We put the IT in city®

CitySmart Blog

Wednesday, July 26, 2017
Adrian McWethy, Account Manager

Adrian McWethyIn a document entitled “Protection of Personal Information: Security and Incident Investigation Procedures and Practices for Local Governmental Units,” Kentucky’s Department for Local Government (DLG) lists six important goals to include in a policy that aims to protect personal information. According to the DLG, a city’s policy should “minimize the risk of disclosing personal information and [set] practical guidelines for effectively responding to security incidents.”

The six goals that Kentucky’s DLG says should form part of a policy are to:

  1. Identify vulnerabilities.
  2. Eliminate or mitigate those vulnerabilities.
  3. Recognize when an incident has occurred.
  4. Notify appropriate personnel in the event of an incident.
  5. Respond to information security threats.
  6. Recognize events that require special handling due to their potential impact or special reporting due to legal or other concerns.

Even if you’re not a Kentucky city, similar laws exist in other states around protecting personal information. These six goals also form a set of best practices that any city security policy should aim to cover.

So how can you go about tackling these six areas? Here are a few tips.

1. Identify vulnerabilities.

How do you make sure you are able to proactively identify vulnerabilities? Before jumping to a tactical level, it helps to set a policy showing that you’re aware of the potential for vulnerabilities related to:

Clarifying your policy around these areas will help you identify gaps in your security that could lead to a cyberattack. We’ve linked to blog posts that tackle these policy areas in more detail.

On a tactical level, you need proactive, ongoing IT monitoring and maintenance of your applications and systems to identify vulnerabilities as they arise.

2. Eliminate or mitigate those vulnerabilities.

Once identified, you need tools in place to eliminate and mitigate vulnerabilities. Those tools may include:

  • Enterprise-grade antivirus and antispam software: Cities need enterprise-grade antivirus and antispam software—not consumer-grade or free software. Enterprise-grade software can be customized and monitored by IT professionals who will use it to help eliminate and mitigate cyberthreats.
  • Patches and upgrades: Many cities still do not regularly patch and update software. Vendors create patches and updates to fix security vulnerabilities. Those patches and updates need to be applied soon after they are released by a vendor.
  • Vendor management: To be sure that your software is safe to use, IT professionals can talk technically with vendors about eliminating or mitigating vulnerabilities.
  • Data backup: In a worst-case scenario, having data backup can mitigate the loss or corruption of data.

3. Recognize when an incident has occurred.

The City of Miami Beach, Florida recently experienced an incident where criminals stole $3.6 million—and the city did not notice it for six months! It’s a good example of what happens when your city simply doesn’t pay attention and fails to recognize when a security incident occurs.

Cities need IT professionals who proactively monitor and maintain your systems with:

  • 24/7/365 automated software that provides updates about the health of your system.
  • Human oversight to flag potential problems.

Otherwise, a security incident could occur that you don’t learn about for days, weeks, or months.

4. Notify appropriate personnel in the event of an incident.

This step touches on two areas that you need to flesh out:

  • Information security policies, procedures, and best practices. Once outlined, you can rely on these documents to follow a specific process after an incident. Sometimes, this means following the law (such as with a data breach). In other cases, it may just mean reviewing best practices on how to handle something like a virus once a machine is infected. If something happens, you’ve got a plan—and it helps to have experienced IT professionals on hand who can act fast.
  • Disaster recovery. A disaster recovery plan encompasses a much wider area than an information security policy, but a city’s disaster recovery plan needs to account for information security. In a worst-case scenario such as a fire, flooding, theft, or natural disaster, what happens if data is lost or destroyed?

5. Respond to information security threats.

Basically, this step is all about carrying out your plan. It’s best if:

  • Experienced, trained IT helpdesk staff tackle the problem: Proactive IT support engineers will immediately know about and respond to the problem. Reactive or inexperienced IT support will be too slow to respond and you risk more problems as a result.
  • Get your data backup ready: In the case of a virus, ransomware, or other form of data loss related to a cyberattack, be ready to respond by reverting to a previous snapshot of your data. You may lose a few minutes, hours, or days of data, but you will recover quickly. Without ongoing data backup, you risk permanent data loss.
  • Get your city staff ready: Members of your city staff may play a part in responding to a threat. Your public information officer may need to let citizens know about a data breach. Your city attorney may need to follow certain legal procedures in the aftermath of a security incident. Law enforcement may need to get involved if data is stolen.

6. Recognize events that require special handling due to their potential impact or special reporting due to legal or other concerns.

We can’t list every single event that would need special handling, but a few common ones may include:

  • A website hack, defamation, or denial of service attack. You may need to work with the website hosting provider on the issue or inform citizens about when to expect the website to return to full service.
  • An email security issue. Perhaps from an unauthorized breach, improper use of a personal email address for city business, or an unencrypted email with confidential information, an email incident may involve special handling.
  • An open records request issue. If you feel you are not able to respond to an open records request because of a technology issue, then you may need an IT professional to examine your email or document management systems to see if you can comply.
  • A video archiving issue. Especially for public safety, video can run into many technical issues because of storage, accessibility, or security issues. Because of the complexity and confidentiality of the data, you need to handle it carefully.

In the document cited at the beginning of this post, Kentucky’s DLG says, “Each [Local Government Unit] LGO is responsible for ensuring that employees and others with permissive access to, or who may access, personal information are familiar with the policy and all such persons or entities shall be aware of what constitutes an incident. Each LGU shall ensure that employees are aware that compliance with this policy is mandatory. LGUs have the responsibility to enforce this policy.”

