offsite data backup not offsite data backup? The following story offers an
example—and a warning—to cities.
A city was
already backing up its data onsite using an extra server. If the server failed
at city hall, the other one would take over to restore the city’s data.
However, some department heads urged the city to also consider an offsite data
backup plan in case of a major disaster. The city manager researched some
options and brought in a few IT experts to talk about possible solutions.
outside IT experts reinforced and reiterated the idea of creating both an
onsite and offsite data backup plan, the city took a shortcut. The city manager
didn’t like the idea of sending data off to a data center. He viewed it as
unnecessarily expensive. Plus, he wanted control—to “see” the data when he
wished. And so the city nixed the idea of offsite data backup located far away from
As a result,
the city worked around these parameters to build an “offsite” data backup plan.
Working with their local IT vendor, the city set up a backup server in a
building they owned located just down the block from city hall. The city
manager argued that this building was separate from the city hall building and,
thus, “offsite.” If something destroyed city hall, this server would contain
all their data. Problem solved.
Or was it?
One day, a
huge EF3 tornado descended upon the city. With winds upward of 150 miles per hour,
the tornado destroyed many buildings in a swath of downtown. As the city
assessed the damage, they discovered that the tornado destroyed not only city
hall but also all buildings on that block—including the “offsite” building that
stored the city’s backed up data.
data permanently lost, the city found itself at a crippling disadvantage at the
very moment when citizens needed city hall and public safety operating at full
capacity as soon as possible after the disaster. And even beyond the disaster,
the city would have to deal with permanent data loss affecting its operations
for a long, long time.
scenario seem unlikely? That’s what all cities, businesses, organizations, and
people often think...until after the disaster strikes. With increasing numbers
of tornadoes each year in the United States that grow bigger and more
devastating, it’s not unlikely that your city may face this threat—or any other
at the errors in our story and how your city can avoid them.
not mean down the block. It does not even mean two blocks away. True offsite
data backup means many, many miles away. When your data is stored in a
geographic location far away from your city, it’s likelier to be protected from
a localized disaster such as a tornado.
recommend that you send offsite data to at least two data centers (for example,
one on the East Coast and one on the West Coast). It takes some time to set up
the technology and the automated data transference to these data centers. But
once set up, the offsite data backup runs without the city having to do much of
anything. And if a city block is destroyed, your data is safe and accessible
from multiple data centers. Your city can start operating within hours of the
disaster while you are in the process of ordering new servers.
might be cheaper to set up another server in a building down the block. It’s
also cheaper to buy health insurance with high deductibles that don’t cover
serious medical conditions. In each case, the costs are astronomical when a
disaster hits. Cheaper isn’t better and it’s a poor tool to judge a data backup
solution’s ability to mitigate risk.
cost of losing your data? How will your community be impacted if all city records
are lost? That’s the cost you should assess. From there, you can make a better
case for investing in a disaster recovery solution that mitigates risks by
storing data in a geographical location far from your city.
to “see” and be near where your data is stored doesn’t mean it’s more secure. A
server inside your city can lack the most basic security protection and be more
open to hackers than your offsite data backup locked down with the highest
security standards in a data center far away. Focus on security and an ability
to recover from a disaster, not proximity to your data.
this city did not think through the consequences of a disaster. They didn’t think
through scenarios such as a tornado that can affect a wide area. Not prepared
for a probable worst-case scenario, the city found itself completely without
its data or a plan if it lost its data. Instead, it assumed that a disaster
destroying both buildings was so unlikely that they didn’t have to worry.
a disaster recovery plan needs to include proper offsite data backup. We
recommend that any offsite data backup plan considers:
Questions about your offsite data backup and disaster recovery plan? Reach out to us today.
wanted wireless access for guests and employees. Easy, right? The city manager told
a trusted non-technical employee to “make it happen.” Going to the nearest
popular retail electronics store, the employee picked up a wireless router that
seemed to do the trick. The wireless router box said it covers 12 devices, so
the employee picked up two routers to cover the city’s 20 computers.
Back at city
hall, the employee tinkered around until they set up both wireless routers—one
on the first floor and another on the second floor. Following the instructions
to set it up, the employee got it working. People could now hop on a wireless
network with their laptops, smartphones, and tablets.
For a few
weeks, employees enjoyed the perks of wireless. So easy! They didn’t even need
their on-call IT vendor to help set it up. City council loved the internet
access at meetings. Employees could now access their desktop and documents
while meeting in a conference room. Guests could now access the internet. How
One day, a
representative from the state’s bureau of investigation informed the city of a
data breach. An unknown person hacked into the city’s server using a stolen
password and collected sensitive information about taxpayers. That information
appeared on an online black market for sale. Not only must the city now inform
taxpayers that they are at risk for identity theft but the city may also need
to pay for identity theft protection services for hundreds of taxpayers.
This event hit
the city administration like a bolt of lightning. They thought through the
repercussions. Loss of citizen trust. Bad media exposure. Money lost. What
caused the data breach? When they performed an IT audit to figure out what
happened, the answer became obvious.
unsecured wireless router—the one their trusted employee set up “so easily.”
A recent study from Kaspersky Lab
confirms that this situation is all too common. They estimate that about one in
four Wi-Fi hotspots lack even the most basic security. We find that cities
often don’t realize the gaping security holes their wireless routers pose.
at the errors committed in our story.
A city is
not someone’s house. It’s a government entity that conducts important business,
serves citizens, and carries out the law. You need business-class equipment
that includes enterprise-level wireless routers. These kinds of routers are
better equipped to handle the demands and complexity of your city. They will
provide better coverage, security, and scalability as your city grows.
what the back of the box claims on the consumer-grade wireless router, you need
an IT professional to configure this equipment. Just setting it up out of the
box is not good enough and you risk leaving open gaping security holes.
Configuration involves a complex array of settings that only IT professionals
thoroughly understand. They will make sure your wireless router is set up
securely (such as making sure you encrypt information) and restricts who can
access your wireless network (such as from a “guest” network).
we see too many instances of a Wi-Fi hotspot secured with a default administration
password (such as “admin”). With such a weak password, even an amateur hacker
can access your most sensitive city information.
story, the city doesn’t use proactive IT support. If they depend on reactive IT
support, then security breaches could take place and the city wouldn’t know for
weeks or months. With proactive support, IT professionals will monitor your
network environment and make sure it’s patched, secure, upgraded, and healthy.
city’s wireless routers secured? They are one of the most common hacker targets
because 25% of hotspots have pretty much zero security. Unfortunately, that 25%
applies to cities.
haven’t assessed and addressed your wireless security, then it’s just a matter
of time before you’re hit with a data breach. Deal with this problem as soon as
small city with a small public safety department. Budgets are always tight and
so they have used the same server they purchased back in 2003. Plus, both the
police chief and the one-person IT vendor who they call on an hourly as-needed
basis know this server well. They are used to it like the feeling a person gets
when they sit in their favorite comfy chair.
extended support from the hardware vendor ended years ago. That means the
operating system no longer gets security patches and bug fixes on a regular
basis. The as-needed IT person checks the server every now and then for issues and
makes sure nothing really bad happens to it.
that became a harder job as time went on. Even in good times, the police
officers all complained how their computers (which access the server) are so
slow. The server froze a lot and the police chief often reset it. When the
problems got really bad, they called the IT person who would inevitably fiddle
around with the server until it started working again. The billable hours for
this IT person kept increasing month by month, but the police chief thought,
“It’s probably still cheaper than getting a new server.”
One day, the
server just...stopped working. The police chief called the IT person and
assumed the usual fiddling would get it back up. Well, the IT person fiddled...and
fiddled...and fiddled. Nothing. The server became as useless as a stone.
worry,” said the police chief. “We back up to an external hard drive every day.
Or at least mostly every day.” The IT person tried to recover the server’s data
but found that the files were incomplete and some were corrupted. The backup wouldn’t
As the IT
person told the police chief that the data was lost, for good, a sinking
feeling entered his stomach. Now, his job—and the public’s safety—was
completely at risk. Lost evidence and records, risks to active investigations,
responding to citizen and press requests, and what would happen if
a lawyer called were only a few of the things that came to his mind as he
envisioned the horror of the next few weeks and months.
chief’s approach to using and maintaining a server offers up several lessons to
help you avoid this nightmare. Use this story and the following error checklist
to see if you’re headed for a disaster related to server failure.
skirt by in life using a 2003 car. But your city flirts with significant danger
by using a 2003 server. In this story, the public safety server is so old that
the vendor doesn’t even support it anymore. That means it can’t be
professionally fixed, secured, or updated. It’s not a matter of “if” it will break
down, but “when.” And “when” can be any day if it’s over five years old. Your
city needs to budget for and replace server hardware every 3-5 years.
to get by. In this story, that’s the attitude the public safety department
takes toward the server that holds its most important data. At home, do you handle
an ant infestation just enough to get by? “Hey, there’s only a dozen ants
crawling in my bed tonight. That’s good enough.” Of course not. Through many
methods from cleanliness to spraying, you proactively prevent ants from
entering your home.
By just band-aiding
the server when it acts up, the public safety department is always barely
warding off an inevitable disaster (and racking up unpredictable billable hours).
Instead, all servers need to be managed, monitored, patched, and later upgraded
when they reach end-of-life. Proactive IT maintenance will also alert you if a
server is showing signs that it is likely to fail—preventing a
disaster before it happens.
Why do you
use technology in the first place? To help you perform your job better. If a
car can’t get you to work, it’s not much use. If a server interferes rather
than helps with work, then it’s not much use. Slow computers, frequent memory
and storage limits, and an inability to use modern applications are all signs
that your equipment needs replacing before it fails.
worst-case scenario, the server fails and your data is lost. Data backups can
fail for many reasons. The city in our story did not test their data backups and assumed they
were working. Even if a city does cling to an old server that’s soon to fail,
they need to back up and test the backup on a regular basis to ensure that they
can recover the data in case of a failure.
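A restore test along the lines described above, as an added example that is not from the original post: a manifest of file sizes and SHA-256 hashes is written at backup time, and a test restore is later checked against it, so the check still works when the original server is gone. The function names, file names, and sample data are constructed for illustration.

```python
"""Backup restore test: check restored files against a manifest written at backup time."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its size and SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def write_manifest(source_root, manifest_path):
    """Run at backup time and store the manifest alongside the backup copies."""
    manifest = build_manifest(source_root)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(manifest_path, restored_root):
    """Run after a test restore. Needs only the manifest, not the original server."""
    expected = json.loads(Path(manifest_path).read_text())
    actual = build_manifest(restored_root)
    report = {"ok": [], "missing": [], "incomplete": [], "corrupted": [], "unexpected": []}
    for rel, want in expected.items():
        got = actual.get(rel)
        if got is None:
            report["missing"].append(rel)
        elif got["size"] != want["size"]:
            report["incomplete"].append(rel)   # truncated or partially written
        elif got["sha256"] != want["sha256"]:
            report["corrupted"].append(rel)    # same length, different bytes
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(actual) - set(expected))
    report["restorable"] = not (
        report["missing"] or report["incomplete"] or report["corrupted"]
    )
    return report


def run_demo():
    """Constructed sample data: a 'server' directory and a damaged test restore."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "server")
        restored = Path(tmp, "restore_test")
        (source / "records").mkdir(parents=True)
        (restored / "records").mkdir(parents=True)
        files = {
            "records/case_0001.txt": b"incident report body\n" * 50,
            "records/case_0002.txt": b"evidence log entry\n" * 50,
            "records/roster.csv": b"name,badge\nexample,0000\n",
            "budget.csv": b"line,amount\nservers,0\n",
        }
        for rel, data in files.items():
            (source / rel).write_bytes(data)
        manifest_path = Path(tmp, "manifest.json")
        write_manifest(source, manifest_path)

        # Simulated bad restore: one intact, one truncated, one bit-flipped, one absent.
        (restored / "budget.csv").write_bytes(files["budget.csv"])
        (restored / "records/case_0001.txt").write_bytes(
            files["records/case_0001.txt"][:100]
        )
        flipped = bytearray(files["records/case_0002.txt"])
        flipped[10] ^= 0x01
        (restored / "records/case_0002.txt").write_bytes(bytes(flipped))
        return verify_restore(manifest_path, restored)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Restore into a scratch location for the test, never over live data, and treat any entry under `missing`, `incomplete`, or `corrupted` as a failed backup.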
For a variety of reasons, sticking with an old server until it dies is not wise. Information security risks, slowed productivity, wasted billable hours, and lost data are only a few of the pitfalls. Modernize your technology and switch to a proactive IT support vendor to ensure that your servers don’t just fail one day and cripple your city.
a city employee who works in the finance department opens their email in the
morning. As they check their email, they see one message that seems to come
from the city manager. Without thinking, the employee clicks on a zip file
attachment assuming that it’s an important set of documents related to a
meeting that day.
employee is not technically savvy, so they are not too alarmed when they see
something downloading onto their computer. A window pops up that says to accept
something. The employee clicks “yes.”
seconds, a chill goes down their spine. Something is wrong. Multiple pop-up
windows appear on the person’s computer screen and a new program seems to be
running in the background. The employee tells their supervisor, and the supervisor
places a call to their reactive IT support vendor who says they might be able
to stop by tomorrow.
A day passes
while the employee manages to continue doing work that involves accessing
software on the city’s financial server. But the employee’s computer continues
to slow to a crawl until they can’t use it anymore. The city manager persuades
their IT vendor to send someone over today instead of tomorrow.
A junior IT
support person arrives and pokes around on the employee’s computer. “Yep,
there’s a problem,” they confirm. Figuring it’s a virus, they restart the
computer and go into “safe mode” to try to eliminate the virus. Plugging into
the financial server to make sure it’s working properly, the junior IT support
person now gets a chill down their spine.
access any data on the financial server because it’s also infected with the
ensues. The junior IT support person calls a senior IT support person. By then,
it’s too late. Both the server and the employee’s computer had not been patched
in a while, and so many recent security patches had not been applied. Plus, the
city runs a free version of some antivirus software that’s only updated when
the IT vendor sends someone on site.
goodness there’s a data backup of the server,” says the city manager. But when
the IT support vendor tries to restore the financial data from the
backup...that backup doesn’t work. At all. “But we’ve been backing it up
manually at least once a week,” says the city manager.
tested the backup?” asks the senior IT support person.
the city manager. Everyone now realizes a nightmare scenario became real. The
city’s financial data is lost. Permanently.
variation of this story is all too common for many cities. The good news?
Cities can easily prevent a devastating virus attack by addressing some of the
errors committed in this story.
reference in the story to free antivirus software? Many cities try to save
money by installing a free, consumer-grade version of antivirus software on
computers. This is a mistake because consumer-grade antivirus software is not
sophisticated enough to protect city data at the server level. That usually
leaves servers unprotected and computers reliant on employees making the
support people in our story weren’t getting paid to do ongoing, proactive IT
support. Thus, they only updated the antivirus software when the city called on
them for an onsite visit. Plus, it appeared that they did not have a process in
place for regularly updating the antivirus software and testing the city’s data
backups. Experienced IT professionals need to regularly audit antivirus
software to confirm that it’s installed on every machine and that virus
definitions (which help detect nearly all known viruses) are up to date.
have thought we’d mention this error first. However, your employees cannot be
the front line for preventing viruses. We all occasionally make mistakes by
clicking on a malicious email attachment or website. That’s why you need a
strong foundation in place—business class antivirus software, regularly tested
data backups, and proactive IT support—to stop as many viruses as possible from
activating. And even if an employee clicks on something malicious, you need to be able to recover from a virus that has been activated.
virus can still get through strong defenses, employee training is a must.
Train your city staff about common sources of viruses such as email
attachments, websites, online software, and games. With training, you can make
your employees more aware of online threats that are easy to avoid if they
know how to spot them.
Before you start reading this post, take our short password
If you said “yes” to any of these questions (or feel as a
supervisor that your employees would answer “yes”), then you’ve got a security
risk on your hands.
Why? First, simple passwords are easier to crack. Nowadays,
even inexperienced hackers have access to automated password cracking software.
This software can easily crack short, common, and simply constructed passwords
Second, writing down or sharing passwords with co-workers
may give others unauthorized access to data and applications. What if a
disgruntled employee sees your password on your desk? What if someone you think
is a trusted employee uses the password you share with them to gain access to unauthorized
Finally, even saving passwords on your web browser (like you
do at home) is not wise when working for a city. All it takes is an
unauthorized person to sit at your computer or a hacker to gain access to your
device to access sensitive information on applications that you use.
So, what do you and your employees need to do? Implementing
the following best practices will help plug these security gaps.
This is an easy security tip
but you need to make sure employees follow it. If they have trouble remembering
their passwords, then suggest they write them down on a piece of paper and keep
it in their wallet or purse—like how they protect their driver’s license,
credit cards, and money from public view.
Many employees often use passwords on their
desktop computers but it’s easy to forget to set up a password on laptops,
tablets, and smartphones. It is perhaps even easier to steal information from
mobile devices. A thief or disgruntled employee can steal a smartphone in
seconds and quickly gain unauthorized access to city email and applications.
Protect all devices with passwords.
Instead, use strong passwords such as long
passphrases (like “The brown fox is 2fast!”) or complex passwords consisting of
a mix of letters, numbers, and special characters. Strong passwords go a long
way toward preventing hackers from getting into city applications. And if your
password is one of the top 25 worst passwords below (according to Splashdata),
change it NOW!
You may do this at home so that you can easily stay logged
into your favorite websites and applications. However, you don’t want to do
this at your city. If someone gets access to your device, then they can gain
access to unauthorized information without even needing to crack a password.
Enforce a policy at your city that employees cannot save passwords on even
their most frequently used applications.
Yes, this annoys employees but it helps with security. The
longer a password is in use, the more likely that hackers will be able to crack
it. The more you change passwords, the more difficult you make a hacker’s job.
We know—another annoyance! But
think about it. Let’s say an employee uses the same password for five different
software applications that give access to confidential information at your
city. If a hacker or disgruntled employee gets one password, then they have
access to all five applications. Mitigate the chance of a data breach by
requiring different passwords for each application.
Cybersecurity continues to evolve. In the future, passwords
may go away and get replaced by different forms of authentication. But in the
meantime, passwords are here to stay and they often represent a gaping security
hole for hackers. By following the best practices outlined above, you will make
your city’s cybersecurity much stronger.
tree in the proverbial forest that no one hears when it falls, do you think
that anyone “hears” your city website in a forest of internet information? In
many cases, probably not. That’s unfortunate because city websites already have
a few advantages that other businesses and organizations would love to have.
city websites seem nonexistent and disappear on the internet when people search
for them. Remember that most people will look for your website on a search
engine such as Google or Bing. To show up on the first page of search results,
your website must follow a few best practices and show constant activity to
prove to these search engines that your website is trusted, useful, and
How can your
city website emerge from the internet forest? Here are a few tips.
are a city, many organizations want to link to your website. If people are
researching city-related information on another website, then you want your
city’s website listed there to help people find you. Examples of websites where
you want your city’s website listed are:
isn’t a self-service feature to upload your own website link, then reach out to
the organization and ask if you can provide a link to your city’s website. Many
of these organizations will be more than happy to oblige. Make sure you focus
on reputable websites. Don’t reach out to sketchy, suspicious, or little-used websites
and online directories that may harm rather than help you.
Twitter. YouTube. Use them if you can. Many of your citizens and other people
interested in your city use these social media sites all the time. Share timely
information such as emergency alerts, news, press releases, events, and photos.
Any urgent or newsworthy information will be useful to people and they are
likely to share it.
share your links on social media, it helps your website feature more
prominently on search engines. Don’t be afraid to ask people to share posts on
social media by including a “call to action” (such as “Tell a friend!”).
advantage for cities is that they are automatically of interest to media. When
newspapers, magazines, and industry publications report on news or write up
stories about you, make sure you provide your website link for them to feature
on their websites. Media outlets are usually highly reputable sources on the
internet. When reputable media publications link to your website, the search
engines will see it as a sign to display your website higher up in search
links, you must give links. If there are pages on your website where it would
be useful to provide links to other websites, then do it. For example, you
might provide links to tourist attractions or websites that help people find
jobs. Linking to another organization’s website makes it more likely that they
will reciprocate and link back to you. However, don’t abuse the sharing of
links. Make sure each link provides useful information to people.
engines don’t like dead or stagnant websites. Those kinds of websites disappear
in search results. That’s because Google or Bing considers those websites as
not useful or vital—rather like an abandoned house. If you want people to find
and link to your website, then you need to provide a stream of timely, useful
content for people. That can help supply your social media feeds with new
information and keeps people coming back to your website in anticipation of new
these five tips and you will begin to see your city’s website rise in
visibility on search engines, social media, and other organizations’ websites.
This process can take a while but the steady investment of time is worth it.
After all, you want your website to be seen. These tips will help you make it
In Part One, we talked about warning signs such as lack of data backup, aging hardware, and non-technical staff handling IT issues. In Part Two, we discuss five more warning signs that may lead your city toward a disaster.
One of the most overlooked security risks is simply not
knowing the total amount of hardware and software you own. And even if you do
know that you own something, you may not know where it’s located. You can only
secure what you can locate.
Disaster: On a
two-year-old spreadsheet that lists 20 laptops, you can only track down the
location of 17. You had not updated this spreadsheet in a while and you are not
sure if a former employee walked off with the laptops. Because the laptops
contained sensitive information, you may have a potential data breach on your
of asset management includes monitoring and maintaining any “live” hardware,
software, and networking equipment. If you’re not using an asset anymore, then
it needs to be decommissioned by an IT professional. Asset management also
includes technology-related warranties, licenses, and upgrades.
Imagine someone arrived at your house every week to make
continual bare bones fixes to your roof, floors, or plumbing. You barely keep
leaks, pests, and the outside elements at bay. Would you consider that a proper
home? Instead, if a major problem occurs then you likely eliminate it once and
for all by addressing the root cause. Yet, many cities put up with reactive IT
support that never fixes the root cause of serious problems.
After a lot of publicity, you offer a new payment system on your city’s website
for citizens. Within weeks of its debut, the website continually crashes. For
months and months, your reactive IT support vendor makes temporary fixes but
the root problem keeps occurring. Citizens grow frustrated and complain to city
council about wasted taxpayer dollars going to online services that don’t work.
Ongoing, proactive IT support not only more quickly addresses technology issues
but it also involves IT professionals implementing modern technology and best
practices to eliminate issues before they occur. In the case of our website
example, a proactive IT support team might upgrade an aging website or revisit
what vendor hosts the website.
Network hardware helps ensure that your technology is
secure, connects you to the Internet, and ties together technology between various
city buildings and departments. When IT professionals don’t oversee the setup
of firewalls, switches, routers, and other networking equipment, then you can
open yourself up to major security threats.
non-technical city employee buys a firewall and sets it up. While the employee
has a bit of amateur technology savviness, they improperly configure the firewall.
Ports are open that allow hackers to easily gain access to city servers and
Trained IT professionals need to configure all network hardware so that it
works properly and keeps you secure. Then they need to monitor, maintain,
upgrade, and replace network hardware as part of your ongoing technology
While related to the reactive IT support point above, this
problem still often appears even when some “proactive” IT vendors serve cities.
Technology monitoring and maintaining includes patching, upgrading, and threat
employee keeps complaining that their computer has gotten slower and slower and
slower over a period of six months. The IT vendor checks some type of
diagnostics and says things look fine. They even suggest that the Internet
service provider might be having issues. One day, the employee clicks on a
malicious website by accident and gets a virus that leads to a data breach.
After a virus cleanup and audit, an IT professional notices that the computer
had not been patched in six months—including various important security patches
that would have prevented the virus from being accessed or downloaded.
Ongoing patching, upgrading, and threat monitoring allow IT professionals to
detect anomalies and address problems before they become disruptions. Keeping
technology updated often fixes major security and functionality issues.
Servers in offices where anyone can wander in. Computers
left on so anyone can sit down and access sensitive information. Wireless
routers left out in the open. These are signs of weak physical security for
technology. Physical security is often overlooked in favor of information security, but data breaches
related to physical security are just as important to prevent.
After hours, a disgruntled employee sits down at another employee’s computer to
steal confidential personnel information about staff on the city’s payroll. The
data breach is later deduced through security camera footage.
recently talked at length about physical security policies. At a high level, you need to lock up core
technology (such as servers and networking equipment) in secure rooms, escort
any visitors, and require employee computers to lock after a few minutes and
request a password to log back in.
Use these 10 warning signs (including those from Part One) as a self-assessment to see if
you’re headed for a disaster. If you notice any weak points, don’t wait to fix
them. Waiting until a technology disaster strikes is like leaving your door unlocked at
home or going without car insurance. The costs of a technology-related disaster
at a city can seriously harm your operations, employees, citizens, and bottom
until a disruption or disaster should not be the moment when you take action.
Think about how you act proactively when dealing with many aspects of your life.
technology at a city often gets treated like a beater car you’re driving into
the ground, a person never exercising and eating whatever they want, or a house
that you just let decay and rot over time with minimal upkeep. Why?
times, we see cities only take action when a disruption or disaster hits.
That’s way, way too late. Let’s look at some scenarios that might strike a
chord with your city. If any of these scenarios speak to you, then you need to
If you have
data backup and you’re not regularly testing it, then you may be in for a
Disaster: Your city has some kind of data
backup process but rarely or never tests it. A server fails containing all of
your financial data. You grab your tape, external hard drive, or other form of
data backup and attempt to restore the data. It doesn’t work. It’s gone.
Prevention: Every city needs a combination of
both onsite and offsite data backup to recover from both small events (like a
server failure) and bigger disasters (like a tornado). Then you need real-time
monitoring to identify issues and (at a minimum) test your data backup quarterly.
cities still find themselves in situations where a third party webmaster is the
only person with knowledge about the city’s website hosting. Another common
situation is when the city surprisingly learns the vendor is no longer
available or not even there.
Disaster: A webmaster gets angry at the city
and holds the website hosting information hostage. The city cannot access its
website on the back end to make changes or regain administrative control. In
this situation, the angry webmaster could even shut the website down.
Prevention: IT professionals can help cities
acquire and manage a city domain name, set up website hosting with a reputable
service provider, and give administrative access to authorized city staff to
avoid “hostage” situations.
long-lasting physical assets, technology assets often have relatively short
lifespans. Hardware and software often need replacing every three to five
years because it gets old and outdated, is no longer supported by the vendor, and
Disaster: A 15-year-old server critical to
running city operations fails (such as your accounting and financial system).
Prevention: Cities need to follow a hardware
and software lifecycle management policy that mandates modernizing technology
(such as upgrading servers at least every five years).
consumer-grade antivirus software isn’t adequate for protecting a city. Plus,
it’s often “maintained” by individual employees who don’t keep the software
up-to-date on their computers.
Disaster: An employee clicks on an email
attachment that seems like it comes from their boss. Because the antivirus
software hasn’t been updated for a few months, the email attachment initiates a
virus that gives a hacker access to sensitive city information. A massive data
Prevention: Cities need enterprise-grade
antivirus software that’s monitored and maintained by IT professionals. This
ensures that it’s always up-to-date and preventing as many virus threats as
As a way for
cities to save money and quickly handle operational items, non-technical
employees sometimes step in to handle IT problems. But that lack of expertise
makes their actions risky and dangerous—even if they have good intentions.
Disaster: A non-technical employee sets up a
wireless router incorrectly. Through the security holes in the router, a major
data breach ensues when hackers are able to access confidential information on
the city’s network.
Prevention: Trained IT professionals need to
handle the intricacies of technology—from data backup to configuring hardware
such as a wireless router. Just because you can buy consumer-grade equipment
from a retail store doesn’t mean that it’s appropriate for your city.
In Part 2,
we’ll talk about five more disasters that are waiting to happen. If you feel
vulnerable and you don’t want to wait to fix these vulnerabilities, then reach out to us today.
your city relies on applications to perform various jobs. Your employees may
use basic applications such as a web browser or a word processor to perform
common tasks. Other people with more specific duties may use specialized
applications such as accounting software or a records management system.
what kind of application you use, the security of that application must be rock
solid to avoid a data breach. Never simply assume an out-of-the-box application
is secure or that a software vendor has made the right security choices for you.
While application security is a complex topic, we present five important areas
that your city must consider with its policies.
even includes what your software application vendors may access. Just because
they sold you accounting software doesn’t mean that the vendor’s employees can
look at all of your city’s payroll data. Work with your IT staff or vendor to
oversee user access and authorization—including for third party vendors and
necessary, you need applications to encrypt data. Even a basic web browser
should encrypt web pages containing sensitive information. When creating
documents and reports (such as PDFs), an application should allow you to encrypt
particularly sensitive information so that unauthorized users cannot read it.
And of course, any sophisticated application dealing with financial, public
safety, or other sensitive and confidential data needs encryption.
A chain is
only as strong as its weakest link—and that is true of applications. It doesn’t
matter if your financial application’s security is airtight. If it’s connected
to another application within your city or to a third party application, then
security holes within those other applications increase the risk of a data
breach for your application. Make sure your IT staff or vendor assesses where
your applications are connecting and ensures that your information is treated
with the same care when it’s exchanged with another party.
a citizen getting access to an application through your website or an
entry-level employee accessing basic information to do their job, those people should
not be able to destroy or disrupt applications. For example, let’s say an
employee accesses a part of your document management system to “view” the
employee handbook to see information about paid time off or sick leave. Since
they only have “view” rights and privileges, they should not be able to delete or
make changes to the document such as increasing the city's paid time off or sick leave policies. Only
the person with “edit” (or greater) rights should be allowed to alter the
document. And only trained IT professionals and software vendors with
authorization should be able to access the “guts” of your applications to
configure and administer them.
Many of your
applications not only store sensitive data but also help run your city
operations. First, you need a plan to back up your data so that it’s not
forever lost. You can accomplish that through a data backup plan that includes
both onsite data backup (for quick time to recovery after an onsite incident)
and offsite data backup (for disaster recovery). Second, and just as important,
is your business continuity. Some applications—such as your public safety
software or city’s website—may serve such a critical role that you need them up
and running within minutes or hours after an outage. Your application security
policy needs to outline the minimum length of an outage for each application
and a plan for restoring functionality in case of a disaster.
applications often form the lifeblood of a city. Many operational activities
and citizen services are conducted through applications. Because they store and
share such sensitive data, you need to protect those applications. Strengthen
the five areas we discussed above and document your high standards in an
application security policy for your city.
about your application security? Reach
out to us today.
most cities use a form of software for accounting activities. But imagine if your
entire city accounting system is run on a bunch of simple electronic
spreadsheets. You open one up and start entering data. What could go wrong?
just thought about many things.
goodness you have that accounting software instead of a bunch of spreadsheets.
Yet, the Arkansas Division of Legislative Audit reports that “data integrity”
is the number one information security issue they found in the audits they
performed. They define data integrity as the “ability of employees to change
receipt or disbursement information after issuance or to edit or delete records
without proper approval.”
despite using software in many cases, cities still struggle with data integrity
issues like the ones that could happen in a simple spreadsheet. Let’s look at a
few ways to assess, fix, and overcome some common data integrity issues.
state requires an audit or not, it’s helpful to audit your financial systems to
identify data integrity issues. An experienced third party can evaluate overall
processes and issues with who may input, change, and delete data. On a technical
level, the auditor should also look at the underlying rules, code, and logic
that allow for data input.
something will come up in the audit that needs fixing. You may also find that
the auditor recommends modernizing with a new system (especially if an older
system lacks appropriate data integrity measures). Arkansas doesn’t mince words
when it says, “We recommend that application users work with the application
vendor to modify the software to include the data input edits that would
eliminate vulnerabilities.” Whichever route you go, work with experienced IT
professionals and application vendors to oversee any fixes, changes, or implementations
of new applications.
fixing your current application or using a new application, you want to ensure
that it has the proper controls and processes in place to prevent the chance of
data input errors or fraud. For example, once paychecks go out, an employee
shouldn’t be able to change payroll data after the fact or delete the record of
transaction—such as issuing a payment or deleting a record—must require a
higher-level access to accomplish. Too many systems allow any employee at any
authorization level to make changes. That increases the chance of major errors
and increases the risk for fraud. Exceptions will happen, but those exceptions
need to be inputted by authorized people with higher-level access and logged.
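A sketch of these controls in code, as an added example that is not from the original article or from any accounting product: a payroll record can be corrected freely while it is a draft, but once issued it can only be amended or voided by a higher-level role with a stated reason, nothing is erased, and every attempt is logged. The roles `clerk` and `supervisor`, the record id, the names and the amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

LEVEL = {"clerk": 1, "supervisor": 2}  # hypothetical roles, lowest to highest
class Denied(Exception): pass          # a change refused by an integrity rule

@dataclass
class PayrollLedger:
    records: dict = field(default_factory=dict)  # id -> amount, state, history
    audit: list = field(default_factory=list)    # append-only log of every attempt

    def _gate(self, ok, why, user, role, action, rec_id):
        # Log first, then enforce, so refused attempts also leave a trace.
        self.audit.append((user, role, action, rec_id, "allowed" if ok else "denied"))
        if not ok:
            raise Denied(why)

    def enter(self, user, role, rec_id, amount):
        ok = rec_id not in self.records and amount > 0
        self._gate(ok, "duplicate id or bad amount", user, role, "enter", rec_id)
        self.records[rec_id] = {"amount": amount, "state": "draft", "history": []}

    def issue(self, user, role, rec_id):
        ok = self.records[rec_id]["state"] == "draft" and LEVEL[role] >= LEVEL["supervisor"]
        self._gate(ok, "issuing needs a supervisor", user, role, "issue", rec_id)
        self.records[rec_id]["state"] = "issued"

    def change(self, user, role, rec_id, amount=None, reason=""):
        # amount=None voids the record. Drafts may be amended freely; issued records,
        # and every void, need a higher-level role plus a reason. Old values are kept.
        rec = self.records[rec_id]
        action = "void" if amount is None else "amend"
        elevated = LEVEL[role] >= LEVEL["supervisor"] and bool(reason.strip())
        ok = rec["state"] != "void" and (elevated or (rec["state"] == "draft" and amount is not None))
        self._gate(ok, action + " needs supervisor and reason", user, role, action, rec_id)
        rec["history"].append((rec["amount"], rec["state"], user, reason))
        rec.update({"state": "void"} if amount is None else {"amount": amount})

def demo():  # constructed walk-through of one paycheck record
    led, out = PayrollLedger(), []
    led.enter("alice", "clerk", "CHK-1001", 1840.22)
    led.issue("bob", "supervisor", "CHK-1001")
    for args in (("alice", "clerk", "CHK-1001", 2840.22),          # edit after issuance
                 ("alice", "clerk", "CHK-1001", None, "mistake"),  # delete after issuance
                 ("bob", "supervisor", "CHK-1001", 1850.22, "rate fix")):
        try:
            led.change(*args)
            out.append("ok")
        except Denied as exc:
            out.append(str(exc))
    return led, out
```

Because the log entry is written before the rule is enforced, the two refused attempts by the clerk appear in `audit` alongside the supervisor's approved correction.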
day-to-day data input risks lower data integrity if fields aren’t set up and
restricted in appropriate ways. For example, in a payroll application you may
reduce errors if:
integrity is an overlooked area of security. You’re typically on the lookout
for hackers and data breaches, but a lack of data integrity—missing
information, no controls over data, and making it easy to change or delete
data—can sneak up on you and lead to serious problems. Don’t wait until an
audit to find these issues. Address them by taking a hard look at your current
applications with a trained third party and fix any issues that you find.
this three-part series about application policy and security addresses input, processing, and output. You can
use these three articles as a checklist to see if you’re matching up to data
security best practices.
about data integrity? Reach out to us today.
© 2009-2017 Mimsware Corporation, all rights reserved. Sophicity®, “We put the IT in City”, and the Sophicity logo are registered trademarks of Mimsware Corporation d/b/a Sophicity.