We put the IT in city®

CitySmart Blog

Wednesday, September 13, 2017
Victoria Boyko, Software Development Consultant

Victoria BoykoWith more than 2 billion monthly users, Facebook is the third most popular website in the world. Because so many people spend time on it, Facebook has become an important place for cities to communicate information and help bring people to your city’s website. City departments often have their own Facebook pages that are individually managed, and those pages can be a fun, easy way to reach out to people.

However, Facebook pages can be plagued with security risks just like your city’s website or systems. For example, imagine a terminated city employee hijacking a city department’s Facebook page and not turning control of the page back over to the city. What would you do? And what could have been done to prevent this situation from happening?

While this situation is bad, we can easily imagine worse scenarios. If someone takes over your page, they can embarrass your city, spread misinformation, and use your page for a different purpose (like political extremism). That kind of hijacking can be a major liability to your city, and so you need to secure your Facebook pages.

How do you secure a page that’s hosted by Facebook that you don’t have direct control over (like your servers, software, or website)? Here are seven security tips that you can apply today.

1. Follow password best practices.

Password best practices are not only good for Facebook pages. They are applicable to all accounts across all systems and applications. Best practices include:

  • Using a password on all devices—including smartphones and tablets.
  • Using passphrases (preferred), but at a minimum using complex passwords.
  • Using two-factor authentication. For example, to log in you will enter 1) your username/password, followed by 2) a code sent to your mobile device.
  • Changing passwords regularly.
  • Not writing passwords down—especially where they are visible to others.
  • Not using obvious passwords (such as "password" or "123456").
  • Not allowing apps or browsers to cache/save passwords.
  • Not using the same password across systems, apps, and websites.

2. Change your password today.

Yes, we’re reiterating some of the points above. If you haven’t changed your password in a while or if it’s an incredibly weak password, change it today. Plus, changing your password today immediately eliminates risks if other people (ex-employees, hackers, etc.) have stolen your current password.

3. Take advantage of the “Setting Up Extra Security” section of Facebook’s Security and Login settings.

If you go to your Facebook page’s Settings, you will see a tab for Security and Login. Go to that tab and you will see a section called “Setting Up Extra Security.” Two important features are there that you should use.

  • Get alerts about unrecognized logins: If an unauthorized user or an authorized user from an unusual location attempts to log in to your Facebook page, then you will receive an alert. In many cases, these alerts will clue you in to a security problem.
  • Use two-factor authentication: We mentioned this under our password best practices, but Facebook allows you to easily set this up. A login to your Facebook page will require a user to enter both a password and a code sent to their mobile device.

4. Limit and manage authorized users.

Don’t just create one account and give everyone administrative access. Limit who uses your Facebook page and give them specific roles by:

  • Going to Settings on your Facebook page.
  • Going to Page Roles.
  • Under “Assign a New Page Role,” you can type in the name or email address of a user and assign them a role such as Editor, Moderator, or Admin.

Once set up, make sure you manage the list of authorized users and review it regularly. Otherwise, terminated employees or other unauthorized individuals may have access to sensitive information. Eliminate any user who is no longer authorized to make changes to your Facebook page.

5. Apply the above best practices to your email software.

Your Facebook page security will mean nothing if your email security is poor. A city might create a generic admin email address used by many people to make it easy for them to log into a Facebook page account. Instead, have everyone use individual email addresses and make sure those email addresses are protected by strong password best practices, suspicious activity alerts, and two-factor authentication. Strong email security at your city prevents unauthorized users from accessing your Facebook page.

6. Check the “Where You’re Logged In” section of Facebook’s Security and Login settings.

Make a habit of occasionally checking the “Where You’re Logged In” section of Facebook’s Security and Login settings to see if any suspicious devices are logged into your account. Each user will be identified by the type of device, browser, and location. It’s especially a red flag if someone unknown is logged in from an unusual location such as another country.

7. Use the Verified Badge for Government option.

We’ve written previously about the benefits of acquiring a Verified Badge for your city’s Facebook page. It makes your page the official, approved page for your city or city department. As we noted in a previous blog post, with a Verified Badge “you now have more authority to shut down damaging or slanderous Facebook pages. If someone operates a Facebook page that pretends they are your city or if they are misleading people about your city, then it’s easier as the owner of the official, verified version of your city’s page to work with Facebook to shut down misleading unofficial sites. Until you receive your verified page badge, you may have to work harder to prove to Facebook that another site is unofficial and shouldn’t be representing your city.”

If you need some help getting a Verified Badge, this post provides some good guidance.


Facebook pages may seem simple because they are so quick to set up, but take them seriously from a security standpoint. In the wrong hands, a hijacked Facebook page can do your city a lot of harm. Apply the tips above in order to secure your Facebook page from hackers and hijackers.