Again, while your state may be more or less strict compared to Kentucky, it’s clear that laws increasingly point toward greater accountability related to cybersecurity vulnerabilities. Having a plan for dealing with security vulnerabilities will be good for your city—no matter the law in your state.

Wondering if your city can effectively handle security vulnerabilities? Reach out to us today.

Wednesday, July 19, 2017
Sarah Northcutt, Account Manager

Sarah NorthcuttMunicipal bonds. One of those long-standing, tried and true ways that your city can fund important projects including downtown development, infrastructure, and schools. As you know, many factors can lower your bond rating such as financial instability or signs of poor management. When your bond rating goes down, it’s harder and more expensive to borrow money.

So why are we, an IT company, talking about municipal bonds in a blog post? Recently, Standard & Poor's (S&P) and Moody’s said they will soon start taking cybersecurity into account when they evaluate the ability for local governments to borrow money.

According to Reuters, “S&P Global has begun to quiz states, cities and towns about their cyber defenses, and some credit analysts are starting to factor cyber security when they look at bonds. Moody's Investors Service is also trying to figure out how to best evaluate cyber risk.”

The article goes on to state that while this currently isn’t part of the three key rating agencies’ processes, signs show that it will eventually happen:

“[Court Street Group analyst Joseph Krist] expects others to follow suit. ‘We went through this with getting munis to ... disclose more pension information. Those were frankly long and painful processes. It just has to get to a critical mass.’”

Both the WannaCry and the most recent Petya global cyberattacks are electrifying lawmakers to take action about cybersecurity. Rules and regulations will only increase and become part of the evaluation process for things like your city’s ability to borrow money.

In other words, not taking care of your cybersecurity means the same level of perceived instability or negligence surrounding a poor financial situation at your city.

Your city remains a big target for cybercriminals. Generally, cities can be easy targets and keepers of valuable, sensitive information. If you want your city to remain able to borrow money at a low interest rate, then you must address the following cybersecurity areas.

1. Prepare for the worst with data backup and disaster recovery.

An essential part of a cybersecurity plan is to assume the worst will happen. When ransomware infects your servers, what happens to your data? You need to be able to access and continue your operations within hours or days. That means having a data backup and disaster recovery plan that accounts for both onsite and offsite backup that’s tested regularly.

2. Proactively fend off viruses, malware, and ransomware through enterprise-level antivirus software.

If a city uses free or consumer-grade antivirus software, then it’s in trouble. Your city needs to use an enterprise-grade antivirus and antispam solution that’s monitored, maintained, and updated by IT professionals. When you use free or consumer-grade antivirus software (often “maintained” by non-technical employees), you are taking on risk—potentially significant risk—by not having expertise and experience on hand to deal with these critical and fundamental systems.

3. Patch and upgrade software to eliminate security vulnerabilities.

Hackers are successful with viruses, ransomware, and malware by exploiting security vulnerabilities in software. That’s why software vendors constantly release patches meant to not only fix bugs and add enhancements but to also shore up security vulnerabilities. Many of the most devastating WannaCry and Petya attacks resulted from organizations not patching their software. You need to regularly patch and upgrade software when needed. The WannaCry and Petya ransomware also exploited computers still using obsolete, outdated software not supported any longer by the vendor. By upgrading software, you ensure it’s supported, patched, and secured.

4. Create cybersecurity policies and procedures for your city.

Many states such as Arkansas and Kentucky include laws and best practices related to local government audits and oversight. In Arkansas, a city can now lose its charter if it’s not following appropriate cybersecurity policy. Your city needs policies that address:

Regular self-auditing with the help of your IT vendor and third parties will help you ensure that you are complying with the law.

5. Train users regularly.

Because cybersecurity threats grow more sophisticated over time, you need to keep users up to speed. Take the time to train them about:

  • Malicious emails and how to know if an email is legitimate.
  • Malicious websites and how to avoid them.
  • Why employees must not use unapproved software or download games and quizzes from the internet.
  • How viruses work and what they can do to your city.
  • How modern forms of viruses such as ransomware work.

Employees especially need to know how their actions can lead to a devastating cyberattack, why they must follow policy, and what consequences can happen to them if they don’t. Many employees like to use their work computers like they use their home computers, but they must understand that certain restrictions aren’t aimed personally at them. These policies are in place to help your city avoid a devastating cyberattack.

Worried about the state of your cybersecurity? Reach out to us today.

Wednesday, July 12, 2017
Dave Mims, CEO

Dave MimsDocument management is an important part of a city’s information technology backbone, and many cities might not realize how much it can help streamline a complex, routine activity such as preparing for City Council meetings. We recently chatted with Bob Schwartz, City Manager of Oxford, Georgia, for some insight about how he uses IT in a Box’s document management feature to make preparing a City Council meeting as easy as possible.

Talk about some of the ways you use the IT in a Box document management feature to prepare for a City Council meeting.

The City Clerk and I use the document management feature to prepare our City Council meeting agenda, and it helps us in several ways. First, the two of us can work with common folders in a centralized place. She can put documents into the folder that relate to the City Council meeting agenda such as copies of the minutes from the last meeting for the councilmembers to approve. I may put in a memo that explains a proposed ordinance or some activity the city has done. We each add to the agenda folder as we go, and it’s an easy way to assemble the documents we need for the agenda.

