gave a presentation at the 2016 Arkansas Municipal League Annual Convention
about cyberthreats. As part of a three-hour training session entitled “Working
in a Social World” that featured Arkansas cities (including Gravette,
Fayetteville, and Mayflower) sharing various social media successes, I ended the session with some
caution about cyberthreats. Cyberthreats threaten the technology that underpins
many of these social media successes—and my observations were tailored to
complement the overall discussion.
Overall, I addressed how to protect cities from cyberthreats. A
cyberattack does more than just shut down a city’s IT operations. Today, we see
incidents where hackers and some “hacktivists” hold a city’s information for
ransom. These attacks can be very dangerous to cities and need fending off.
Check out my entire presentation here. In it, you’ll read in more detail about:
Based on real cities, I provide examples that accurately represent what
we often see at cities. Cyberattacks are costly, destructive, and embarrassing
When you subscribe to IT in a Box:
Questions about your ability to fend off cyberthreats? Reach out to us today.
attempted a $90,000 transaction from my machine. What do I do?
sink in. As the finance officer, city clerk, treasurer, or city manager, how
would you feel? What would you do? How did it happen? Where would you look?
person, externally or even internally, attempts to steal money or data from a
city, investigators will start looking for information to help them find the
culprit. So, what information will lead them to finding the person who
committed the crime?
your city may not have the right policies in place to not only prevent
unauthorized access to information but also to track who accesses it, what’s
accessed, and when it’s accessed. That leaves your city with security holes
that open you up to hacking, theft, and even fraud.
What can you
do as a city to make sure only authorized users have access to sensitive
information? Look carefully at the following areas.
with making sure your systems and software allow you to set different levels of
permission for different users. For example, some users may not need access to
payroll information. Modern technology systems allow for granular user
permissions within servers, websites, and applications. If you don’t set these
permissions appropriately, you risk users looking at information that they
should not access—and they may possibly misuse, change, or delete that
information. Users should only be able to access information relevant to their
overlooked, it’s important for cities to physically secure important technology
like servers. An unauthorized person should not have physical access to your
servers or be able to walk into your server room as if it’s the breakroom. All
it takes is one disgruntled employee to steal information or damage your computer
equipment and hardware (which may lead to permanent data loss). Secure rooms
with servers so that only authorized employees can access them. Require use of
a key fob or similar security checkpoint.
to physical access, wireless access is another common security hole. Cities are
at risk when they leave wireless access open and unencrypted, or if they use
weak or well-known default administrative passwords for securing wireless
devices. Hackers can easily hop onto your network through these access points
and begin sniffing around your most sensitive information right from the parking
lot. You need to keep your wireless access password protected with a strong
password, encrypted, and limited to authorized users.
employees sometimes need access to a city application through a secure remote
connection to a server. But it needs to be logged and tracked. Too many cities
don’t track and monitor who logs on and when they log on. This creates security
problems. If you don’t know the identity of someone logging in, or even that
they’re logging in at all, then how do you know that it’s an authorized user?
By tracking remote access, you make sure that only authorized users are
accessing your servers and applications.
authorization vulnerabilities that cities face are not just addressed by technology.
Addressing them begins with setting policy. Cities need to set the right
policies and work with their technology staff and vendors to implement
training, processes, and technology to meet these policies. If your current
technology systems cannot handle these demands, you may need to modernize your
technology in order to accommodate current security requirements and best
practices for government data.
Questions about how to begin addressing these gaps? Reach out to us to further discuss these areas.
you get in one morning to work and you’re checking your billing records in a
city database. You discover that three important billing records are missing.
Gone. No one is supposed to delete those records. You have a serious situation
on your hands. Was it an accident? A data breach? You need to figure that out.
So, what do
you do next?
One of your
next steps is for your IT staff or vendor to check the logs. What are the logs?
