for live streaming videos. If you want to give citizens a forum for engaging, then you may consider blocking specific users who are vulgar, hateful, or harassing.
  • Make sure you deliver a minimum quality live video streaming experience. It’s embarrassing if you’re live streaming a city council meeting and no one can hear what anyone is saying or the footage is blurry. If you are going to live stream, then make sure you meet a minimum video and audio quality threshold.
  • Follow requirements. For example, Facebook Live has a 4-hour video limit and a title length requirement for what you name your video. Knowing requirements like these will help you anticipate problems such as the video suddenly cutting off or failing to work because the title is too long.

Live streaming video holds a lot of exciting potential for your city as it becomes more mainstream. By following the tips and best practices above, you’ll make sure that the video experience you broadcast connects with your audience.

Questions about using live streaming video? Reach out to us today.

Tuesday, December 05, 2017
Adrian McWethy, Account Manager

One great result of modern technology is that it’s easier than ever to set up a website. 20 years ago, you would need a webmaster who knew how to code and how to host your website on a complicated server. Today, there are so many free website and content management system platforms that you can set up in a short time. Because the cost is so compelling, many smaller organizations, businesses, and even cities go this route to set up a very low-cost website.

That approach leads to significant security risks. For example, a recent SC Media article points out that WordPress websites (which are quite popular) are prone to ransomware attacks from criminals specifically targeting them. Why go after WordPress websites? It’s not because there is anything bad about the platform. Instead, it’s because criminals know that many of these sites are set up by non-technical people who will not know how to configure, manage, code, and update their websites to eliminate security issues.

If you took a low-cost approach to get your city’s website up and running, you may be at risk. To perform a quick assessment, ask yourself the following questions.

1. Where is my website hosted and what do I know about the hosting provider?

Free or cheap website hosting providers may not adhere to strict security standards, leaving your website at risk. Are they regularly providing security updates? Are they monitoring for security vulnerabilities? Where are they hosting the servers? Within sovereign U.S. borders? Is the information hosted in a country where security and compliance laws might differ from the United States? Will they allow for a third party to scan your website for security vulnerabilities? If you’re not sure of the answers to most of these questions, then you might want to reexamine where you’re hosting your website. In some cases, less reputable vendors can even go out of business or sell their platform to another vendor who may not have your best interests in mind.

Another common situation with cities involves a single employee acting as a webmaster who effectively holds all of your website information hostage. If that employee leaves, gets fired, or even dies, then you may not be able to access your website. Cities that host their own website in-house on a server may also fail to follow security best practices if they have limited or reactive IT resources at their disposal.

2. Who manages your website’s security?

If you’re thinking “I need to manage my website’s security,” then you’re in trouble. Website security involves a lot of aspects including:

  • Permissions: Who gets administrative access? Who gets to upload and edit content? Who gets review-only permissions?
  • Password management: Are you enforcing strong password best practices that help prevent hackers from accessing your website? Too many stories still occur where a hacker gets into a website because an organization’s password is something simple like “123456” or “admin.”
  • Technical backend security: We won’t go into technical details here, but hackers have many ways they can take advantage of poor website configurations to attack your website through everything from uploading malicious files to using your error messages to discover ways to hack your website. You also need IT professionals to assess and vet any third party plug-ins to your website.

3. How is payment information secured on your website?

It’s likely that you allow citizens to pay for tickets, fines, utilities, licenses, or other services online. How is payment information secured when citizens share it with you? In order to comply with PCI DSS standards, you need to secure and encrypt payment information when it’s entered, in transit, and in your hands. Otherwise, it’s easy for hackers to steal credit card information, banking information, and personal details such as birthdays or a physical address.

4. Who is regularly patching and updating your website software?

Technically, this may seem part of #2 above. But in light of the WannaCry ransomware attack and Equifax data breach this year, it’s important to specifically highlight patching and updating software. A failure to patch software led to many organizations losing data to ransomware this year, which is especially a shame because patches that could have prevented those attacks existed for many months.

Websites inevitably contain bugs and security vulnerabilities that need patching on an ongoing basis. In addition, software updates improve your website’s performance and give you access to new features that will enhance how you use the software. If you’re not keeping up on patching or your website software doesn’t provide regular updates, then your website may be at risk.

5. Do you have a backup plan if your website data is lost?

Like any repository that stores data, there is a risk of permanently losing that data. That means you need a data backup and disaster recovery plan in case something goes wrong. If you host your website onsite, then you will need both an onsite and offsite data backup and disaster recovery plan. Otherwise, a fire, flood, or tornado could completely eradicate your website.

Even if you’re using a website hosting provider, you need to ensure that they have a data backup and disaster recovery plan. They can still lose data from human error or a disaster at a data center. What are their contingency plans? If they can’t answer you with confidence and specificity, then you might want to consider another hosting provider.

Going the free or cheap route with a website involves consequences that might become more costly in the long-run. Make sure your website is hosted, managed, secured, patched, updated, and backed up so that it continues to run and keeps your citizens’ information safe.

Questions about the security of your website? Reach out to us today.

Tuesday, November 28, 2017
Victoria Boyko, Software Development Consultant

In the bustle of day-to-day activities, it’s easy to neglect your city’s website. As time passes, a website can grow old and stale rather quickly. However, your citizens—through both desktop and mobile devices—grow accustomed to the ease and usefulness of modern websites. To at least a modest degree, you need to meet these expectations for citizens and people interested in possibly relocating their home or business to your city as they research online.

Fortunately, there are many actions you can take to make your website more useful and modern either with your existing website or in a redesign. These five action items will clean the dust off your current website and make it a much fresher experience for people.

1. Make your website readable and accessible on mobile devices.

In the world of websites, something called “responsive design” has become common. That term means a website that adapts to a variety of device screens. Have you ever had the experience of looking at a website on your smartphone or tablet that looks like a tiny, hard-to-read, exact replica of the desktop website? That kind of website is not responsive.

Other websites seem to fit just right for your handheld device and look different than a desktop version of the website. Those are responsive websites that adapt and adjust to the size of your device.

If you are considering a redesign of your website, responsive design should be in the mix. In fact, Google now rewards responsive, mobile-friendly designs in its search results while penalizing unfriendly websites. You want your website to be found on search engines, so responsive design is a must.

2. Reexamine how you organize information on your website.

Another technical but visible aspect of your website is the “information architecture.” That simply means the way that information is organized on your website. For example, the Sophicity sitemap shows how the information is organized and architected on our website. Two common problems with websites include over-organization (where you have many, many different sections and links) or under-organization (where you haven’t really bothered to organize your information except for a few minimal categories).

Jonesboro, Georgia has an excellent information architecture that doesn’t overwhelm or underwhelm. Categories such as Home, Mayor & Council, Departments, Community, Visiting Jonesboro, and Contact Us are useful to website visitors. Plus, there are only a handful of important links underneath each category. Users expect to find information easily on modern websites without having to spend time hunting it down or trying to sift through a ton of information—and users will have an easy time on Jonesboro’s website.

3. Make it easy for people to find contact information and get to a next step.

We’ve written in the past about “calls to action,” which is just a technical term for getting people to interact with your website and do something. Calls to action should be easy to spot and may include paying, signing up for something, clicking on a link, searching for a word or phrase on your website, or following you on social media. Make it easy. People shouldn’t have to struggle while trying to do something specific on your website. That includes finding contact information such as a physical address for city hall, phone numbers, and email addresses of city staff.

4. Maintain credibility with an accurate, quality website.

In 2016, we wrote a post titled “6 Easy to Fix Website Mistakes That Are Making Your City Look Bad.” Those mistakes included broken links, outdated information, misspellings, and poor grammar. You may say these issues don’t matter much, thinking that “hardly anyone” checks out your website.

Would you allow garbage to pile up in wastebaskets, dirt and dust to collect on the floors, and misinformed employees to give the wrong information to people who visited you because “hardly anyone” comes to City Hall? No. That’s because you’re proud of your city and you want to provide excellent service for citizens—whether your city has 100, 1000, or 10,000 citizens.

A website is your online version of City Hall. Taking some time to make that website a welcoming, useful, and (yes) even enjoyable experience is something that will make your city look good to citizens, to people possibly wanting to move to your city, and to businesses wishing to explore cities where they may set up shop or expand.

5. Make sure search engines can find your website.

Earlier this year, we asked “If your website is in the middle of a forest, will anyone hear it?” In other words, when people search for your city on search engines, does your website come up high in the search results? There are many small but important things you can do to ensure that search engines find your website and keep you visible, such as updating your website frequently with useful information or providing links to other resources that also link back to you. If you type your city’s name into a search engine and your website doesn’t show up, look at what does show up. Citizens will likely click on those links rather than your website. Are you comfortable with that?

Applying these few tips as you plan out a website refresh or full redesign will make your website much more useful, friendly, and findable for people. Use this list as an assessment to see where you can improve.

Need some extra help with your website? Reach out to us today.

Tuesday, November 14, 2017
Nathan Eisner, COO

Depending on your state, laws concerning body camera video policy, retention, and open records requests may vary. Last year, we reviewed various state laws and outlined some best practices that would apply no matter where your police department is located.

However, an interesting article from the Kentucky League of Cities (KLC) pointed out some problems that exist when your state law is ambiguous or lacking clear guidance. According to the article:

“...Kentucky is one of the last states to address the need for legislation dealing with when a video recorded with the cameras should be released and who should be able to obtain a copy of the video. The lack of policy could result in fewer departments using the cameras.”

When policies are unclear, assumptions can create liability. As a result, police departments are less likely to use body cameras. Yet, many police departments recognize body cameras as important and it’s probable that a law (such as Kentucky’s House Bill 416) may eventually get passed.

Because we covered best practices in our article last year, there is no need to revisit them here. But, we do want to explore some of the issues and questions raised in the KLC article about body cameras.

1. Clarify body camera video policy to avoid “entertainment.”

In the KLC article, Louisville Police Officer Nick Jilek says, “Unfortunately, in the modern media world the release of body camera footage ends up being passed around social media. Body camera footage should not be used for entertainment purposes, which is what that ends up being, on the nightly news or social media sites.”

Without a clear policy, an open records request may legally expose embarrassing footage to the public. Even if your state lacks clear policies, your city can create body camera video policies around privacy.

2. Define and clarify the scenarios for which footage can be released.

Some states will define when you can release footage. If not, be clear about which situations allow you to release footage and which do not. For example, in Georgia, “The law excludes body camera recordings from public records when they are taken in a place where there is a reasonable expectation of privacy and no criminal investigation is pending.”

3. Define who has the right to view video footage.

Body camera video footage authorization can vary depending on the person requesting it. Is it someone involved in law enforcement? An attorney? A family member of a deceased victim? The media? A citizen? Define rules around who can view what. For example, Arkansas has detailed rules that explain who can see video footage if a police officer is killed in the line of duty.

4. How do you answer time-intensive open records requests?

In the KLC article, Representative Robert Benvenuti (R-Lexington) is quoted as saying, “We cannot create a situation where officers are being pulled off the road to sit for hours and hours editing footage or redacting footage. We need them out on the road, protecting all of us, not sitting behind a desk trying to interpret the Open Records Act.”

However, the reality is that if a law says you must provide the record, then you must provide the record. To prevent the hassle of officers getting tied up in heavy, tedious video editing and redacting, additional staff may have to address this issue. That way, your officers can stay focused on their job while additional staff can help with the video archiving aspects of open records responses.

5. How do you keep costs low?

The KLC article goes on to summarize the thoughts of Campbell County Sheriff Mike Jansen who said “small departments like his worry about the costs. He told lawmakers the expense goes beyond buying the cameras, into storage fees and equipment and hiring additional personnel for editing and answering requests.”

Obviously, storage costs can grow high because of the sheer amount of video footage needing storage. Each police department is different and may require a customized solution that works for them. In some cases, a cloud storage option is best. In other cases, storing data in-house makes more sense. A good option that’s available and popular with cities is video archiving that includes unlimited storage at a fixed cost. That makes it easier to keep costs low and predictable. This solution also forms part of a city’s disaster recovery plan and ensures that video remains available even if a disaster (such as a fire or flooding) hits a city.

Despite the complexity of body camera issues, a well-thought-out plan that accounts for policy and technology can alleviate most of your worries.

Questions about your body camera video policies and technology? Reach out to us today.

Tuesday, November 07, 2017
Dave Mims, CEO

A recent article in CSO Online talked about some confusion between disaster recovery and security recovery. The article’s opening sentences state that “Many enterprises blend their disaster recovery and security recovery plans into a single, neat, easy-to-sip package. But does this approach make sense?” Analyzing the differences between the two, the article goes on to outline why it’s important to separate them out.

If we take a step back, this topic represents a bigger confusion about the holistic nature of IT. Information technology sometimes seems like it’s just about computers, software, networks, bits, and bytes. Best practices, policies, people, and other non-technical aspects of IT are often forgotten or not considered at all, which creates great risk for cities.

Limiting your IT scope will increase risk and liability for your city. Therefore, consider IT like a tripod—and stand firmly upon these three legs to address any real risks you may be overlooking.

1. Proactivity

What’s the easiest way to know if your IT is successful? Proactivity. A reactive IT environment is usually fraught with chaos. There is always a fire to put out, every issue is a severe one, and security risks are wide open. Shifting to a more proactive mindset transforms the way cities operate and work.

Proactive IT involves:

  • Policy: If you need a quick reference, we’ve talked a lot about security policies in past blog posts. Policies should cover vendor contracts and management, network security, wireless security, physical access security, logical access security, disaster recovery, and application controls (such as data input, processing, and output).
  • Processes: IT runs more like a machine when you have documented processes. Processes also reduce errors, decrease security risks, and allow for faster learning curves when new people must administer and use your systems.
  • Technology and Tools: IT professionals should use monitoring software that continually assesses the health of your systems and proactively detects issues that need resolving.

2. Employee Training

No matter how sophisticated your IT systems and how experienced the professionals who oversee them, your employees must use technology properly and protect themselves from constant security attacks. Ongoing training is essential, especially as security threats evolve.

Training should include aspects such as:

  • Spotting email phishing attacks: Email phishing attacks grow more sophisticated as hackers target specific people within cities to steal money or gain access to confidential, sensitive information. Employees need to know the signs of malicious emails and learn how to be skeptical.
  • Avoiding malicious websites: Employees are human. They like to download games, take quizzes, and visit websites that interest them. However, many websites mislead people to get them to download malware, viruses, and ransomware. While browser security can help block some websites, employees need to be trained on what to watch for as they visit webpages on the internet.
  • Social engineering by phone: Today, hackers are leveraging all means to steal and destroy your data for their financial gain, including the phone. A hacker that’s good at social engineering may trick you into thinking they are a city employee. From there, they may gain information they need to steal an employee’s identity or take over an employee’s email account. Employees must follow strict procedures when vetting people over the phone or email to know when it’s appropriate to give information away.

3. Data Backup and Disaster Recovery

The final leg of the tripod prepares you for the worst. In case of an incident, whether it’s a server failure or a tornado that destroys a building, you need the ability to recover your data. Data backup is also crucial for security incidents such as ransomware where a hacker encrypts your data and demands a ransom from you to get it back. Instead of paying the criminal, you are prepared and able to recover your data.

A good data backup and disaster recovery solution includes:

  • Onsite data backup for quick recovery after less impactful events like a server failure.
  • Offsite data backup for worst-case scenario recovery after a major incident like a natural disaster or a massive virus outbreak.
  • Periodic data backup testing to make sure you will be able to recover your data after a disaster. So many cities do not test their data backups, and those backups may fail when you need your data most.
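The third item above, periodic testing, is the one most often skipped, so here is an added example of what an automated restore test can look like. This is illustration code written for this post, not a Sophicity tool: it backs up a constructed sample folder to a tar archive, restores it to a separate location, and verifies every restored file by SHA-256 against a manifest taken from the source before the backup ran. A `tamper` switch simulates a restore that silently lost or corrupted files, which is exactly the failure a backup you never test would hide.

```python
"""Backup restore test: back up, restore elsewhere, verify by checksum.

Added example for this post (not the original's code). All sample data
below is constructed; file names and contents are placeholders.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large records don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> None:
    """Write a gzip-compressed tar of src, keeping its top-level folder name."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, refusing unsafe member paths where supported."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # Python 3.12+ and backports
        except TypeError:  # older interpreters without the filter argument
            tar.extractall(dest)


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Compare the restored tree to the pre-backup manifest."""
    actual = build_manifest(restored_root)
    shared = expected.keys() & actual.keys()
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "corrupted": sorted(k for k in shared if expected[k] != actual[k]),
    }


def restore_test_passes(report: dict) -> bool:
    """A restore test passes only when nothing is missing, extra, or corrupted."""
    return not any(report.values())


def run_restore_test(tamper: bool = False) -> dict:
    """Full round trip on constructed sample data; tamper=True fakes a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "records"
        (src / "permits").mkdir(parents=True)
        (src / "permits" / "2017-10.csv").write_text("permit_id,status\n1001,approved\n")
        (src / "minutes.txt").write_text("Council minutes - constructed sample\n")

        expected = build_manifest(src)          # taken BEFORE the backup runs
        archive = tmp / "records.tar.gz"
        create_backup(src, archive)

        restored = tmp / "restored"
        restored.mkdir()
        restore_backup(archive, restored)
        restored_root = restored / src.name

        if tamper:  # simulate a restore that lost one file and truncated another
            (restored_root / "minutes.txt").write_text("truncated")
            (restored_root / "permits" / "2017-10.csv").unlink()

        return verify_restore(expected, restored_root)


if __name__ == "__main__":
    for mode in (False, True):
        report = run_restore_test(tamper=mode)
        print("tampered" if mode else "clean", "->",
              "PASS" if restore_test_passes(report) else f"FAIL {report}")
```

In practice the manifest would be stored alongside the archive (or in a separate system) when the backup is taken, and the restore would be performed on a machine other than the one being backed up, so that the test also proves the media and the restore procedure work, not just the checksum math.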

Use this post to assess if you’ve got the full IT tripod. If you are missing one or more legs, then you might feel a bit wobbly. Make plans to fix those areas as soon as possible. When you do, you will increase your operational capabilities while decreasing security risks and liability.

Need help building your tripod? Reach out to us today.

Tuesday, October 31, 2017
Sarah Northcutt, Account Manager

It’s still tempting for cities (especially smaller cities) to roll up their sleeves, purchase some software to fill a basic need, and install it themselves. After all, there can’t be much to worry about. You don’t need IT professionals for that, right?

Wrong. As much as we admire a “go get ‘em” attitude, even the “simplest” software improperly installed can open you up to major security risks. As an example, Bitdefender published a recent article that described how lax security settings led to a sophisticated phishing attack against an Office 365 system that tricked users into giving up their usernames and passwords.

As the article warns:

“...this isn’t the case of a hacker forging your email headers to pretend that the messages they are sending are coming from your business’s servers. They really are originating from inside your company’s email system. A compromised business email system. If you don’t act now to harden your defenses and make it difficult for an attacker to breach your Office 365 system via this technique, then you have a ticking time bomb on your hands.”

This warning applies not only to Office 365 but any software that you may attempt to install yourself. Here are some reasons why you need IT professionals to install, configure, and maintain even your most “basic” software.

1. Advanced administrative capabilities help IT professionals smoothly monitor and maintain software.

Today, quality software includes sophisticated administrative management tools that IT professionals understand how to use. For example, email software may include settings that involve storage limits and antispam filters. Document management software may include settings that involve retention schedules or permissions to access files. There are even administrative tools to manage compliance and user activity. All these administrative tools help IT professionals resolve issues, keep your city secure, and make sure you stay compliant with any laws and policies.

2. Security and privacy settings need careful attention.

When non-technical users set up their own software, it’s typical to find that the security settings have been left at their defaults. All too often, we also find that non-technical users have given full access and administrative rights to themselves and other users. This creates great risk, so security settings need to be locked down deliberately.

IT professionals can navigate advanced security settings to help you with:

  • User access and authorization
  • Password management
  • Two-factor or multi-factor authentication
  • Encryption
  • Monitoring suspicious activity
  • Taking specific actions after a security incident

3. Remote access needs careful attention.

Non-technical people often unknowingly give unsecured, open access to their networks through software. Whether your staff uses their own laptops, smartphones, or tablets to access software, danger exists if sensitive or confidential information gets stored on those devices. Suddenly, you’ve increased your risk of a data breach nightmare.

Solutions like a thin client, application streaming, or a VPN along with device and data encryption need to be considered when giving users remote access. These solutions avoid problems related to data leakage or theft while only giving users access to necessary aspects of the software for their work use.

4. Improper software installation and deployment can lead to security issues.

While this may seem the same as the second point above, it goes beyond simply setting up the software. When you install software, you’re installing it on servers and computers that may be unsecured or configured improperly. And when you deploy software, you are activating it within a network of switches, routers, and firewalls that may have security issues. Many variables exist when software interacts with an IT environment. IT professionals are familiar with such complex environments and can avert security issues related to installation and deployment.

5. Failure to patch and update software leaves you open to hackers.

This year, something that used to get treated as a technical, menial task has become part of front-page headlines in mainstream news publications. Why? Failure to patch and update software is at the root of companies losing data to ransomware (such as the WannaCry attack earlier this year) and even at the heart of the Equifax data breach—one of the biggest and most devastating data breaches ever.

Software vendors regularly put out patches and updates but many organizations—including many cities—fail to apply those patches and updates. That failure leads to gaping security holes that hackers exploit. Their attacks lead to data breaches and data loss.

Maybe you could go it alone in the old days of technology, but today you need IT professionals to help you set up your software. Despite your natural technical know-how, there are just too many security risks that a non-technical employee may miss when setting up software.

Need help installing, deploying, monitoring, and maintaining your software? Reach out to us today.

Tuesday, October 24, 2017
Brandon Bell, Network Infrastructure Consultant

In the wake of a natural disaster such as a hurricane, scams are as inevitable as the selfless help offered by generous people. A recent article from GovTech reported on a sharp increase in scams after Hurricane Harvey that led the IRS to issue warnings. According to the article:

[These] criminals often send emails that steer recipients to bogus websites that appear to be affiliated with legitimate charitable causes. These sites frequently mimic the sites of, or use names similar to, legitimate charities, or claim to be affiliated with legitimate charities in order to persuade people to send money or provide personal financial information that can be used to steal identities or financial resources.

This situation reminds us of an ongoing issue that cities must battle all the time: phishing attacks. Today, phishing attacks don’t take place just through email. Criminals also use the phone and social media to get important information from you (like personally identifiable information and even passwords). With that information, they can hack into your accounts, steal identities, or upload viruses and ransomware into your systems.

Employees are at the front lines of these attacks and it’s always good to remind them of ways to spot—and avoid—phishing attacks.

1. If you’re suspicious about an email, then open your browser and go directly to a website instead of clicking on a link.

Let’s say you get an email from a bank and you’re not 100% sure that it’s legitimate. Instead of clicking on the email link, go to the bank’s website directly from your web browser. That way, you will make sure that you are logging into the website legitimately and you can check if the message in the email actually pertains to your account.

Unless it’s extremely obvious that an email is okay, make it a habit to go directly to websites—especially when the information you exchange with them is sensitive. Good examples are banking websites, social media websites, or any websites where you make financial transactions.

2. Question email messages and be skeptical.

We recently published an interview with Stephanie Settles of Paris, Kentucky who successfully detected a whaling attack (an advanced phishing attack where a hacker targets a specific employee, typically a manager or personnel responsible for financial or purchasing decisions, with a sophisticated message to fool them). Her skepticism helped her detect the attack when the supposed city manager’s emails sounded a little off.

Even if an email says that it comes from a person you know, don’t assume it does. Spammers can spoof an email address to make it appear as if it’s coming from a specific person. That’s why examining the email message is so important. Look for misspelled words, broken sentences, irrelevant content, and other red flags. Look at the email address before you reply. Look at the link URL before you click it. And if you have any doubt about an email, contact the person directly to confirm that they sent it.
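The checks in the paragraph above (look at the real address behind the display name, look at where a link actually points before you click) can also be automated as a first-pass filter. The script below is an added example written for this post, not Sophicity's product code: it parses a constructed sample message and flags a display name that borrows a trusted brand while the address domain does not match, link text that shows one website while the `href` points to another, links to bare IP addresses, and links over plain `http`. The trusted-domain list and all addresses and URLs are placeholders.

```python
"""Flag common phishing red flags in an email message.

Added example for this post (not the original's code). The message, the
sender domain, the URLs and TRUSTED_DOMAINS are constructed placeholders.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization really does business with (assumed for the example).
TRUSTED_DOMAINS = {"examplebank.example"}

# Constructed sample: the display name claims a bank, but the address domain
# and the real link target point somewhere else entirely.
SAMPLE_EMAIL = """\
From: "Example Bank Alerts" <alerts@examp1e-bank-login.example>
To: clerk@city.example
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, your statment is ready. Plase review it now:</p>
<a href="http://203.0.113.10/login">https://www.examplebank.example/statements</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _registered_domain(host: str) -> str:
    """Crude registrable domain (last two labels); enough for the illustration."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def inspect_email(raw: str) -> list:
    """Return (code, detail) findings; an empty list means no red flag fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name borrows a trusted brand while the address domain does not match.
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if _registered_domain(sender_domain) not in TRUSTED_DOMAINS:
        squashed = display_name.lower().replace(" ", "")
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in squashed:
                findings.append(("sender_domain_mismatch",
                                 f"name '{display_name}' but address @{sender_domain}"))

    # 2. Inspect each link: shown text vs real target, bare IPs, plain http.
    body_part = msg.get_body(preferencelist=("html",))
    if body_part is not None:
        collector = _LinkCollector()
        collector.feed(body_part.get_content())
        for href, text in collector.links:
            href_host = _host(href)
            if re.match(r"^https?://", text) and _host(text) != href_host:
                findings.append(("link_host_mismatch",
                                 f"shows {_host(text)} but points to {href_host}"))
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
                findings.append(("link_ip_host", f"target is a bare IP: {href_host}"))
            if href.lower().startswith("http://"):
                findings.append(("link_plain_http", href))
    return findings


def finding_codes(raw: str) -> set:
    """Just the set of red-flag codes, handy for a quick pass/fail decision."""
    return {code for code, _ in inspect_email(raw)}


if __name__ == "__main__":
    for code, detail in inspect_email(SAMPLE_EMAIL):
        print(f"[{code}] {detail}")
```

None of these checks proves an email is malicious, and a clean result does not prove it is safe; the point is the same one the paragraph makes for a human reader: compare what the message shows with what it actually is, and confirm with the sender through a channel you already trust when the two disagree.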

3. Don’t download attachments unless you are 100% sure they are from a trusted sender.

Email attachments that your co-workers, friends, and family send you as part of your ongoing communications may be fine. However, remain skeptical by following the recommendations above before you open any attachment, click any link, or reply. In particular, double-check the email address and be on guard for any attachments in emails from organizations or unknown senders. For example, you may receive an email that seems to come from a well-known bank saying your statement is ready to review. A PDF is attached, and the email asks you to download it. You do and...your city is now infected with ransomware.

Be very suspicious about emails that ask you to download attachments. Usually, downloading attachments is not necessary to conduct business with a bank, business, or government agency—and it’s not a best practice for these organizations to send you PDFs, zip files, or other documents to download.

4. Be just as wary about social media.

All the above rules apply to social media such as Twitter, LinkedIn, and Facebook. Spammers and scammers use these platforms successfully to trick people, and their tricks may be harder to spot. On Twitter, spammers will often follow you and Tweet messages with spam links that they want you to click. On Facebook, spammers may post spam messages to your wall or send you direct messages with malicious links. And even on LinkedIn, many people that want to “connect” with you are actually false identities. Once you connect, they will attempt to get you to click on malicious links or attachments.

When you’re on social media, stay focused on communicating your messages, don’t click on links or attachments that strangers send you, and delete posts that seem spammy. Follow these 7 tips to secure your city’s Facebook page.

5. Be just as wary about the phone.

As an IT company, why are we giving a tip about answering phones? It’s because hackers use the phone more and more as part of their phishing efforts. As physical and online security has steadily improved over time, it becomes harder for hackers and spammers to pull off a scam through those areas alone. However, they can trick you into giving up passwords or personal information over the phone and then use that information to hack into your website, servers, or bank accounts.

Obviously, cities must answer calls from everyone as part of their service to citizens. Policies need to be in place that govern what information employees can give out over the phone. Just as you need to authorize people to enter your building or access a server, you need to follow an authorization process if someone asks for sensitive information (such as personnel information, a password, or financial information) over the phone.

Spammers and scammers will attack you from all directions. Your city needs to defend against these attacks with strong security policies, procedures, and technology. It helps to train employees and remind them on a regular basis how to spot the signs of a scam so that your city’s security isn’t jeopardized.

Worried about your ability to prevent scammers from infiltrating your city? Reach out to us today.