Second, the document management system warns us if we're both trying to edit the same document. That forces one of us to back out so that only one person can edit at a time. Before we had this document management system, two people might edit the same document at different times—making it harder to reconcile all the edits and different versions later. It's an easier editing process to have one person work on a document at a time, and the document management system enforces that rule. This leads to better collaboration. I'll just tell the City Clerk, "Let me know when you're done and then I'll give that document an edit."

This is a process we go through every two weeks because we have two Council meetings a month. It’s now just second nature to put our information into the document management system, let the City Clerk take a final look at it, and assemble the agenda. When we’re done uploading and preparing our information, she emails the agenda to the Council. Then, everybody gets to look at it.

In fact, we've set up the agenda in the document management system so that councilmembers can look at the files but only the City Clerk and myself can edit the files. Setting up permissions—who can edit and who can just review—along with restricting access so that only one person can edit at a time helps keeps documents accurate and clean. Occasionally, a councilmember may look at a draft version of the agenda before we’re finished and say, "How come that's on the agenda?" Then, you can either explain it or say, "It's not finished yet. It may change later." However, we make it clear that an agenda is in draft form rather than a finalized form.

Third, we also use the document management system’s calendar function to schedule our meeting room so that we can't schedule a meeting when someone else is already using it. While it's not a heavily used meeting room, it still makes sense to reserve it through this tool instead of assuming the room will be open. That’s another way the document management tool helps streamlines the process of a small but important logistical detail of preparing for a City Council meeting.

Why is this document management feature better than other alternatives?

Well, without any document management tool, we would email documents back and forth. In that scenario, it’s hard to tell what’s the latest version, who’s editing what document at what time, and if two people are editing it at the same time. There’s a lot of potential inefficiency there and room for mistakes.

On the flip side, there are fancier and more elaborate programs to prepare an agenda and those might work when there are many people contributing and collaborating. For a smaller city like ours, the IT in a Box document management feature is perfect. We only have a couple of people contributing and collaborating, so we don’t need a specialized agenda preparation package. Sophicity’s tool works just fine.


Bob’s experience with the document management feature reflects the needs of smaller cities with a few people on staff who still need to collaborate over often complex City Council agendas. Having uncertainty related to documents and grappling with a chaotic process through email just adds problems that you don’t need—or have to put up with.

A document management solution like the one Bob discusses also helps cities:

  • Protect city records in a safe location.
  • Apply record retention schedules. Automated tasks can be set within the document management system to follow your record retention schedules and apply them to documents.
  • Scan paper files to free up file cabinets and floor space. This also eliminates the risk of permanently losing paper files in a fire, by flooding, or by theft.
  • Easily search for documents based on their content as well as data fields. This especially helps when you need to respond to open records requests.

Want to learn more about how document management can help your city prepare for City Council meetings? Reach out to us today.

Monday, July 10, 2017
Victoria Boyko, Software Development Consultant

Victoria BoykoDespite the perceived importance of ADA-compliant websites, many city websites do not comply with best practices that help disabled people access content. While ADA, W3C, and other organizations provide detailed guidelines and best practices, very few enforceable laws exist to keep cities accountable. Plus, even if a website designer follows all ADA best practices, a city employee may upload content to the city's website that doesn’t meet these requirements.

While some signs exist that the Department of Justice may create enforceable ADA-related website regulations in 2017, it’s not definite at this time. But that doesn’t mean your city should ignore ADA-compliant website best practices.

By making your website ADA-compliant, you:

  • Help extend your website services to disabled people.
  • Improve the overall functionality of your website.
  • Anticipate following future laws and regulations that may be expensive to correct later.

If you haven’t thought about ADA compliance for your website, then where should you start? While existing guidelines cover a lot of technical ground, here are some best practices that should be easy to tackle with the help of your website designer and whoever creates and uploads content to your website.

1. Describe images with text.

Many people just upload an image to a website as quickly and simply as possible. However, there should be an option on the back end of your website to provide alternative text (or “alt text”) for an image. For example, if you place a picture of city hall on your website then the alt text may say “Picture of city hall on a sunny day.” If someone is blind or cannot see very well, they may use a screen reader tool that describes all images on a page. When you fill out the alt text, you make images “readable” and accessible to people with vision problems.

2. Provide alternate ways to access video and audio content.

Videos and audio files (like podcasts) have become more and more embraced by cities. But what if someone can’t see a video? Or what if someone can’t hear the audio? Provide alternate ways for people to access the content. For example:

  • Offer closed-captioning for videos with audio content. Some video services will do this automatically for you (although it’s a good idea to spot check the quality of the closed-captioning) or you can do it manually.
  • Offer transcripts for videos and audio files.
  • In some cases, a summary description may be sufficient for visually-heavy videos with little spoken word or a lack of heavy substance.

3. Provide a clean, simple navigation and website structure.

If your website is a structural mess, then it will be even worse for people with disabilities who try to navigate it with screen readers or keyboards alone. Your website’s information architecture (meaning the way your webpages are structured and organized) needs to be as simple and clean as possible. For example, you wouldn’t want to clutter your homepage with a dozen things about your city’s history while barely mentioning or providing links to your most important city services.

4. Work with your designers to ensure that people can adjust colors and font sizes with ease.

Many disabled people with vision problems often need to adjust the contrast and sizing on their computers to see what’s on their screen. While the design specifications for ensuring ADA compliance are complex, most modern websites allow disabled people to adjust contrast and sizing. If you’re not sure about your city’s website (especially if you haven’t modernized it in a long time), then ask someone with website design experience to help you assess this aspect of accessibility.