Let’s learn a bit of Logging 101 and then look at some critical problems a city
can have by neglecting proper logging practices.
a lot of the technical aspects of logging and just focus on the important
business aspects for your city. First, logging has two primary purposes.
staff and vendor depend heavily on logging for information to diagnose
technical issues. That’s why you might hear an IT engineer say, “Let me look at
the logs” when a problem is reported. Those logs often provide clues to the
root of a problem.
logging for most systems requires some technical background. The detail level
can vary. For example, some systems log a literal play-by-play of every little
thing that goes on. It can track that John Doe opened an application, entered
his password successfully, successfully launched the application, accessed a
specific module in the application, etc. Others provide more basic information
such as that John Doe opened the application, closed the application, etc.
look at two problems related to logging that may lead to critical security problems.
back to our example in the introduction. Let’s say you call in an IT vendor to
investigate and they report to you that there have actually been 42
unauthorized billing record deletions over the past six months.
you’ve got yourself a problem. The unauthorized deletions are a data breach—whether
it’s an internal employee making mistakes or an outside hacker doing it
on purpose. More importantly, it’s clear that your city hasn’t had someone
overseeing the logs. You’re capturing important security information but you’re
not reviewing it.
returning to our example in the introduction, let’s imagine you don’t have
logging enabled. That means you have little to no information about who may
have deleted those billing records—and when. It’s like having a bank without
security cameras or a court proceeding without recording or transcribing it. If
something goes wrong, you can’t go back and figure out what happened.
IT staff or vendor will need to use logging for technical diagnostics, they
should also reassure you that logging is enabled to:
you simply lack important information that helps you diagnose and get to the
bottom of data breaches and other security issues.
Questions about your logging and information security? Reach out to us.
Even if it’s
not yet law to audit data backups at your city, you will sooner or later be
held more accountable. It’s inevitable. Cities increasingly store critical,
essential, and sensitive electronic information, and so expectations about the
quality of data backup will only grow. In fact, some states already require
local governments to demonstrate proof of rigorous data backup for critical
and/or specific kinds of information.
Law or not,
it’s beneficial in every way for you to make sure your data backup is
comprehensive and stands up to an audit. What do you need to keep in mind to
shore up data backup gaps? Here are five critical areas.
still don’t properly store data backup offsite. They may think that an
“offsite” location such as an employee’s house, another city building, or a
data center several blocks up the street will suffice. But full disaster
recovery means you need to account for disasters that can threaten your entire locale
such as a hurricane, tornado, or flooding. As a result, you need to consider
offsite locations far away from your city. For example, some cities store data
offsite in both East Coast and West Coast data centers.
IT staff or vendor can help with planning, a majority of your plan will rely on
city policies and needs rather than technology decisions. For example:
to these questions will influence how you approach your data backup strategy.
Why do so
many cities fail at their data backup? It’s not because they don’t have any
data backup in place. It’s because they don’t test it. Testing is an absolutely
crucial step to make sure that your data backup works. By testing at least once
per quarter, you will identify major problems (such as failures to restore data)
and minor problems (such as a backup missing certain kinds of data).
recovery addresses information essential to running your city. You need to
clearly identify the data and information that you can’t live without. That
way, after a disaster hits you can focus on the most essential operations first
to get them up and running. If you don’t identify this data, your recovery may
be slowed as information gets restored that isn’t helpful or crucial to city
want your city to remain operational through any technology incidents or
disasters. In case things go wrong, you want to think through situations
ranging from a server failing to how teams may work remotely after a disaster
hits city hall. It also helps to make sure you have IT staff or a vendor with
multiple engineers at your disposal who can recover your city’s data in case
your primary IT point of contact is incapacitated for some reason.
you want to make sure you recover your most critical data as quickly as possible
after a disaster and remain operational. Remember, your citizens will rely on
you even more heavily during a disaster. You need to make sure you’ve got the
data to help them.
Questions about your data backup? Can you recover your critical data after a disaster? Reach out to us today to chat about your data backup and disaster recovery.
In last week’s blog post, we discussed
five benefits related to VoIP. But let’s say you’re already sold on switching
over from your existing landline system. You might wonder, “What do I need to
While VoIP technology ultimately lowers
costs and increases your features and flexibility, you might face
an uphill battle depending on the current state of your technology.
