We put the IT in city®

CitySmart Blog

Wednesday, July 19, 2017
Sarah Northcutt, Account Manager

Sarah NorthcuttMunicipal bonds. One of those long-standing, tried and true ways that your city can fund important projects including downtown development, infrastructure, and schools. As you know, many factors can lower your bond rating such as financial instability or signs of poor management. When your bond rating goes down, it’s harder and more expensive to borrow money.

So why are we, an IT company, talking about municipal bonds in a blog post? Recently, Standard & Poor's (S&P) and Moody’s said they will soon start taking cybersecurity into account when they evaluate the ability for local governments to borrow money.

According to Reuters, “S&P Global has begun to quiz states, cities and towns about their cyber defenses, and some credit analysts are starting to factor cyber security when they look at bonds. Moody's Investors Service is also trying to figure out how to best evaluate cyber risk.”

The article goes on to state that while this currently isn’t part of the three key rating agencies’ processes, signs show that it will eventually happen:

“[Court Street Group analyst Joseph Krist] expects others to follow suit. ‘We went through this with getting munis to ... disclose more pension information. Those were frankly long and painful processes. It just has to get to a critical mass.’”

Both the WannaCry and the most recent Petya global cyberattacks are electrifying lawmakers to take action about cybersecurity. Rules and regulations will only increase and become part of the evaluation process for things like your city’s ability to borrow money.

In other words, not taking care of your cybersecurity means the same level of perceived instability or negligence surrounding a poor financial situation at your city.

Your city remains a big target for cybercriminals. Generally, cities can be easy targets and keepers of valuable, sensitive information. If you want your city to remain able to borrow money at a low interest rate, then you must address the following cybersecurity areas.

1. Prepare for the worst with data backup and disaster recovery.

An essential part of a cybersecurity plan is to assume the worst will happen. When ransomware infects your servers, what happens to your data? You need to be able to access and continue your operations within hours or days. That means having a data backup and disaster recovery plan that accounts for both onsite and offsite backup that’s tested regularly.

2. Proactively fend off viruses, malware, and ransomware through enterprise-level antivirus software.

If a city uses free or consumer-grade antivirus software, then it’s in trouble. Your city needs to use an enterprise-grade antivirus and antispam solution that’s monitored, maintained, and updated by IT professionals. When you use free or consumer-grade antivirus software (often “maintained” by non-technical employees), you are taking on risk—potentially significant risk—by not having expertise and experience on hand to deal with these critical and fundamental systems.

3. Patch and upgrade software to eliminate security vulnerabilities.

Hackers are successful with viruses, ransomware, and malware by exploiting security vulnerabilities in software. That’s why software vendors constantly release patches meant to not only fix bugs and add enhancements but to also shore up security vulnerabilities. Many of the most devastating WannaCry and Petya attacks resulted from organizations not patching their software. You need to regularly patch and upgrade software when needed. The WannaCry and Petya ransomware also exploited computers still using obsolete, outdated software not supported any longer by the vendor. By upgrading software, you ensure it’s supported, patched, and secured.

4. Create cybersecurity policies and procedures for your city.

Many states such as Arkansas and Kentucky include laws and best practices related to local government audits and oversight. In Arkansas, a city can now lose its charter if it’s not following appropriate cybersecurity policy. Your city needs policies that address:

Regular self-auditing with the help of your IT vendor and third parties will help you ensure that you are complying with the law.

5. Train users regularly.

Because cybersecurity threats grow more sophisticated over time, you need to keep users up to speed. Take the time to train them about:

  • Malicious emails and how to know if an email is legitimate.
  • Malicious websites and how to avoid them.
  • Why employees must not use unapproved software or download games and quizzes from the internet.
  • How viruses work and what they can do to your city.
  • How modern forms of viruses such as ransomware work.

Employees especially need to know how their actions can lead to a devastating cyberattack, why they must follow policy, and what consequences can happen to them if they don’t. Many employees like to use their work computers like they use their home computers, but they must understand that certain restrictions aren’t aimed personally at them. These policies are in place to help your city avoid a devastating cyberattack.

Worried about the state of your cybersecurity? Reach out to us today.