5. All content should be accessible by keyboard alone.

Some disabled people cannot use a mouse and click on website content such as buttons or links. They need to rely only on a keyboard to get to it. If you have content on your website inaccessible by keyboard, then make it accessible as soon as possible. You should also consider adding a “skip navigation” link so that keyboard users can skip the often long navigation tabs (the ones seen on every page). That will save those people from wasting a lot of time.

6. Avoid flashing images.

Luckily, most modern websites avoid flashing images because they look tacky. However, if you are tempted to use them then consider that they may cause seizures in some people.

7. Follow writing best practices.

Write simply, clearly, and concisely. This is a good best practice anyway but it also helps disabled people who need information stated as clearly as possible. Rambling text, typos, and bad grammar prevent you from communicating to your audience. Consider hiring a professional writer to write your content if you’re unable to ensure a high writing standard.

8. If you hyperlink text, then make sure it’s descriptive.

“Click here” is not descriptive. “January 5, 2017 City Council Agenda” is descriptive. When disabled people use screen readers, they often look for links to take them to another webpage. Make the text you hyperlink contain a specific description instead of something vague.

9. Post website documents in an accessible format.

Unfortunately, screen readers cannot always read PDF documents. When publishing documents on your website in PDF, Word, or other formats, make sure they pass an accessibility test or post the documents in an alternative text-based format such as HTML or RTF (Rich Text Format).

If the thought of converting tons of PDF documents to HTML or RTF horrifies you, then talk to your IT staff or vendor. You may be able to find a tool that can convert your PDFs to accessible HTML. Then, it’s a matter of going through the PDFs you offer on your website and creating accessible HTML versions of each document.

10. Avoid cutting and pasting pre-formatted content to your website.

When city employees upload content to websites, we often find that they make the mistake of posting pre-formatted content. For example, people may cut and paste content from a Microsoft Word document to the city’s website. The problem? Microsoft Word content contains a lot of HTML code that makes sense when you’re working in Microsoft Word—and not so much sense when you transfer it somewhere else. That’s why what looked great in your word processing software can look awful on your website.

Usually, cutting and pasting into Notepad first (a free application that comes with nearly all computers) and then cutting and pasting the Notepad version into your website’s content management system will remove junk formatting and convert your words into clean, plain text.


Following these best practices will give you a good head start for making your website ADA-compliant. For more detailed best practices, refer to the following resources.

Website Accessibility Under Title II of the ADA

Web Content Accessibility Guidelines (WCAG) 2.0

Need help assessing the ADA compliance of your website? Reach out to us today.

Monday, July 03, 2017
Nathan Eisner, COO

Nathan EisnerRansomware strikes again—or is it really ransomware? Just over a month after the global WannaCry ransomware attack, a new vicious virus dubbed “Petya” has been infecting computers worldwide in over 65 countries (including the United States). Most of the computers infected (about 80%) were in the Ukraine, but the virus still spread itself far around the world by attacking vulnerable servers and computers.

Petya 101: Getting You Up to Speed

While similar to WannaCry, Petya has some important differences and distinctions.

  • Petya is a variant of ransomware but does not give you a chance to get your files back. Ransomware is a type of virus that encrypts your files and documents. The criminal then asks for a ransom within a specific time period (such as 72 hours). If you pay, then they (may) decrypt your files. If you don’t, you permanently lose access to those files. However, Petya encrypts your files like ransomware but doesn’t give you a chance to get them back. According to The Verge, “It looks like the program’s creators had no intention of restoring the machines at all. In fact, a new analysis reveals they couldn’t; the virus was designed to wipe computers outright.”
  • Petya originated from a leak of National Security Agency (NSA) data that indicated a security vulnerability in Microsoft Windows operating systems. Like the WannaCry ransomware cryptoworm, hackers stole information about this Windows vulnerability from the NSA and used it to create the Petya virus.
  • Petya had its biggest impact on June 27, 2017 and experts conjecture it may have been a nation-state attack on Ukraine disguised as ransomware to throw the media off the scent.

Why Your City May Be in Serious Danger from a Similar Attack

While the damage from this recent cyberattack was mostly limited to the Ukraine, Petya was still a sophisticated attack with a wide reach, mostly hitting organizations that did not follow three important technology best practices. These kinds of cyberattacks are not going away—and your city may be a ripe target for the next one.

This is important for cities to realize: It’s likely that your city has a good chance of experiencing a devastating WannaCry- or Petya-like cyberattack that leads to permanent data loss if you don’t follow the three best practices below.

1. Failing to regularly patch your software.

Microsoft released a Windows security patch in March 2017 that prevented Petya from affecting an organization. According to Inc., Petya “exploits an old vulnerability in Microsoft Windows for which Microsoft issued a patch (to fix the vulnerability) several months ago. The sheer number of parties infected within the last 24 hours likely testifies to the failure of so many organizations to consistently patch their systems.”

Yet, so many organizations—including cities—do not patch their software on a regular basis. Excuses are plentiful. City staff have too much on their plates. Reactive IT vendors do not get paid to do proactive IT maintenance. Nothing appears broken, so why fix it. It’s not a priority. Et cetera.

