We put the IT in city®

CitySmart Blog

Tuesday, October 17, 2017
Ryan Warrick, Network Infrastructure Consultant

Today, all of government—including local government—is a target for hackers. Wired recently reported the results of a study done by SecurityScorecard that ranked government 16 out of 18 industries for cybersecurity. According to Wired:

The analysis of 552 local, state, and federal organizations [...] found that the government particularly lags on replacing outdated software, patching current software, individual endpoint defense (particularly when it comes to exposed Internet of Things devices), and IP address reputation...

In this post, we want to focus on modernizing and patching software. These two items were the reason that the WannaCry ransomware virus devastated so many organizations earlier this year.

If patching could prevent so many hacking attempts, then why don’t organizations (including local government) do it more often? According to a Computer Weekly article, patching is viewed as too costly and resource-intensive:

For those organizations where patch management is currently ad hoc at best, developing a policy and framework may seem like another cost that they can do without. However, continuing with ad hoc patching, as and when time and resourcing allows, is wholly inadequate if the organization is to be protected from threats exploiting known vulnerabilities.

The risks and dangers from failing to proactively manage technology patches and updates are simply too great to ignore. Here are five major reasons you need to patch.

1. Information Security

First and foremost, patch to shore up security flaws that are inevitable in any software. Vendors release patches when they discover security flaws and vulnerabilities in their software that hackers can exploit. Without patching, you are more susceptible to viruses, malware, hackers, ransomware, malicious websites, and malicious email attachments.

When discussing WannaCry back in April 2017, we said:

Microsoft released a Windows security patch in March 2017 that prevented WannaCry from affecting an organization. According to CNN, “The ransomware is spread by taking advantage of a Windows vulnerability that Microsoft (MSFT, Tech30) released a security patch for in March. But computers and networks that hadn't updated their systems were still at risk.”

Without applying basic, routine patches, you’re increasing the risk of getting hit by the next major cyberattack.

2. System Stability

Patches also help fix bugs and issues that can affect productivity. Like maintaining a car, software needs tuning and repair. Patches help keep your technology “car” in good driving shape. Otherwise, you may notice your systems slow down to a crawl, crash, or be visited by the blue screen of death. In some cases, not applying patches can actually damage your software configuration and/or data, ruining your investment and interfering with employee productivity.

3. Software Performance

In addition to helping your software simply function, patching also leads to new features and improved performance. Especially today, software vendors continually add updates, features, and functionality that help make your work easier. For example, your word processing software might add features like autosaving or collaborative editing that would assist you in your day-to-day work.

4. Threat of Data Loss

When software breaks, malfunctions, or gets hacked, you risk data loss. Not patching threatens access to valuable data that—without proper data backup and disaster recovery—may get permanently lost. This is especially a risk when you use outdated software that’s not supported any longer by the original software vendor. It’s not unusual to see cities using software that is 8-10 (or more) years old and hasn’t been supported by the software vendor for a long time.

In addition, even having a data backup and disaster recovery solution in place may not work effectively with older, unpatched software. That’s why modernizing and regularly patching software also affects your data backup and disaster recovery strategy.

5. Compliance

If the above four reasons don’t convince you, then compliance should. Plenty of existing and proposed federal and state laws are requiring cities to follow basic cyber hygiene—including patching—to protect sensitive and confidential information. While citizens can choose to share information with businesses, they don’t have any choice about sharing information with cities. As a result, cities absolutely cannot be lax in their protection of that information. Otherwise, lawsuits, public outrage and embarrassment, job termination, and other consequences are possible results from such poor cyber hygiene practices.

While seemingly extremely tactical, patching is a part of compliance as cities make sure they are securing and protecting the information of citizens. As we noted in a recent post:

Federal and state compliance is getting serious. In May 2017, the President signed a cybersecurity executive order requiring departments and agencies to follow the same cybersecurity standards and best practices placed upon the private sector. And Arkansas signed SB138 into law in March 2017. Arkansas cities can now lose their charter from noncompliance with IT-related accounting practices.


To protect your city, you need IT support that helps you guard against cyberattacks by keeping your computers patched, protected, and healthy. Otherwise, you introduce a great deal of risk to your city that can lead to some dangerous consequences.

Are you patching regularly? Are you struggling with the budget and resources to handle this task? Reach out to us today.

Tuesday, October 10, 2017
Dave Mims, CEO

Beginning as a city built up around the SAM (Savannah, Americus, Montgomery) railroad line in 1891, Lyons has grown into a bustling part of the Vidalia Micropolitan Statistical Area while also serving as the county seat for Toombs County. Today, this family- and business-friendly city boasts an award-winning downtown with plenty of events, restaurants, shopping, and entertainment that attracts people from all over the South.

As Lyons continues to grow and serve citizens, its technology backbone needs to support all these efforts. Yet, the city began to reassess its technology costs and support structure—suspecting that it may have been paying too much to too many vendors for uncertain results.

Challenge

In 2015, the City of Lyons began a study to examine its technology costs. At the end of the study, the city uncovered two important insights:

  • Too many vendors: The city had many different vendors that all played some part in managing and overseeing its IT infrastructure. Roles such as troubleshooting, backup and recovery, document management, email, web hosting, telecom auditing, and product management were all split up among these different vendors. Plus, the city also paid three ISP companies each month for various services.
  • Liability risks: The city lacked proper document management and vendor management and, in some cases, did not meet federal or state compliance regulations. For example, the city’s email component was not compliant with open records and security laws. These deficiencies left the City open to liability claims and lawsuits on top of the day-to-day struggles that Lyons encountered with lackluster support from vendors.

It was clear that Lyons needed to make a choice about its technology future. While hiring a full-time IT person seemed tempting, the city’s size, budget, and staffing model did not allow for this option. Instead, the city reached out to vendors that could provide IT services that addressed the city’s challenges.

Solution

After evaluating many vendors, the City of Lyons eventually chose Georgia Municipal Association’s “IT in a Box” service and began working with Sophicity in January 2016. According to Jason Hall, City Manager of Lyons, “What impressed us most with Sophicity was the fact that they seemed to understand more than the others how a city functioned.”

By using GMA’s IT in a Box service, Lyons addressed many of its challenges. The services within IT in a Box included:

  • Vendor management: The city did not have to worry any longer about frustrating calls with vendors about software issues or hardware procurement. In addition, Sophicity reduced costs by reducing the number of total vendors.
  • Document management: City records were now protected, and staff could easily apply record retention schedules.
  • A highly available and dependable email system: The city switched to hosted email on its own city domain that included email archiving, shared calendars and contacts, and 50GB of mailbox storage per user.
  • Help with open records requests: The city was now better prepared for Open Records Requests, and Sophicity helps the city process them.
  • Data backup and offsite data backup storage: Lyons received unlimited offsite data backup storage and retention for disaster recovery and archiving. No longer did staff have to worry about data backup with Sophicity’s real-time monitoring and quarterly testing.
  • 24x7 helpdesk: Sophicity provides 24x7x365 support to city staff in the office, working from home, and on the road. Experienced senior engineers address any IT issue — ASAP.
  • Server, desktop, and mobile management: Sophicity now proactively keeps computers patched, protected, and healthy to guard against cyberattacks—taking this task off the plates of non-technical city staff.
  • A new city website: Lyons received a modern fresh website design with Sophicity hosting the website and managing the content. Plus, city staff can now also edit and update website content themselves.

Results

Hall noted many beneficial results after Sophicity implemented GMA’s IT in a Box.

  • Data backup saved the day: After a major failure of two workstations, Sophicity got the city back up and running within 24 hours while providing city staff with alternative access to documents while those workstations were in the process of being replaced. During this incident, the city experienced no loss of data and they are now confident of their data backup when considering any future worst-case scenarios.
  • The city now easily responds to open records requests: Within just a few days, Sophicity was able to provide the city attorney with some emails that were required during a lawsuit. Hall says, “We would have been at a loss before our partnership with Sophicity.”
  • Sophicity found $900 per month savings from renegotiating telecom and internet contracts: Sophicity reassessed the city’s telecom and internet contracts, which led to a renegotiation of $900 per month in savings. And Sophicity not only reduced costs but they also increased internet bandwidth—leading to faster, higher quality internet service. Hall says, “Sophicity’s technical knowledge when speaking with potential internet service providers allowed us to get superior products for minimal cost.”
  • Modernized hardware for a low price: Sophicity modernized the city’s aging hardware while also carefully negotiating prices that are beneficial for a local government. Aware that cities need to be good stewards of taxpayer dollars, Sophicity also made sure that the city had the hardware needed to improve productivity and citizen services.
  • Cost and productivity improvements with existing software vendors: Sophicity worked with the city’s financial and public safety software vendors to accelerate troubleshooting and find workarounds to ongoing issues that saved the city time and money.

Regarding Sophicity's day to day troubleshooting, their knowledge and timing are impeccable. Most of the time their IT staff can take control of our workstations and fix problems within minutes. More complex problems that require onsite staff are handled in short order. The staff is very pleasant and patient to work with each time we call. We receive calls from them to check up on us from time to time once an issue is resolved. Response time to emails and chats is almost immediate. We are very happy with our choice and feel that the service provided is well worth the monthly fee. - Jason Hall, City Manager of Lyons

Contact Us Today

If you're interested in learning more, contact us about IT in a Box.

About Sophicity

Sophicity provides the highest quality IT products and services tailored to city governments. Among the features Sophicity delivers in "IT in a Box" are a website, data backup, offsite data backup storage, email, records/document management, video archiving, help with information security policy and compliance, Microsoft Office for desktops, server and desktop management, vendor management, and a seven-day-a-week helpdesk. Read more about IT in a Box.

Wednesday, October 04, 2017
Brian Ocfemia, Technical Account Manager

Cities—even smaller cities—eventually get to a point when they realize that information technology (IT) needs careful handling by professionals. Non-technical city staff can only do so much with IT, and liability concerns make it essential to hire professionals to address areas like data backup, cybersecurity, and compliance.

However, cities often have limited budgets and want to make sure they invest that money appropriately. A tempting solution is to hire a full-time IT employee. That way, a city will have someone onsite every day to handle IT problems and concerns.

We’re not against the hiring of full-time IT professionals. Sometimes, that can make sense for a city. However, we’ve found through many years of experience that the disadvantages usually outweigh the few advantages for cities.

One of our customers—a city with a population of about 4,500 people—recently told us that they faced the choice between hiring a full-time IT person or contracting with a vendor. When assessing the two choices, many disadvantages cropped up for the full-time option.

Salaries Too High for City Size, Budget, and Staffing Model

While salaries obviously vary around the country, for simplicity’s sake we’ll look at a median salary across the United States. According to PayScale, the median salary for a systems administrator is $60,843. Let’s round the salary down to $60,000 to simplify our example.

That means a city would have to budget around $60,000 plus about $18,000 for employee benefits. The systems administrator (or any other IT-specific role) would be limited to specific roles and responsibilities—meaning that person would lack knowledge about other IT areas. That’s $78,000 a year for an IT employee who is limited in knowledge.

Not only is $78,000 per year expensive but it also conflicts with staffing models appropriate for smaller cities. A full-time person on site for 40 hours per week may be overkill if a city only has a small number of IT systems, hardware, and software.

One Person’s Limited Bandwidth Hurts You in Multiple Ways

Nowadays, IT is not a 9-to-5 profession. Think about public safety operating 24/7. Think about city council meetings taking place in the evening after business hours. Think about employees traveling, working from home, or in the field. For such a high demand area, a 9-to-5 job just won’t cut it—even if you add some on-call hours or overtime requirements to the job.

Some simple scenarios show how the problem can get worse:

  • What if they get sick?
  • What if they go on vacation?
  • What if they decide to leave your city for another job?

In each situation, you’re stuck. Data backups not getting done. Problems going unresolved. Liability increasing. Over time, it’s easy for a limited resource to get bottlenecked. If a member of your city staff has an issue—even a simple issue—they may have to wait a long time until your IT employee gets to it.

An IT Employee’s Experience Will Be Varied and Inconsistent

Typically, your $78,000 will go toward someone with limited experience. Often, IT employees will lack municipal experience and not understand how cities work. There are also many areas of IT. It’s impossible to find someone experienced in everything such as network and systems support, data backup and disaster recovery, server management, software upgrades and maintenance, hardware upgrades and maintenance, website hosting and maintenance, document management systems, email software, open records requests, policy and compliance, and video archiving.

Attracting and Retaining IT Talent Will Be Tough

For many smaller cities, a dearth of local IT talent can affect hiring. Many IT professionals gravitate to a handful of highly populated metro areas. If you’re more than an hour outside one of these areas, it can be tough to find, attract, and retain IT professionals who are constantly bombarded by IT recruiters. You’re always competing with the market, even if you’re lucky to hire a very talented IT professional in your area.

Advantages of Contracting with a Vendor

Contracting with an experienced IT vendor is often a great alternative to a full-time employee because:

  • You can receive 24/7/365 support from municipal-experienced IT engineers for less than the cost of a full-time employee. On cost alone, the comparison between what a full-time employee can accomplish versus what a vendor can accomplish is not even close in terms of both financial investment and getting things done.
  • A 24/7/365 vendor doesn’t take a break. They won’t get sick, go on vacation, or leave you suddenly because they got offered a better job. That leads to ongoing IT stability and continuity.
  • A team of municipal-experienced IT engineers covers all aspects of IT. Instead of relying on the knowledge of a single person, a vendor’s team will cover all aspects of IT from data backup to website hosting, from video archiving to document management. It’s like having the IT expertise that only large companies used to enjoy.

The customer mentioned above eventually chose us after making these evaluations. It made more sense from a cost and knowledge perspective to go with us. When you face a similar dilemma, make sure you weigh your options carefully.

Ready to increase your IT support? Reach out to us today.

Tuesday, September 26, 2017
Nathan Eisner, COO

After struggling with technological limitations related to in-car cameras for many years, the City of Auburn moved to body cameras in 2013. However, the city’s body camera video technology introduced new problems such as where to store all that data and the expense related to that storage. After three years of using cloud storage, the City of Auburn moved to an on-premise system to save on fees. Coupled with Sophicity’s video archiving solution, the city’s new system saved them money—freeing up funds to purchase more body camera units.

In this Q&A, Auburn, Georgia’s Police Chief Carl Moulder and Lt. Chris Hodge talk about these technology challenges and how Sophicity’s vendor management (which is part of IT in a Box) helped them resolve these issues.

Before you implemented body cameras, what technology issues did you have to think about and anticipate to make the implementation a success?

We had in-car cameras for several years before replacing them with body cameras in early 2013. The in-car camera had serious limitations for video recording all police action, and the audio capability often failed when officers entered a residence or building. With the move to body cameras, we had to consider the increased storage needs of video/audio data because officers would be videoing all police action. The decision was made to use cloud storage. Our policy had to be revised and updated, but that was not a large task.

After three years of cloud storage, the decision was made to convert to in-house storage of the video/audio data. This also required the purchase of a new camera system. To successfully make the transition from our current cloud services provider, we had to procure our own server with enough storage to house videos of the size and capacity we produced. We also had to consider software that would enable us to upload and manage the videos without compromising chain of custody and evidence requirements.

From a technology standpoint, what was the most important thing you were looking for in a body camera system?

We wanted to move away from a cloud-based storage system and integrate a self-storage system within our own network. This saved on cloud storage fees, which were considerable, and allowed us to invest more money into the acquisition of more body camera units that could be assigned to an individual officer. Before, officers had to share body cameras because we didn’t have enough to go around.

What unexpected technology challenges came up when you implemented body cameras?

We experienced issues with cameras not communicating with the docking station, which in turn inhibited videos from uploading properly. The managing software is a crucial element for self-storage and maintaining videos. When this wasn’t syncing correctly, we experienced hardships. Manufacturers must understand how critical it is that their whole system (camera, software, docking station, storage medium, managing software) work flawlessly, as it’s better to not have a system than to have a system that doesn’t work.

How did IT in a Box’s vendor management and video archiving components help you with your body camera technology?

Our IT vendor was very instrumental in helping our department determine the best system for our needs while understanding our size and budget. Their assistance was critical in the implementation of the new software and cameras as well as the migration of existing videos to our new in-house server. Our vendor had the unenviable task of organizing thousands of videos into a manageable and retrievable arrangement. Without this structure, we would be unable to efficiently retrieve and disseminate these videos to the appropriate parties. Our IT vendor continues to work with us to ensure that our system functions correctly and efficiently, recommending upgrades as needed.

For other cities either implementing body camera technology or already using it, what technology advice would you give them?

Focus on getting quality software that will manage the videos. While the camera capabilities are important, without an efficient managing software the in-house storage endeavor will fail. I highly recommend involving your IT provider from the very beginning. They can keep you from making huge IT-related errors. Again, I believe it’s better to not have a system at all than to have a system that doesn’t work properly.


A few important points are worth noting from this interview:

  • Transitioning to a new technology requires research and assessment to determine the right fit. All body camera technology is not the same. The City of Auburn leveraged Sophicity to help determine the right technology and software for the city’s needs and budget.
  • Technical problems will inevitably arise with new hardware and software. When this happens, it’s best to have an experienced IT partner on hand to work with the hardware and software vendor on issues ranging from implementation to migrating data from one system to another.
  • Ongoing monitoring and maintenance is critical. Sophicity monitors and maintains the city’s body camera technology, software, and data to proactively watch out for any problems. Sophicity also upgrades and patches software while ensuring that the systems work.
  • A city’s technology partner can help ensure compliance with the law. Body camera video data contains sensitive, confidential information and it’s often needed for investigations. That information needs to be handled with care like any open record. Body camera video data needs to be stored, findable, and accessible.
  • Storage costs can be brought down by examining creative solutions. For the City of Auburn, it made sense in their situation to bring their data storage back in-house to lower storage costs. They also complemented that strategy with IT in a Box’s video archiving feature which helped the City of Auburn archive data into the cloud. That solution provides them unlimited storage at a fixed cost and protects that data as part of their disaster recovery strategy.

Exploring body camera solutions? Having issues with your existing body camera technology? Reach out to us today.

Wednesday, September 20, 2017
Dave Mims, CEO

Equifax is a multi-billion-dollar Fortune 1000 company that just experienced one of the biggest data breaches in history. This data breach potentially affects nearly all American adults. Media publications, Congress, and the public are currently in angry attack mode.

If you’re a small- or medium-sized city (or even a larger city), it may seem like there’s nothing much to be learned when comparing yourself to a giant company like Equifax. Yet, there are three important lessons you can learn from the Equifax data breach that make this a good time to review your current cybersecurity efforts.

1. The Equifax data breach stemmed from the company failing to patch software. What is your patch management strategy?

You know the story of David and Goliath. That’s how Equifax got taken down. Despite its size and revenue, hackers found one small security vulnerability in software that Equifax failed to patch—even though the vulnerability was well-known in the security community. The result? Hackers stole the PII (personally identifiable information) of 143 million people.

According to Ars Technica, hackers exploited “a Web application vulnerability that had been patched more than two months earlier. [...] [The company’s] disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites.”

Similarly, a lack of patch management became the reason why so many organizations were affected by the WannaCry ransomware virus earlier this year. Unfortunately, many cities still don’t proactively apply patches to software and systems. By failing to patch, cities are inviting a data breach with wide open arms.

We’ve written a lot about patch management in the past, but a few reminders include:

  • Creating a policy and procedures that require proactive patch management on a regular schedule.
  • Relying on IT professionals to oversee patch management. Non-technical employees may get distracted and/or apply patches incorrectly.
  • Applying patches to all machines regardless of location. This includes patching remote machines (such as servers hosted someplace other than your city buildings) and devices (such as laptops and smartphones that employees use at home or while traveling).

2. The Equifax data breach showed a stunning lack of responsibility at a fundamental level to protect people’s personal, sensitive information. Do you see the safekeeping of citizen data as a critical responsibility?

What makes people especially angry about the Equifax data breach is that we have no choice about Equifax acquiring and using some of our most personal data. They are not a typical services company where we opt in to share our personal information. Equifax collects our information whether we like it or not.

Yet, Equifax failed as stewards. According to Forbes, Equifax had a history of shoddy security practices that led to lawsuits, issues with PINs, security vulnerabilities, and smaller data breaches. Think about it. Equifax had not only a business incentive but also a responsibility to protect our data. Congress is now voicing that they will be looking at this situation.

Now, think about your city. It’s not a business where customers voluntarily offer up their personal information. They have no choice about you stewarding their personal, sensitive information or records that impact their families, properties, communities, or schools. Are you properly protecting and securing this data that you manage on behalf of your citizens?

Some signs that you are failing at your stewardship include:

  • Unpatched software
  • Old technology (especially more than 5 years old)
  • Unsupported software
  • Lack of data backup and disaster recovery
  • Reactive IT support
  • Lack of or poorly managed antivirus software
  • Poor passwords and user authorization procedures
  • Uncertainty around where your website is hosted

3. With more scrutiny and awareness about cybersecurity, the law becomes stricter. Are you following (or are you ready to follow) cybersecurity laws, regulations, policies, and government cybersecurity best practices?

2017 has been one of the most active Congressional sessions with passed and proposed cybersecurity legislation. For example, the Modernizing Government Technology (MGT) Act would require government agencies to follow basic IT best practices—known as cyber hygiene—to prevent cybersecurity attacks. At the state level, a good example is Arkansas’s SB138 that says cities can lose their charter if they do not comply with IT-related accounting practices.

Additionally, we’ve noted that poor cybersecurity may also affect your ability to borrow money. If you’re negligent about your cybersecurity, then your municipal bond rating that financial institutions and insurance firms use as part of their calculations will likely take a big hit in the future. Borrowing money is essential for city operations, and failing to take basic cybersecurity steps may affect your city’s finances in the future.


If there is one overarching lesson from Equifax, it’s that cybersecurity is just becoming too big to ignore. For many years, cities and other organizations have pled technology ignorance, lack of budget, or that they had no need for proactive technology support. 

Those times are over. Equifax failed in their stewardship, and time will show the impact to both Equifax as an organization and to the millions of people whose data they failed to protect. Individuals and families may now fall victim to identity theft. Your city must not fail in its stewardship of citizen information that includes both personally identifiable information as well as city records used to conduct city business for the benefit of the entire community. Your citizens trust you with their information. Can you truthfully say to them that you are protecting their information to the best of your ability?

If you need help with your cybersecurity, reach out to us today.

Wednesday, September 13, 2017
Victoria Boyko, Software Development Consultant

With more than 2 billion monthly users, Facebook is the third most popular website in the world. Because so many people spend time on it, Facebook has become an important place for cities to communicate information and help bring people to your city’s website. City departments often have their own Facebook pages that are individually managed, and those pages can be a fun, easy way to reach out to people.

However, Facebook pages can be plagued with security risks just like your city’s website or systems. For example, imagine a terminated city employee hijacking a city department’s Facebook page and not turning control of the page back over to the city. What would you do? And what could have been done to prevent this situation from happening?

While this situation is bad, we can easily imagine worse scenarios. If someone takes over your page, they can embarrass your city, spread misinformation, and use your page for a different purpose (like political extremism). That kind of hijacking can be a major liability to your city, and so you need to secure your Facebook pages.

How do you secure a page that’s hosted by Facebook that you don’t have direct control over (like your servers, software, or website)? Here are seven security tips that you can apply today.

1. Follow password best practices.

Password best practices are not only good for Facebook pages. They are applicable to all accounts across all systems and applications. Best practices include:

  • Using a password on all devices—including smartphones and tablets.
  • Using passphrases (preferred), but at a minimum using complex passwords.
  • Using two-factor authentication. For example, to log in you will enter 1) your username/password, followed by 2) a code sent to your mobile device.
  • Changing passwords regularly.
  • Not writing passwords down—especially where they are visible to others.
  • Not using obvious passwords (such as "password" or "123456").
  • Not allowing apps or browsers to cache/save passwords.
  • Not using the same password across systems, apps, and websites.

2. Change your password today.

Yes, we’re reiterating some of the points above. If you haven’t changed your password in a while or if it’s an incredibly weak password, change it today. Plus, changing your password today immediately eliminates risks if other people (ex-employees, hackers, etc.) have stolen your current password.

3. Take advantage of the “Setting Up Extra Security” section of Facebook’s Security and Login settings.

If you go to your Facebook page’s Settings, you will see a tab for Security and Login. Go to that tab and you will see a section called “Setting Up Extra Security.” Two important features are there that you should use.

  • Get alerts about unrecognized logins: If an unauthorized user or an authorized user from an unusual location attempts to log in to your Facebook page, then you will receive an alert. In many cases, these alerts will clue you in to a security problem.
  • Use two-factor authentication: We mentioned this under our password best practices, but Facebook allows you to easily set this up. A login to your Facebook page will require a user to enter both a password and a code sent to their mobile device.

4. Limit and manage authorized users.

Don’t just create one account and give everyone administrative access. Limit who uses your Facebook page and give them specific roles by:

  • Going to Settings on your Facebook page.
  • Going to Page Roles.
  • Under “Assign a New Page Role,” you can type in the name or email address of a user and assign them a role such as Editor, Moderator, or Admin.

Once set up, make sure you manage the list of authorized users and review it regularly. Otherwise, terminated employees or other unauthorized individuals may have access to sensitive information. Eliminate any user who is no longer authorized to make changes to your Facebook page.

5. Apply the above best practices to your email software.

Your Facebook page security will mean nothing if your email security is poor. A city might create a generic admin email address used by many people to make it easy for them to log into a Facebook page account. Instead, have everyone use individual email addresses and make sure those email addresses are protected by strong password best practices, suspicious activity alerts, and two-factor authentication. Strong email security at your city prevents unauthorized users from accessing your Facebook page.

6. Check the “Where You’re Logged In” section of Facebook’s Security and Login settings.

Make a habit of occasionally checking the “Where You’re Logged In” section of Facebook’s Security and Login settings to see if any suspicious devices are logged into your account. Each user will be identified by the type of device, browser, and location. It’s especially a red flag if someone unknown is logged in from an unusual location such as another country.

7. Use the Verified Badge for Government option.

We’ve written previously about the benefits of acquiring a Verified Badge for your city’s Facebook page. It makes your page the official, approved page for your city or city department. As we noted in a previous blog post, with a Verified Badge “you now have more authority to shut down damaging or slanderous Facebook pages. If someone operates a Facebook page that pretends they are your city or if they are misleading people about your city, then it’s easier as the owner of the official, verified version of your city’s page to work with Facebook to shut down misleading unofficial sites. Until you receive your verified page badge, you may have to work harder to prove to Facebook that another site is unofficial and shouldn’t be representing your city.”

If you need some help getting a Verified Badge, this post provides some good guidance.


Facebook pages may seem simple because they are so quick to set up, but take them seriously from a security standpoint. In the wrong hands, a hijacked Facebook page can do your city a lot of harm. Apply the tips above in order to secure your Facebook page from hackers and hijackers.

Need help securing your social media pages? Reach out to us today.

Wednesday, September 06, 2017
Dave Mims, CEO

While a spam email may occasionally trick your city employees, it’s safe to say that normal spam emails are full of red flags. The writing is terrible, the email address looks obviously wrong, or the information requested from you is bizarre. Immediately, you flag that email as spam because you’ve seen through the amateurish scam.

But because cities are big targets for cybercriminals, you might occasionally become the subject of a sophisticated, targeted email scam—so sophisticated that it’s really, really hard to know if the email is spam.

If you don’t believe this situation could happen to you, meet Stephanie Settles, City Clerk and Treasurer of Paris, Kentucky—a city with a population of a little under 10,000 and a staff size of 125. In other words, it happened to a city that’s probably around your size.

After she shared her story at a recent cybersecurity presentation, about a fourth to a third of the room said they had received similar emails. In this interview, Settles talks to us about what happened, how she ended up detecting the complex spoof email, and how cities can stay vigilant against similar attacks.

So, you received a spoof email but didn’t know it was a spoof at first. Talk about what happened.

I received an email from my “City Manager.” You’ll soon see why I put that title in quotes. Coincidentally, the real City Manager left my office 15 minutes prior to me receiving the first email from “him.”

My City Manager was leaving town for a training session and we were making sure things had been processed and paid before he left. I had told him I was going across the street to pick up a sandwich for lunch and would be right back, and that if he needed or forgot something to let me know.

After I returned with my sandwich and sat at my desk, I received this email.

Email asking if Stephanie in the office

I was thinking, “Oh, he must have forgotten something.” Remember, I was helping him process paperwork and payments before he left. The timing of this message made total sense. So, I responded to the email. Nothing seemed abnormal at this point.

Email confirming Stephanie in the office 

Then I received the following email from “him.”

City manager email requesting wire transfer

Again, if I looked at this quickly, the message still seemed legitimate. The real City Manager always addresses us by our first names. It would not be unusual for him to request a transfer considering we were paying bills that day. So, I responded back.

City clerk email agreeing to do a wire transfer 

When “he” sent the following email, the red flags started.

City manager email with suspicious wire transfer details

At this point, I noticed that the account name looked suspicious and the dollar amount seemed iffy. At our City, multiple signatures are required to spend over $9,000. But the language still sounded like my City Manager—especially the part about sending me an invoice and supporting documents for proper coding. He uses that language in his emails.

However, I was ready to tell him that I could not complete this request without proper approvals. It’s when I began to respond to this email that I 100% knew it was a spoof. Look at the email address for the “city manager.”

City clerk email with incorrect city manager email address 

The email address—with the “ceo01144” name—clearly did not match our City Manager’s email address. Then, I made some comparisons with a normal email from him.

Typical city manager email with no red flags

In a normal email, my City Manager typically does not reply to emails from his cell phone. Typically, he logs into his computer and replies to emails. Now, I know that if I see something from him that says “sent from my iPhone” that it is a spoof email.

What made this spoof email so tricky to spot?

Most importantly, the timing, language, and request made it seem like a normal email. Some secondary factors also made it tricky to detect that it was a spam email:

  • The emails contained a photo of the real City Manager.
  • The top of the emails referenced the correct email address.
  • The real City Manager always begins his emails with the person’s name he is addressing.
  • The City’s email disclaimer was at the bottom of the emails.
  • The emails came into my inbox grouped into the same “real” inbox for our paris.ky.gov email domain instead of appearing in my inbox from a new email address.
  • Each email that the “City Manager” used to reply to me was a new email. In other words, each time he responded to me, he began an entirely new email thread. Normally, a discussion like this would just form one long email thread as we responded to each other.

Why is this kind of an email a security concern?

Let’s say that I couldn’t detect that this email was spam. Then, a criminal could have obtained access to the city’s bank accounts or other sensitive and personal information. That kind of information in the wrong hands has the potential to cripple a city and interfere with our servers and processing systems, harming our data integrity.

Plus, cities can be vulnerable because we’re often so busy and distracted. For example, I was so busy that day that I decided to take a working lunch at my desk. I spotted the red flags, but imagine someone less experienced or more distracted than me. It shows, with one slip, how easily a spammer can trick someone if they’re not paying attention.

What are some ways that cities can protect against this kind of email spoofing attack?

This seemed extremely targeted, malicious, and criminal. For someone to go to the extent of retrieving someone’s photo, spoofing an email address, imitating the person’s language, and targeting me with a request that’s not terribly unusual means that it’s all but identity theft.

Even with such a sophisticated attack, there are many ways that cities can prevent a spammer from gaining access to your sensitive information by following a few tips:

  • Change your passwords frequently.
  • Run full virus scans on a frequent basis.
  • Take notice of the email address when you respond to someone.
  • If in doubt of an email, just pick up the phone and call the person. It’s better to be safe than sorry.

On top of that, we consider Sophicity’s IT in a Box as an extra layer of security—our security blanket, if you will—to help protect our data. They keep antivirus and antispam software running and up to date, software patched and updated, and our hardware secured. They also help make sure that our employees are educated about spotting phishing emails, not clicking on malicious links or attachments, not sharing sensitive or confidential information with an untrusted person, and knowing who to call when something like this happens.


Concerned about your readiness in the face of a sophisticated spoof email? Reach out to us today.
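The red flags Settles describes (replies routed to an address that does not match the displayed sender, and "replies" that each start a new thread) can also be checked mechanically by a mail filter. The sketch below is an added example, not part of the original post or any vendor's tooling; the domain `city.example`, the staff directory, and the sample messages are constructed, and the DMARC check goes beyond what the interview covers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed for this example): the organization's mail domain
# and a small directory mapping staff display names to their real addresses.
ORG_DOMAIN = "city.example"
STAFF = {"pat example": "pat.example@city.example"}


def domain_of(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def red_flags(raw_message):
    """Return a list of spoofing indicators found in one raw email message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    flags = []

    # The displayed sender looks right, but replies go to an outside address
    # (the "ceo01144" mismatch noticed only when replying).
    if reply_addr and reply_addr != from_addr and domain_of(reply_addr) != ORG_DOMAIN:
        flags.append("reply-to-external")

    # The display name is a known staff member, but the address is not theirs.
    known_addr = STAFF.get(from_name.strip().lower())
    if known_addr and from_addr != known_addr:
        flags.append("display-name-mismatch")

    # The subject claims to be a reply, yet no threading headers are present:
    # every "reply" is really a brand-new message.
    subject = msg.get("Subject", "")
    if subject.lower().startswith("re:") and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        flags.append("reply-without-thread")

    # The receiving server recorded a DMARC result other than "pass".
    auth_results = " ".join(msg.get_all("Authentication-Results") or [])
    dmarc = re.search(r"\bdmarc=(\w+)", auth_results, re.IGNORECASE)
    if dmarc and dmarc.group(1).lower() != "pass":
        flags.append("dmarc-fail")

    return flags


# Constructed sample: correct-looking From, replies diverted elsewhere.
SPOOFED = """\
From: "Pat Example" <pat.example@city.example>
Reply-To: "Pat Example" <ceo01144@mailbox.example>
To: clerk@city.example
Subject: Re: Are you in the office?
Authentication-Results: mx.city.example; spf=fail; dmarc=fail header.from=city.example
Message-ID: <c2@mailbox.example>

Sent from my iPhone
"""

# Constructed sample: a genuine threaded reply from the real mailbox.
LEGITIMATE = """\
From: "Pat Example" <pat.example@city.example>
To: clerk@city.example
Subject: Re: Council agenda
In-Reply-To: <a1@city.example>
References: <a1@city.example>
Authentication-Results: mx.city.example; spf=pass; dkim=pass; dmarc=pass header.from=city.example
Message-ID: <a2@city.example>

Thanks, see you at the meeting.
"""

# Constructed sample: right name, look-alike sending domain.
LOOKALIKE = """\
From: "Pat Example" <pat.example@city-example.test>
To: clerk@city.example
Subject: Wire transfer
Message-ID: <z9@city-example.test>

Please process today.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE), ("lookalike", LOOKALIKE)):
        print(label, red_flags(raw))
```

Flags like these are best used to banner or quarantine a message for review; the phone call to the supposed sender remains the deciding check.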

Wednesday, August 30, 2017
Mark Holbrook, Technical Account Manager

Compliance. One of those necessary operational activities that you know is working when nothing bad happens. When compliance doesn’t work, you open the door to significant risk. Maybe you violated open records laws like the city of Chicago and have to pay out $670,000 in lawsuits. Maybe an employee opened a spam email and hackers gained access to that employee’s email account, exposing sensitive and confidential information that the city was supposed to protect. Or maybe you lose eight years of criminal evidence from a ransomware attack, possibly affecting the sentences of defendants as lawyers present evidence for and against their cases.

Even if your lack of compliance seems less startling than the repercussions of these stories, it’s still an issue that opens you up to serious liability claims and lawsuits. Before we started working with one of our current city customers, they discovered that they were not meeting federal or state compliance regulations in several areas. For example, the city’s email was not secure and compliant with open records laws.

We’ve talked a lot in the past about the legal consequences of poor technology infrastructure and support. In this post, we want to highlight how specific areas of compliance can be impacted by your technology.

1. Tax information

Information related to property taxes, municipal income taxes, and other kinds of taxes that cities collect from citizens needs to be protected under law. Much of this information is considered confidential or sensitive (such as social security numbers). Also, the IRS requires that cities keep Federal Tax Information (FTI) secure according to Publication 1075. Secure data transfer, recordkeeping, secure storage, authorized access, and computer system security are all covered under federal law. According to the IRS, “The [Internal Revenue Code] defines and protects the confidential relationship between the taxpayer and the IRS and makes it a crime to violate this confidence.”

2. Public safety information

Too many public safety departments still have a shaky IT foundation with aging technology, obsolete software, and poorly maintained systems. This leaves open many security holes and risks the loss of critical information. At a federal level, there are strict Criminal Justice Information (CJI) laws covering information access, storage, and data integrity. Then, each state has laws pertaining to the security of information exchanged with local public safety departments.

For example, “The Rules of the [Georgia Crime Information Center] Council mandate performance audits of criminal justice agencies that access the Georgia CJIS network to assess and enforce compliance with the Rules of the GCIC Council, O.C.G.A. § 35-3-30 through 35-3-40, other relevant Georgia code sections and pertinent federal statutes and regulations.” That’s why our engineers are GCIC-certified to make sure that IT systems comply with the Georgia Bureau of Investigation as well as Criminal Justice Information Services (CJIS).

3. Payment information

Any city that offers payment services for tickets, fines, utilities, licenses, or other services needs to secure and protect payment information. That includes credit card, debit card, banking, and any other data that hackers can steal to commit financial fraud. Complying with PCI DSS standards is a must for cities when they provide payment services. In addition, any technology infrastructure that stores and processes payment needs to be modernized, monitored, and maintained by IT professionals.

4. Personnel information

You obviously know that personnel matters involve some of the most sensitive and confidential information. That’s because personnel information can include personal history, background checks, tests (such as drug tests), healthcare, and work performance. That information must be protected by law, and there are many federal, state, and local laws that you must follow.

5. Open records and FOIA requests

By law, your city must respond to open records and FOIA requests. Yet, many cities sometimes delay responding to those requests by claiming they can’t find the information. Sure, some cities may have poor email, document management, or paper filing systems that make tracking down information troublesome. But open records laws become more unforgiving with each passing year. Searchable email, records/document management systems, and databases need to give cities access to information quickly. Data backup and disaster recovery expectations mean that you can’t just “lose” information. And you must adhere to specific retention, archiving, and disposal schedules. Not modernizing your technology or backing up your data properly opens you up to fines, lawsuits, and unflattering front-page news stories.


These are five major areas within your city operations where complying with the law relies heavily on policy, best practices, and technology. At a minimum, you need:

  • Adopted policies and training
  • Basic cyber hygiene (such as regularly patching software, enterprise-grade antivirus, and IT professionals monitoring and maintaining your systems)
  • Data backup and disaster recovery
  • Modernized hardware, software, and infrastructure
  • Physical and information security policies and procedures
  • A secure, reliably hosted website
  • Disciplined vendor management

Worried about complying with the law? Reach out to us today.

Tuesday, August 29, 2017
Dave Mims, CEO

On its city website, Oxford, Georgia describes itself as “A City of History, Community, Education, and Trees.” Chartered in 1839, the City of Oxford birthed Emory University in 1836 at what’s now Oxford College—currently home to 25 percent of Emory’s freshman and sophomore undergraduates. While a self-described quiet community, the city has recently seen a lot of activity with a new City Hall, new maintenance facility, and plans to establish a mixed-use new Town Center District for community activities.

To support all this activity, the City of Oxford needs a strong IT backbone—what City Manager Bob Schwartz (now retired) calls “invisible IT.” “When we supply water to citizens,” says Schwartz. “People never know that there’s a network of pipes, several access points, and an elevated tank. They don’t care—as long as it works. With Sophicity, IT works for us how water works for our citizens.”

Challenge

A few years ago, the City of Oxford found its IT services out of date and unstable. Concerned with the stability and security of their email, server hosting, and data backup, city officials needed to upgrade and modernize their technology.

With a small staff of 15 who use about 20 PCs and a few file servers, the City of Oxford also had to keep track of technically demanding tasks such as data backup, software patching and updating, and hardware issues. At the same time, the city often had technology issues that needed the responsiveness of a full-time IT staff. However, the city’s size did not justify hiring someone full-time and yet they still needed that level of expertise to handle its technology issues.

“At one of my previous jobs,” said Schwartz. “I had a staff of about 60 people, including two IT staff. It was great to just call the IT person and tell them to look at something. We needed that level of IT responsiveness without hiring someone full-time.”

And while a small city, it’s still necessary to have a modern, service-oriented website that’s easy to maintain and reliably hosted. Before Sophicity, the city would hire a part-time student to maintain the website. Despite the student’s help, city staff often wanted to easily edit and update website content but couldn’t. There was also uncertainty about how and where the website was hosted.

On a more tactical level, the city’s previous document management software limited their productivity and efficiency—especially with routine tasks like preparing for city council meetings. “When we worked on a document we would email it back and forth between ourselves,” says Schwartz. “There wasn’t a central place to store documents and collaborate on them, which made it harder to prepare for activities like city council meetings that required a lot of edits and revisions to documents.”

Solution

Oxford solved these challenges by using the Georgia Municipal Association’s “IT in a Box” service. IT in a Box included:

  • A new city website: Oxford received a modern fresh website design with Sophicity hosting the website and managing the content. Plus, city staff could now edit and update website content.
  • Data backup and offsite data backup storage: Oxford received unlimited offsite data backup storage and retention for disaster recovery and archiving. No longer did staff have to worry about data backup with Sophicity’s real-time monitoring and quarterly testing.
  • Document management: City records were now protected, and staff could easily apply the state’s record retention schedules.
  • A highly available and dependable email system: The city switched to hosted email on its own city domain that included email archiving, shared calendars and contacts, and 50GB of mailbox storage per user.
  • Help with open records requests: The city was now better prepared for FOIA and Open Records Requests, and Sophicity helps the city clerk process them.
  • Vendor management: The city did not have to worry any longer about frustrating calls with vendors about software issues or hardware procurement.
  • 24x7 helpdesk: The city now had the responsive helpdesk it always wanted. Sophicity provides 24x7x365 support to city staff in the office, working from home, and on the road. Experienced senior engineers address any IT issue remotely—ASAP.
  • Server, desktop, and mobile management: Sophicity now proactively keeps computers patched, protected, and healthy to guard against cyberattacks—taking this task off the plates of non-technical city staff.

Results

“IT in a Box” helped Oxford:

Acquire a 24x7x365 experienced IT helpdesk that’s more effective than full-time staff for less cost.

As Bob Schwartz puts it, “It’s almost the same feeling as hollering down the hall to your IT staff and getting them to immediately look at your problem. The only difference is that we dial a number, Sophicity takes over our computer screen, and they often fix the problem then and there.” Schwartz goes on to joke that “It's not as fun as hollering at somebody!” but he continues on a serious note. “There's no reason to holler at Sophicity when their engineers are so nice and helpful.” It may seem small, but even quick help about simple issues like a disconnected copier was a relief to the city after previously struggling with this issue themselves.

Prepare and run city council meetings more efficiently and collaboratively.

The city uses Sophicity’s document management system to prepare city council agendas for meetings. Schwartz and the city clerk can collaborate while working on files without fear of losing information in an email or missing a revision to a file.

“We can add to the agenda as we go,” says Schwartz. “The city clerk will put in copies of the minutes from the last meeting that city council has to approve at the next meeting. I’ll put in a memo explaining a proposed ordinance or some explanation about an activity. The document management system warns us if we're both trying to edit the same document, which avoids messy reconciliation issues.”

Modernize its website and allow city staff to edit and update content.

Instead of a part-time student overseeing the city’s website, Sophicity modernized and redesigned it to give the city’s online presence a fresh look and feel. The current website now offers information about city government, how to contact city departments, news, answers to common questions, and other resources—kept fresh by city staff who can now update and edit content.

Schwartz notes, “You have taught our assistant clerk how to make the less complicated changes, so we’re able to post stuff very quickly.” If the content is a bit tricky to upload, then Sophicity will post it for her.

Not worry about IT anymore.

Like the old Maytag repairman commercials, the best IT is often “invisible” IT—in the sense that technology just works. Schwartz says, “We haven’t crashed or been subject to ransomware. Our programs and PCs are up and ready to work when we get to the office. And when my PC did irretrievably break, your staff was able to recommend a replacement and restore all my files from your backup copies.”

Schwartz notes there are a lot of stories in the media about cities getting hit with ransomware and viruses. And it’s in that moment that cities realize—too late—that not backing up data and failing to implement proactive IT maintenance leads to permanent data loss, failure to comply with the law, and a loss of citizen trust.

With Sophicity, even if the worst disaster happens there are many protections in place from onsite and offsite data backup to ongoing IT monitoring and maintenance that means the worst isn’t that bad.

“My advice for any city would be to ask themselves, ‘Who's doing your virus protection? And who's doing your backup? Where is it?’ Monthly data backup is not enough. And sometimes you think you’re backing up, but you’re not. You really don't want to wait until ransomware strikes, half of your files disappear, or you can't boot up in the morning. With Sophicity, I don’t have to worry about these problems.”
Bob Schwartz, City Manager, City of Oxford, Georgia

Contact Us Today

If you're interested in learning more, contact us about IT in a Box.

About Sophicity

Sophicity provides the highest quality IT products and services tailored to city governments. Among the features Sophicity delivers in "IT in a Box" are a website, data backup, offsite data backup storage, email, records/document management, video archiving, help with information security policy and compliance, Microsoft Office for desktops, server and desktop management, vendor management, and a seven-day-a-week helpdesk. Read more about IT in a Box.

Wednesday, August 16, 2017
Mike Smith, Network Infrastructure Consultant

When cities use too many different technology vendors, too many problems happen. One of our customers talked to us about what it was like before we started working with their city. They previously contracted individual vendors for:

  • Troubleshooting
  • Data backup and disaster recovery
  • Document solutions
  • Email
  • Website hosting
  • Telecom auditing
  • Product management

Add 3 ISP providers to the mix and you’ve got vendor chaos! Because of too many vendors, the city grappled with problems that included:

  • A lack of a comprehensive document management solution
  • No overall, holistic vendor management
  • Uncertainty around federal and state compliance with laws
  • Lackluster support from their vendors—also known as finger-pointing

So why is transitioning from many vendors to one vendor so important for cities?

1. More vendors cost more money.

Each vendor will charge a premium for their service along with onboarding time, installation, upgrades, and maintenance. You’ll pay these costs even if there is overlap in services such as different data backup services for different products.

Generally, too many IT vendors suggest that costs have potentially spiraled out of control. It’s like when an organization is overstaffed with too many people serving in unclear, conflicting roles.

2. Vendors split across many functions lack an in-depth knowledge about your IT environment.

An email vendor wants to make a change to your software that has an unintended consequence elsewhere. Your data backup vendor isn’t aware of rules related to records retention. Your website vendor provides you features and functionality not compliant for local government. In these situations, you experience the result of vendors that make decisions without knowing your environment well.

A vendor that monitors and maintains your entire IT environment will know how to quickly and effectively troubleshoot problems, proactively fend off issues, and keep you in compliance. If they oversee all the different parts and pieces, then they will understand how email relates to compliance or how data backup relates to document management.

3. More vendors lead to chaos.

When you have seven different vendors, who is managing all of them? Often, it’s overworked city staff already strapped for time. Even in a stress-free environment, it’s difficult for non-technical city staff to keep track of issues and to-dos related to seven different technology vendors.

In an environment without someone providing vendor management, mistakes happen. Things don’t get done. Vendors conflict with each other. Balls get dropped. Tempers flare. People point fingers. But when IT professionals oversee vendor management, many of these problems disappear.

4. Different vendors do not back up data consistently.

Your various software systems may have their own data backup and disaster recovery processes. These processes may conflict with each other or add up to an incomplete overall backup of your critical information. Who is testing these backups? What vendors are cooperating with each other?

5. Many task-specific vendors don’t understand city-specific requirements like compliance.

The city mentioned in our introduction noted that their email vendor was not compliant with open records and cybersecurity laws. This left the city open to liability claims and lawsuits. Other task-specific vendors for data backup, document management, and website hosting may also lack in-depth expertise about local government compliance and leave you open to noncompliance risks.

Studies show that many security breaches are the result of third parties. When many vendors are allowed to go into your IT environment without much oversight, they can be setting you up for noncompliance and introducing security vulnerabilities that may lead to a cyberattack. You need IT professionals to oversee vendors and the technology in your environment to make sure you’re able to handle open records requests, authorize access to information, and prevent most cyberattacks.

6. With many different vendors, you can’t see the big picture.

There’s a reason that IT runs best when it’s led and overseen by professionals who understand the business of cities. Someone needs to assess your entire environment and put all the pieces together. That involves planning, coordination, monitoring, maintenance, upgrades, patching, support, procurement, and vendor management.

One of our colleagues recently told us a story about taking a four-hour bus ride between two major cities. At the bus station, the bus was outside but did not depart on time. People waited in line for 45 minutes, the bus driver stood outside, and no one communicated about the reason for the delay. When our colleague asked the customer service person why, she shrugged and said, “I can’t help it. It’s up to the bus driver.” When our colleague talked to the bus driver, he said, “I can’t help it. It’s up to the bus company.” Instead of accountability, there was inexplicable confusion, chaos, and uncertainty related to the departure time.

That’s what happens when too many vendors form a part of your environment. Why is email not working? Why did the website go down? Why can’t employees access documents? It’s often another vendor’s fault. There’s no central point of command.

One IT vendor should holistically oversee everything. For example, your document management system may involve data backup, storage, compliance, features, and functionality. Instead of a document management vendor blaming the data backup vendor, or vice versa, one vendor overseeing everything will be able to handle problems in these two areas simultaneously.


If your city struggles with too many vendors, then there is a better, more cost effective way. Reach out to us today.