To see if you’re ready for VoIP, let’s take
a look at three key areas that you may need to modernize.
The most important technology for ensuring
that VoIP works similarly to your landline is your Internet service. You need
good, reliable, high speed Internet in order to take advantage of
data-intensive VoIP services. Remember, VoIP uses an Internet connection to
transmit data—so it needs to be fast and reliable.
Here’s a quick reality check for your
city depending on what type of Internet service you have now.
You need to take a look at the age and
quality of your data network infrastructure such as your switches, firewalls,
routers, cables, and related hardware and software. Basically, these technologies
are like the highway and gatekeeper for all of your Internet data—making sure
it moves through quickly and yet keeps out any unauthorized intruders.
When we tell cities that they need to
update data network infrastructure before switching over to VoIP, it can seem
like a “gotcha” moment. However, you need the right data network infrastructure
to handle the VoIP data that will be routed to your employees’ computers, headsets,
and phones. Without new or modern data network infrastructure, you risk garbled
phone conversations and dropped calls—just as if you had a bad Internet
will reduce hardware and maintenance time. But you still need seasoned IT
professionals to help support your VoIP system. First, the switchover project
will involve a lot of complexity. Especially if you need to modernize your
Internet service and data network infrastructure, then you’ll need experienced
engineers helping you through this transition. Second, after you’ve
transitioned over, these IT professionals will need to handle VoIP issues and
problems just like any technology you use. If there are issues with your
Internet, data network infrastructure, or users making calls, then you need
responsive IT support to ensure that problems are dealt with quickly.
the move to a VoIP phone system is usually worthwhile (and in time will pretty
much become the norm as traditional landlines fade away), it’s still a monster
of a project. The technology upgrades, implementation of the VoIP system, and
user adjustment involve a lot of moving parts and pieces. But remember, the
benefits are powerful—and the investment definitely is worth it.
switching over to VoIP? Reach out to us today with any questions.
You may have
heard of VoIP and perhaps even already use it. It’s an abbreviation for Voice
over Internet Protocol (VoIP). That’s a fancy way of saying that you make phone
calls over a data network—usually the same connection that gives you Internet
access. So why has VoIP become the predominant technology used for business
revolution started because data networks (such as fiber) have a much higher
capacity to handle data and a greater flexibility to add phone lines and
features when compared to traditional phone infrastructure (such as copper).
should a city choose to move to a VoIP system after using a reliable traditional
landline system for so long? It’s because VoIP isn’t just a nice-to-have
anymore. Instead, this service brings clear bottom line benefits to your city.
landlines may be historically reliable, but they are becoming quite expensive.
First, just the monthly cost of a traditional landline tends to be higher than
a VoIP system. But traditional landlines also saddle you with extra costs when
adding lines, adding features, and maintaining PBX hardware. And as time
progresses, it is going to become increasingly difficult to find support and
replacement equipment for traditional phone systems as they become more
obsolete. Across the board, your VoIP costs are lower. That means lower monthly
costs and no maintenance costs if your VoIP service is hosted in the cloud—and no
long distance charges!
features are one of the biggest pains of traditional landlines. Depending on
what you want, extra features often cost way too much money or they just aren’t
available. With nearly every VoIP system, you get a plentiful variety of handy
features such as call transferring, call forwarding, conference calling,
voicemail-to-email, and softphone capability (meaning you can make phone calls
over your computer like Skype)—all included for no extra cost.
need absolute control over your phone system, there’s no reason to host your
VoIP system onsite. That means it will be hosted in the cloud. Sure, you’ll
still need to buy some handsets. Otherwise, you’re hardware free—no servers or
PBX systems onsite. No more worry about maintaining phone-related hardware.
Think of this technology like an app on your phone. It’s all just data.