But when you don’t regularly patch, you miss out on security updates. Software vendors plug holes that hackers can exploit. When you don’t apply patches, it’s like leaving a back door open in your house. Organizations that did not apply the March 2017 Microsoft patch left this back door wide open.

2. Failing to back up your data.

Because the Petya virus encrypts your data and offers you no chance of getting it back, then there’s a high chance of permanent data loss if you don’t have an appropriate data backup and disaster recovery solution. This means your data backup needs to be completely separate from your files and information. After all, you don’t want a virus to infect your backups too. Your data backup solution should include an onsite and offsite component, and it should be tested regularly.

3. Failing to modernize your technology and get rid of legacy systems.

This issue has become so prevalent across federal, state, and local government that proposed legislation such as the Modernizing Government Technology (MGT) Act specifically addresses IT modernization. In 2017, there is no longer a “nice-to-have” argument about modernizing technology. Instead, modernized technology and cybersecurity are increasingly seen as one and the same thing. Recent attacks like WannaCry and Petya are now referenced by legislators pushing IT modernization bills—and they see these cyberattacks as both a national security and citizen privacy/protection issue.

For cities, it will become more and more negligent to cling onto old legacy hardware and software that uses obsolete, unsupported, and unsecure technology. While budget is always a concern, the costs of a cyberattack—financially, legally, and politically—can be far worse. States such as Arkansas have even passed laws threatening to revoke a city’s charter if they don’t comply with the law through using appropriate, secure technology.


Yes, the Petya virus is scary for any organization that fails to implement basic IT best practices such as patching, data backup and disaster recovery, and keeping technology modernized.

If your city isn’t following the three best practices above, you are at risk for a ransomware attack. Reach out to us today with any concerns.

Wednesday, June 28, 2017
Brandon Bell, Network Infrastructure Consultant

Jabari MasseyA recent report from an antivirus company pointed out that software not kept up-to-date is one of the biggest cybersecurity risks. In an article talking about this report, ITProPortal highlights common forms of software that are usually outdated. Quite often, they include well-known but free software such as PDF readers or media players that people often download because they or their employer don’t want to pay for software.

For cities, not updating software poses many dangerous cybersecurity risks. Using the ITProPortal article as a great starting point, we will delve deeper into some of these risks—and why you need an experienced IT vendor managing and overseeing your software.

Risk #1: Letting employees use unauthorized and/or unmanaged software.

We recently wrote a post about the risks of employees downloading unauthorized software at cities. To quickly recap, you don’t want employees downloading their own software because:

  • They will not necessarily reliably patch and update it.
  • They may not know the difference between malware and a legitimate software application.
  • They will not be able to get reliable IT support for the software they download.
  • They may be breaking the law or city policy by the way they exchange or store data with the software.
  • They will not necessarily be able to retrieve data if it’s lost.
  • Unauthorized people may have access to data.
  • The software may conflict with your systems.

As you can see, even if you’re okay with employees downloading whatever software they want, these risks still apply. That’s because employees will not necessarily vet software properly, exposing you to malware or security holes such as a backdoor for hackers to enter your systems.

Risk #2: Relying on employees to update authorized software.

Okay, so let’s say your IT staff or vendor has completely authorized the use of certain software. They chose it and installed it. That’s great. But sometimes they may take the approach of letting employees update it. Maybe employees prefer to do it, or maybe your IT staff or vendor likes to dump a little tedious work off their plate.

Not good! It’s still a risk to rely on employees to update authorized software. First, employees are notorious for not updating software. And for good reason. It’s not their primary job or responsibility, and they have enough to worry about. Second, even if employees do update it themselves, many things can go wrong. Sometimes a technical reinstall of the software is needed, sometimes an update fails, and sometimes an employee may click the wrong option and mess up their computer. And third, employee productivity slows way down when they have to deal with software updates, some of which can take a long time.

Instead, your IT staff or vendor needs to manage, install, and regularly update all authorized software to ensure security, quality control, and compatibility with your systems.

Risk #3: Uncertainty of getting proper IT support.

If you don’t have IT staff or a vendor managing your software updates, what happens when a technical problem occurs? Does a non-technical employee submit a support ticket to the software vendor? What do you think the quality of response will be (if any) if the software is free?

Vendor management is a crucial aspect of professional IT support—and that includes handling updates and technical issues with vendors of your authorized software. Let IT professionals handle technical issues related to updates.

Risk #4: The chance your employees might not comply with policy and the law.

We mentioned this point briefly in Risk #1 but it’s worth expanding on here. If employees resist and rebel against efforts to only use authorized software, then the potential for law-breaking may wake them up. If this seems a bit extreme, then ask yourself if you’re comfortable with your city employees doing the following three things:

  • Knowingly or negligently downloading unknown software that may contain a virus or malware that exposes citizen data and confidential information to a hacker.
  • Using software that stores data outside of authorized channels, possibly giving unauthorized people access to private and confidential data.
  • Storing data through software that isn’t properly backed up or archived, risking permanent data loss and/or an inability to respond to an open records request.

Software management and maintenance needs to include an awareness of policy and compliance with the law. Otherwise, your risk and liability increases through negligence.


So, what’s the status of your software? Is it up-to-date, authorized, and in full compliance with the law? If you have any uncertainty, reach out to us today.

Wednesday, June 21, 2017
Dave Mims, CEO

Dave MimsRecently, I gave a presentation at the 2017 Arkansas Municipal League Annual Convention about cybersecurity. As part of a training session entitled “Information Security and Data Recovery: Why It Matters” that also featured a presentation about disaster recovery by the Arkansas Continuity of Operations Program (ACOOP), I ended the session with some caution about cyberthreats, increasing federal and state cybersecurity legislation, and the need to comply with cybersecurity best practices.