Need help securing your social media pages? Reach out to us today.

Wednesday, September 06, 2017
Dave Mims, CEO

Dave MimsWhile a spam email may occasionally trick your city employees, it’s safe to say that normal spam emails are full of red flags. The writing is terrible, the email address looks obviously wrong, or the information requested from you is bizarre. Immediately, you flag that email as spam because you’ve seen through the amateurish scam.

But because cities are big targets for cybercriminals, you might occasionally become the subject of a sophisticated, targeted email scam—so sophisticated that it’s really, really hard to know if the email is spam.

If you don’t believe this situation could happen to you, meet Stephanie Settles, City Clerk and Treasurer of Paris, Kentucky—a city with a population of a little under 10,000 and a staff size of 125. In other words, it happened to a city that’s probably around your size.

After sharing her story at a recent cybersecurity presentation, about a fourth to a third of the room said they had received similar emails. In this interview, Settles talks to us about what happened, how she ended up detecting the complex spoof email, and how cities can stay vigilant against similar attacks.

So, you received a spoof email but didn’t know it was a spoof at first. Talk about what happened.

I received an email from my “City Manager.” You’ll soon see why I put that title in quotes. Coincidentally, the real City Manager left my office 15 minutes prior to me receiving the first email from “him.”

My City Manager was leaving town for a training session and we were making sure things had been processed and paid before he left. I had told him I was going across the street to pick up a sandwich for lunch and would be right back, and that if he needed or forgot something to let me know.

After I returned with my sandwich and sat at my desk, I received this email.

Email asking if Stephanie in the office

I was thinking, “Oh, he must have forgotten something.” Remember, I was helping him process paperwork and payments before he left. The timing of this message made total sense. So, I responded to the email. Nothing seemed abnormal at this point.

Email confirming Stephanie in the office 

Then I received the following email from “him.”

City manager email requesting wire transfer

Again, if I looked at this quickly, the message still seemed legitimate. The real City Manager always addresses us by our first names. It would not be unusual for him to request a transfer considering we were paying bills that day. So, I responded back.

City clerk email agreeing to do a wire transfer 

When “he” sent the following email, the red flags started.

City manager email with suspicious wire transfer details

At this point, I noticed that the account name looked suspicious and the dollar amount seemed iffy. At our City, multiple signatures are required to spend over $9,000. But the language still sounded like my City Manager—especially the part about sending me an invoice and supporting documents for proper coding. He uses that language in his emails.

However, I was ready to tell him that I could not complete this request without proper approvals. It’s when I began to respond to this email that I 100% knew it was a spoof. Look at the email address for the “city manager.”

City clerk email with incorrect city manager email address 

The email address—with the “ceo01144” name—clearly did not match our City Manager’s email address. Then, I made some comparisons with a normal email from him.

Typical city manager email with no red flags

In a normal email, my City Manager typically does not reply to emails from his cell phone. Typically, he logs into his computer and replies to emails. Now, I know that if I see something from him that says “sent from my iPhone” that it is a spoof email.

What made this spoof email so tricky to spot?

Most importantly, the timing, language, and request made it seem like a normal email. Some secondary factors also made it tricky to detect that it was a spam email:

  • The emails contained a photo of the real City Manager.
  • The top of the emails referenced the correct email address.
  • The real City Manager always begins his emails with the person’s name he is addressing.
  • The City’s email disclaimer was at the bottom of the emails.
  • The emails came into my inbox grouped into the same “real” inbox for our paris.ky.gov email domain instead of appearing in my inbox from a new email address.
  • Each email that the “City Manager” used to reply to me was a new email. In other words, each time he responded to me, he began an entirely new email thread. Normally, a discussion like this would just form one long email thread as we responded to each other.

Why is this kind of an email a security concern?

Let’s say that I couldn’t detect that this email was spam. Then, a criminal could have obtained access to the city’s bank accounts or other sensitive and personal information. That kind of information in the wrong hands has the potential to cripple a city and interfere with our servers and processing systems, harming our data integrity.

Plus, cities can be vulnerable because we’re often so busy and distracted. For example, I was so busy that day that I decided to take a working lunch at my desk. I spotted the red flags, but imagine someone less experienced or more distracted than me. It shows, with one slip, how easy a spammer can trick someone if they’re not paying attention.

What are some ways that cities can prevent against this kind of email spoofing attack?

This seemed extremely targeted, malicious, and criminal. For someone to go to the extent of retrieving someone’s photo, spoofing an email address, imitating the person’s language, and targeting me with a request that’s not terribly unusual means that’s it’s all but identity theft.

Even with such a sophisticated attack, there are many ways that cities can prevent a spammer from gaining access to your sensitive information by following a few tips:

  • Change your passwords frequently.
  • Run full virus scans on a frequent basis.
  • Take notice of the email address when you respond to someone.
  • If in doubt of an email, just pick up the phone and call the person. It’s better to be safe than sorry.