One of the
biggest complaints about traditional landline phone systems is the difficulty
of adding new users or a new line. It usually requires someone from the phone
company to arrive onsite and configure your system, leading to more cost and
time wasted while you wait. With VoIP systems, adding new users and lines is as
simple as a click of a mouse. That means you can add users and new lines in
minutes or even seconds.
landlines are isolated in one spot—your handset at your desk. A VoIP phone
system (remember, it’s just data) can follow you wherever you go. For example,
you can install an app on your personal smartphone that acts as a secure
extension of your work phone. Or you can use your computer to make a call. You
can even use any handset in your office as if it’s your business phone. This
aspect of VoIP is especially convenient when you need to make and take calls
while you’re away from your desk or even away from the office.
sold on these benefits, then how do you switch over from a traditional landline
to VoIP? Is it easy or difficult? We’ll talk about moving to VoIP in next
week’s blog post and discuss what you need to have in place.
about your phone system? Contemplating making the switch? Reach out to us today.
A few months
ago, the media was abuzz with reports about Microsoft forcing people to upgrade to Windows 10. If you either read some of these articles or even
experienced Windows 10 upgrade notifications popping up more and more on your
computer, you may be confused and a little frustrated. That’s understandable,
especially when something seems forced upon you.
mean you must upgrade? What should you do? Here are a few tips for cities about
how to handle what may seem like an intrusive Windows 10 upgrade.
This may seem like an odd first tip.
However, it shouldn’t be left up to non-technical employees what to download
and install on their computers at a city. Employees are not IT experts, and it
can be hard to figure out if software updates are going to cause harm to a
computer. IT professionals need to control what software and updates get
installed so that no harm comes to any computer.
One major reason you need IT professionals to decide
whether you should upgrade or not is software compatibility. For example,
you don’t want to upgrade to Windows 10 and then find out your accounting
software doesn’t work properly. And when you call that software vendor, they
might not be able to help you because they aren’t supporting their products on
Windows 10 yet.
non-technical employees or inexperienced IT staff attempt an upgrade but mess
it up somehow, then you are at risk for losing data during the upgrade process.
An experienced IT professional will ensure that your data is properly backed
up—onsite and offsite—to ensure that you can make a full data recovery if
something goes wrong with a Windows 10 upgrade.
say some employees want to upgrade to Windows 10. However, anyone with very old
computers (especially over five years old) may not be able to upgrade because
they don’t have enough memory or processor speed. Dated systems (such as those
found on older computers) no longer supported by a vendor are always a risk.
Users may need a little time to
adjust to the new Windows 10 interface and settings. While many things will
look and work like past versions of Windows, some of the differences may lead
to a rough adjustment period. You may want to build in time for a short
training session to go over the key differences with employees. In addition,
anticipate that users may have questions about the new features, settings, and
look and feel.
It’s fine if
a city is interested in upgrading to Windows 10, but prepare for it first
because your software vendors may tell you it’s an upgrade at your own risk. Your
line of business applications may not yet provide support for Windows 10. Like
any major operating system upgrade, a variety of unexpected problems can occur
that cause a lot of havoc. Windows 10 is getting a better reputation the longer
it’s around, but it’s still a good idea for IT professionals to manage any
installation and make sure you’re not breaking software or losing data.
Do you have additional questions about Windows 10? Reach out to us today.
surface, this might seem like an obvious headline. Of course unlimited offsite
data backup storage is awesome. It’s unlimited! Isn’t that the only benefit
worth talking about?
the “unlimited” aspect alone isn’t enough of a reason to compel every city to
move in this direction with offsite data backup. So, if you haven’t considered
unlimited offsite data backup storage, here are some benefits that go beyond
the simple fact that it’s “unlimited.”
As you can
see, many bottom line benefits result from moving to an offsite data backup
solution that includes unlimited storage. And remember, you’re not doing real
offsite data backup if you’re storing your data nearby—even at different
buildings within city limits. You need to store your offsite data backup in
geographically dispersed locations around the country to ensure full recovery
in case of a major disaster.
Questions about unlimited data backup storage? Reach out to us today.