I reminded cities that cybercrimes affect all cities, not just big ones. Federal and state compliance is getting serious. In May 2017, the President signed a cybersecurity executive order requiring departments and agencies to follow the same cybersecurity standards and best practices placed upon the private sector. And Arkansas signed SB138 into law in March 2017. Arkansas cities can now lose their charter from noncompliance with IT-related accounting practices.

No longer a recommendation, cybersecurity compliance is now becoming a very serious requirement with real implications.

Check out my entire presentation here. In it, you’ll read in more detail about:

What? - What do I need to know?

  • Passwords
  • Virus Attacks
  • Data Backup
  • Security Updates
  • Physical Security
  • City Websites

How? – How have some real cities been impacted?

Based on real cities, I provide examples that accurately represent what we often see at cities. Cyberattacks are costly, destructive, and embarrassing for cities.

  • City #1: Virus initiates $90,000 transaction!
  • City #2: Virus deletes financial data!
  • City #3: Virus hacks city website!

Help! – Where is help!

  • The Arkansas Legislative Audit requirements
  • The Top 10 most common Arkansas Legislative Audit Issues
  • Some new Legislative Audit considerations
  • New laws that show the federal and state government getting serious about cybersecurity
  • IT in a Box - a review of the latest IT in a Box developments that help resolve these issues
  • How IT in a Box drives Legislative Audit compliance

Takeaways

  • Is your city at risk from a cyberattack? Data loss? Unauthorized access (external or internal)? Erroneous changes? Website?
  • Is your technology dated? Unlicensed? Unsupported? No longer maintained? Still using paper?
  • Are you frustrated with anything (or even all things) IT?
  • Are you unable to meet legislative audit compliance?

When you subscribe to IT in a Box:

  • Cyber protection is provided and proactively managed.
  • IT needs are addressed and technology is proactively kept modern.
  • Legislative Audit compliance is met in Arkansas and proactively maintained.

Questions about your ability to fend off cyberthreats? Reach out to us today.

Wednesday, June 14, 2017
Dave Mims, CEO

Dave MimsIf you’re a mayor, councilmember, city manager, city clerk, police chief, or other person with a prominent role at your city, then this kind of story is your worst nightmare.

 

Front Page News 

 

Don’t let your city be the “YOUR CITY” in the story above. This story represents what’s becoming a common, often publicized occurrence for local government entities around the United States. Just a few recent examples in the news include:

  • Licking County, Ohio: A ransomware virus crippled government operations (including the county’s 911 system) as employees did not have access to computers and phones for a week.
  • Cockrill Hill, Texas: A ransomware virus led to the loss of “all bodycam video, some photos, some in-car video, and some police department surveillance video…”—which negatively impacted active criminal investigations.
  • Bingham County, Idaho: A virus infected the county’s data backup servers and knocked “the entire system offline.”
  • Springfield, Florida: The city let their old website domain name lapse. An individual bought the old domain name and turned it into a porn site—offending citizens who still checked the old website link.

Sadly, some simple preventative technology measures could have spared these cities and counties major pain, embarrassment, and unpredictable costly expenses.

If our newspaper story above strikes a chord with you, it’s not too late. But you need to act before a disaster happens—and not after you wind up in the paper as front page news. If you are an elected official, you create great risk for your community by not taking proactive steps. And if you are a hired professional or staff member of the city, you additionally jeopardize your position by not taking proactive steps.

So what can you do? Plenty—but here are three of the most basic technology fundamentals that you need.

 

1. Proactive Cyber Protection

Too many cities still reactively deal with technology. Usually, the excuse is cost. But think about preventative care and maintenance in other areas of your life. Personal health through diet, exercise, and physicals. Cars through service checkups. Houses through constant upkeep such as cleaning, maintenance, and repairs.

Technology is no different. If you never take care of servers and computers on an ongoing basis, then you will experience the inevitable crises. Software won’t work. Computers will freeze. Your website will go down. Even if you have an hourly IT person or vendor come in every now and then, it’s not enough because you never address the root cause of your technology problems.

Plus, a lack of proactive IT monitoring and maintenance risks two especially bad disasters:

  • Permanent data loss: If non-IT staff is trying to handle data backups, if you aren’t testing your data backups, and if you don’t have an active offsite data backup solution, then you’re at risk of permanent data loss.
  • Data breach: You think you’re saving money from not paying for proactive IT support? Then just wait until you experience the cost of a (preventable) data breach. The legal repercussions are costly and immense. If you’re not using proactive IT support, then your cybersecurity is likely weak—whether from unmonitored consumer-grade antivirus software or poor server configuration. And cities are ripe targets for hackers.

In a vendor, you’re looking for experienced engineers who will constantly monitor, manage, and maintain your technology. A combination of monitoring tools, ongoing patches and updates, and senior IT professionals looking for red flags and problems before they happen will significantly reduce the chance of a crisis.

 

2. Data Backup

Cities often make critical mistakes with data backup that involve the following:

  • Lack of any data backup at all: This doesn’t require much analysis. Obviously, it’s dangerous and negligent not to back up data.
  • Lack of professional, automated data backup: This includes cities that rely on outdated, manual, and/or inefficient forms of data backup such as tape backup, external hard drives, thumb drives, or other kinds of media. You may even rely on non-technical city staff to manually handle these backups around their already busy schedules.
  • Lack of proper offsite data backup: Even if cities maintain proper onsite data backup, they are often not prepared for a worst-case scenario such as a fire, tornado, or flooding. If city hall is destroyed, their data may be permanently lost because it’s not backed up offsite at a faraway location.
  • Lack of testing. And even if cities maintain proper onsite and offsite data backup, we’ve seen many failures to restore data. Why? Cities assumed the data backups were working, but they weren’t. They failed to test them on a regular basis—and so the data backups failed the city when they needed them the most.

Data backup and disaster recovery—including onsite data backup, offsite data backup, and regular testing—is essential to help you:

  • Avoid permanently losing critical data essential to city operations.
  • Prevent viruses and ransomware from holding your city hostage.
  • Follow the law when responding to open records requests instead of claiming that an email or document “disappeared.”
  • Continue serving citizens even after a technology incident (like a server failure) or a disaster.

 

3. IT Engineers Experienced with Municipalities

Technology problems don’t respect normal business hours. Just ask your public safety department or city councilmembers during evening meetings. Once just a luxury for large organizations, a 24x7x365 helpdesk staffed with IT engineers experienced with municipalities is achievable in 2017 for a reasonable cost.

You may already believe you’re receiving adequate support, but watch out for three problems:

  1. Vendors claiming to provide you 24x7x365 support, but they are just installing software agents on your machines to detect problems. If a problem occurs, there is often no one to answer the phone and additional costs. 
  2. Vendors providing weak support by staffing their helpdesk with inexperienced, junior-level technicians or cheap offshored support that doesn’t provide much help. Plus, they usually know little about the nuances of municipalities such as IT problems with city hall or public safety.
  3. Vendors that may provide 24x7x365 helpdesk support but it’s not bundled into your monthly fees. As a result, you receive unpredictable, costly bills every month when you experience the inevitable problems that require you to call helpdesk support.

While many more areas of your technology may need addressing, your city absolutely needs to deal with these three aspects. They are essential. They impact your everyday operations and have a high likelihood of leading to a data breach or permanent data loss.

If you’d like to begin the process of modernizing your technology (and staying off the front page of your local newspaper), then contact us today.

Tuesday, June 06, 2017
Ryan Warrick, Network Infrastructure Consultant

Ryan WarrickFor as long as you’ve used email over the course of your life, you’ve also had to deal with spam email. Like weeds in a garden, spam seems like an inevitable part of using email. Why is it so hard to stop spam? That’s a great question, and it takes us into some important aspects of email that can give anyone a headache. While spam is here to stay (for now), there are some ways to lessen the “weeds” in your email garden.

3 Reasons Why Spam Is Hard to Stop

Spam is hard to stop mostly because of flaws with underlying email technologies combined with the persistence of professional fraudsters.

1. Email addresses are easy to spoof.

Have you ever received a spam email from one of your friends or colleagues? Or an email that seems like it comes from a familiar company? Spammers can set up servers and use software that help them create emails appearing as if they come from a legitimate email address.

While some progress has been made with ways to combat email spoofing, many email service providers and organizations hosting their own email servers don’t use these methods. Plus, spammers often stay ahead of the game by using better and better email spoofing technology and techniques.

2. Email filtering is never an exact science—and always a problem.

In a perfect world, every single legitimate email would land in your inbox and every single spam email would land in your spam folder. But that’s nearly impossible due to the imperfections involved in filtering emails. When emails get filtered, they are filtered automatically based on rules both automatically and manually set up.

The good news? Most spam never even makes it to your spam folder, so email service providers keep getting better with filtering. But for those less obvious spam emails that make it to your spam folder, it’s not uncommon to find legitimate ones. That’s why you need to occasionally check your spam folder to make sure you’re not missing legitimate messages—and also why an occasional spam email may make it into your inbox.

3. Spammers keep adapting as technologists improve antispam techniques.

Recently, the US Justice Department coordinated with Spanish law enforcement to arrest Peter Yuryevich Levashov—a Russian spammer whose operation infected approximately 100,000 computers around the world. According to Wired, “Levashov had long run the Kelihos botnet, a global network of infected computers that collectively flooded email inboxes worldwide with spam, stole banking credentials from infected users, and spread malware across the internet.”

We include this example to show that professional fraudsters are often behind most spam. As a form of organized crime, these fraudsters run sophisticated operations and know what they’re doing. That’s why it’s hard to eliminate spam entirely. These criminal professionals constantly evolve their spam techniques, learn what works and what doesn’t, and adapt.

3 Ways to Weed Out Spam

Despite these issues, it’s still possible to help weed out spam and lessen its impact. Here are three things you can do.

1. Use an enterprise-grade antispam solution.

Depending on the email solution you use, your antispam may not be up to the task of combatting spam—especially if you’re relying on a consumer-grade or manual solution. With an enterprise-grade email solution monitored and maintained by IT professionals, you will have much stronger antispam capabilities that keep you more secure.

2. Train users not to open or click on suspicious attachments.

Even the best antispam solution can’t stop a city employee from clicking on a suspicious email attachment. In 2016, the Verizon Data Breach Investigations Report noted that “30 percent of phishing emails get opened.” If 30 percent of your employees are likely to open a spam email, then you need to offer training and communications about the dangers and liability of opening suspicious email attachments.