Patch management—what you might know as
applying updates to software—is often an overlooked and even neglected
task. Sometimes, cities may be too busy to apply them, don’t want to interrupt
employees, or simply don’t think the timely application of patches is a big
deal. Hey, as long as nothing breaks, right?
However, a recent story in the Atlanta Business Chronicle demonstrates exactly
why patch management is important. Take something as innocent as a wireless
keyboard and wireless mouse that you might use with your laptop. As Urvaksh
“Atlanta-based Bastille has discovered a vulnerability in
wireless mice and keyboards that leaves billions of PCs and millions of
networks vulnerable to remote exploitation via radio frequencies. Using an
attack which Bastille researchers have named “MouseJack,” malicious actors are
able to take over a computer through a flaw in wireless dongles, the company
said in a statement.”
As vulnerabilities are found, vendors
create a fix and make a patch available. But those patches still have to be
deployed or rolled out by your IT staff or vendor. Many patches fix security
holes and bugs in software. Not applying patches means that you are leaving
security holes open for hackers to exploit.
Sometimes, cities turn patching off
because they are afraid that an update will break their software. This is bad
because you’re not fixing security vulnerabilities. As cities (and all
government entities) are continually held to higher cyber security standards, a
simple ongoing task like patch management becomes essential.
Do not think you’re doing patch
management when employees download and install Windows Updates to their
computers. Patch management needs oversight by IT professionals. For example,
what happens if you install a patch and it breaks something in your software?
Would you know how to uninstall it and revert to a previous state? IT
professionals know how to test and apply patches, understand which patches are
appropriate, and use strict procedures if something goes wrong with a patch.
An amateur sees patches released by a
software vendor and applies all of them. An IT professional knows that not all
patches are created equal. Before applying patches, they test them to make
sure nothing breaks and no software flaw is introduced. In our case, we run
vendor patches through a variety of server and desktop configurations to test
for errors. We “green light” those that pass successfully and then install them
on your machines. If a patch creates a problem in our test environment, we
don’t apply it. Instead, we communicate the issue to the software vendor. We only skip
testing when the patch is deemed so critical to your security that it must be
Patch management loses effectiveness when
your employees or IT staff apply patches only to machines on your network at your
building and skip machines in other locations. Nowadays, modern patch
management gives IT staff or a vendor the capability to apply patches to
servers and workstations regardless of location. Yes, that means your computer
gets patches applied even if you’re on the road or working from home.
The main takeaway? You need to make patch
management a regular, important part of your IT maintenance. Generally, that
means experienced IT staff or a vendor overseeing patch management as part of
their regular, proactive duties.
Are you patching your servers and computers regularly? Reach out to us with any questions or doubts about your patch management process.
It’s fun to
get excited about ambitious website goals—a new website, a new online payment
function, or a photo gallery highlighting your tourism or downtown development.
Or maybe you’re so focused on day-to-day operational activities that you
haven’t taken a look at your website in a while. Either way, it’s easy to
neglect some obvious things that make your website—and your city—look bad.
your website is often the most common way that people get a first impression of
your city. Whether or not you’ve recently redesigned your website, there are a
few common mistakes that cities don’t realize leave a very bad impression on
citizens, future residents, potential visitors, and businesses.
Here are six
quick, low-budget ways that you can immediately improve your city’s website—no
matter how old or new.
you’re worried about budget for a new website, first take a look at your
current website. Do you have any of the glaring issues listed above? These are
extremely low-budget items to fix that have an immediate, big payoff. Remember,
you’re always on audition. People are researching your website for a variety of
reasons. The difference between getting more tourism dollars, an additional
business relocating to your city, and more residents moving to your city versus
losing them may be that first impression.
Once you fix
the problems listed above, it’s just the beginning of really harnessing the
power of your website. Read our New Year’s post for more tips and advice about how
to make a city website work for you.
© 2009-2016 Mimsware Corporation, all rights reserved. Sophicity®, “We put the IT in City”, and the Sophicity logo are registered trademarks of Mimsware Corporation d/b/a Sophicity.