And even if users simply open a spam email to look at it without clicking on anything, it tells the spammers that you opened it. Spammers see an “open” as a sign of interest, and they will send more spam emails your way.

3. Tell users not to share their work email address on the internet.

Many spammers get email addresses off the internet by “scraping” websites. Also, you may get a lot of legitimate but still annoying spam when you share your email address on websites for various reasons (such as shopping online, interacting with businesses, subscribing to online publications, etc.). Many legitimate organizations sell your email address to third parties that will barrage you with marketing emails.


Like weeds, spam will never fully go away but you can take steps to lessen its impact. If you’re struggling with spam and need help with some “weeding,” reach out to us today.

Tuesday, May 30, 2017
John Miller, Senior Consultant

John MillerIn the news, we’ve seen plenty of times when government employees get into a lot of trouble by using software that’s not approved by government entities. From private email servers to encrypted messaging apps, big problems occur when government employees download software outside of IT policy.

As a recent article by Governing points out, the risks of “unsanctioned software” or “shadow IT” ripples all the way down to local government. According to the article:

Security is the biggest problem with shadow IT. Whether the software is American or foreign, it often doesn’t meet the strict security standards set by government cybersecurity protocols. Popular file-sharing apps, for example, allow users to easily upload, store and download files, but they may contain viruses or malware that can spread and infect a state government network.

Plus, it’s easier to install software nowadays. With so much cloud software dominating our lives, city employees usually don’t need to purchase physical software, stick a CD into their computer, and install it. Cloud software is ready to go in seconds and…boom! Employees start using it immediately.

While downloading such software may be fine at the employee’s home, remember that you’re an important government entity—a municipality that needs to protect critical citizen information and comply with important laws.

The Governing article gives a great overview of the problem but doesn’t go into many security specifics about why you need to guard against city government employees who download unauthorized software. Here are 7 questions to ask yourself about this software.

1. Who is patching and updating the software?

Software needs regular patching to fix bugs and security holes along with updates to improve performance. With authorized software, your IT staff or vendor oversees this updating and patching. If an employee downloaded the software, then critical security holes could stay open to attackers for months.

And even if employees think the software automatically updates, it’s not unusual for something to go wrong. Who is checking for this? Who is hoping things will go wrong?

2. How do you know you haven’t downloaded a virus or malware?

Employees mistakenly downloading viruses and malware—including from downloading malicious software—remains one of the leading ways that cities suffer disruption and permanent data loss. This is especially a risk when employees download lesser known software that looks appealing on the surface but is riddled with malware or viruses—giving hackers a back door to your city.

You might say, “But my employees only use well-known software.” Even if that’s the case, downloading software on their own still introduces risk. We told a story a few years ago about a tech-savvy colleague of ours who, while not a IT professional, has been involved in the information technology field for over 10 years. He downloaded what he thought was a well-known internet browser that looked like it was from a legitimate website and ended up downloading a virus. So even for “common” software, don’t take the risk.

3. What happens if your employee needs helpdesk support?

Let’s say your employee runs into a problem with an unauthorized cloud spreadsheet application. The file got corrupted somehow and then they lost access to it. Well...it’s not authorized software. Your IT staff or vendor may try to help, but success is not guaranteed.

Why? When your IT staff or vendor supports authorized software, they have installed it, updated it, patched it, maintained it, monitored it, and established a relationship with the vendor. That’s why they can easily help with authorized software problems. None of that knowledge and support framework exists with unauthorized software. When it runs into problems, you’re pretty much stuck.

4. Are you sure that your employee isn’t breaking the law?

This problem crops up with software that stores documents and communications outside of official city government channels. When you receive an open records request, then what do you do if employees are using personal cloud software like Google Docs, Yahoo email, or a file-sharing service like Dropbox. Bring out the lawyers. You’ll need them.

More importantly, these documents and communications may not follow city government security standards. A state like Arkansas is now legally permitted to take away a city’s charter for such security gaps—and other federal and state laws look like they will eventually follow suit.

5. What happens if you lose data?

While an employee may take the initiative to back up data stored on unauthorized software, don’t hold your breath. It’s probably not happening, not happening frequently enough, or not being tested to make sure they can restore data if it’s lost. By contrast, authorized software is usually backed up professionally and overseen by IT staff or a vendor.

6. Do unauthorized people have access to data?

Government data within applications such as financial software, document management systems, and email is usually locked down and only accessible by authorized users—with user access managed by your IT staff or vendor following strict policy. With unauthorized software, who has access to sensitive data? What if your employee accidentally publicly shares a Dropbox link to documents containing sensitive information? Are you seriously relying on the individual judgment of one employee using unauthorized software rather than locking down authorized software that follows a city-wide policy?

7. What happens when software conflicts with the employee’s machine or device?

On a more tactical level, people often do surprising things when they download software. If they have an old desktop or laptop, they may download new software that the machine or operating system just can’t handle. Then, their computer breaks and guess who they call in a panic? Your IT staff or vendor.


We know. This is a tough problem to solve. It’s hard to police the use of authorized software and root out all unauthorized software. While the problem may never fully go away, you can:

  • Create a clear policy about unauthorized software and the consequences for using it.
  • Provide a reminder about security risks such as data breaches, permanent data loss, and breaking the law.
  • Provide a list of approved, authorized software and a contact number for questions if employees want to confirm the use of a particular kind of software.

Think you have a problem with unauthorized software at your city? Reach out to us today. We can help.

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 |