On top of that, we consider Sophicity’s IT in a Box as an extra layer of security—our security blanket, if you will—to help protect our data. They keep antivirus and antispam software running and up to date, software patched and updated, and our hardware secured. They also help make sure that our employees are educated about spotting phishing emails, not clicking on malicious links or attachments, not sharing sensitive or confidential information with an untrusted person, and knowing who to call when something like this happens.


Concerned about your readiness in the face of a sophisticated spoof email? Reach out to us today.

Wednesday, August 30, 2017
Mark Holbrook, Technical Account Manager

Mark HolbrookCompliance. One of those necessary operational activities that you know is working when nothing bad happens. When compliance doesn’t work, you open the door to significant risk. Maybe you violated open records laws like the city of Chicago and have to pay out $670,000 in lawsuits. Maybe an employee opened a spam email and hackers gained access to that employee’s email account, exposing sensitive and confidential information that the city was supposed to protect. Or maybe you lose eight years of criminal evidence from a ransomware attack, possibly affecting the sentences of defendants as lawyers present evidence for and against their cases.

Even if your lack of compliance seems less startling than the repercussions of these stories, it’s still an issue that opens you up to serious liability claims and lawsuits. Before we started working with one of our current city customers, they discovered that they were not meeting federal or state compliance regulations in several areas. For example, the city’s email was not secure and compliant with open records laws.

We’ve talked a lot in the past about the legal consequences of poor technology infrastructure and support. In this post, we want to highlight how specific areas of compliance can be impacted by your technology.

1. Tax information

Information related to property taxes, municipal income taxes, and other kinds of taxes that cities collect from citizens needs to be protected under law. Much of this information is considered confidential or sensitive (such as social security numbers). Also, the IRS requires that cities keep Federal Tax Information (FTI) secure according to Publication 1075. Secure data transfer, recordkeeping, secure storage, authorized access, and computer system security are all covered under federal law. According to the IRS, “The [Internal Revenue Code] defines and protects the confidential relationship between the taxpayer and the IRS and makes it a crime to violate this confidence.”

2. Public safety information

Too many public safety departments still have a shaky IT foundation with aging technology, obsolete software, and poorly maintained systems. This leaves open many security holes and risks the loss of critical information. At a federal level, there are strict Criminal Justice Information (CJI) laws covering information access, storage, and data integrity. Then, each state has laws pertaining to the security of information exchanged with local public safety departments.

For example, “The Rules of the [Georgia Crime Information Center] Council mandate performance audits of criminal justice agencies that access the Georgia CJIS network to assess and enforce compliance with the Rules of the GCIC Council, O.C.G.A. § 35-3-30 through 35-3-40, other relevant Georgia code sections and pertinent federal statutes and regulations.” That’s why our engineers are GCIC-certified to make sure that IT systems comply with the Georgia Bureau of Investigation as well as Criminal Justice Information Services (CJIS).

3. Payment information

Any city that offers payment services for tickets, fines, utilities, licenses, or other services needs to secure and protect payment information. That includes credit card, debit card, banking, and any other data that hackers can steal to commit financial fraud. Complying with PCI DSS standards is a must for cities when they provide payment services. In addition, any technology infrastructure that stores and processes payment needs to be modernized, monitored, and maintained by IT professionals.

4. Personnel information

You obviously know that personnel matters involve some of the most sensitive and confidential information. That’s because personnel information can include personal history, background checks, tests (such as drug tests), healthcare, and work performance. That information must be protected by law, and there are many federal, state, and local laws that you must follow.

5. Open records and FOIA requests

By law, your city must respond to open records and FOIA requests. Yet, many cities sometimes delay responding to those requests by claiming they can’t find the information. Sure, some cities may have poor email, document management, or paper filing systems that make tracking down information troublesome. But open records laws become more unforgiving with each passing year. Searchable email, records/document management systems, and databases need to give cities access to information quickly. Data backup and disaster recovery expectations mean that you can’t just “lose” information. And you must adhere to specific retention, archiving, and disposal schedules. Not modernizing your technology or backing up your data properly opens you up to fines, lawsuits, and unflattering front-page news stories.


These are five major areas within your city operations where complying with the law relies heavily on policy, best practices, and technology. At a minimum, you need:

  • Adopted policies and training
  • Basic cyber hygiene (such as regularly patching software, enterprise-grade antivirus, and IT professionals monitoring and maintaining your systems)
  • Data backup and disaster recovery
  • Modernized hardware, software, and infrastructure
  • Physical and information security policies and procedures
  • A secure, reliably hosted website
  • Disciplined vendor management

Worried about complying with the law? Reach out to us today.

Tuesday, August 29, 2017
Dave Mims, CEO

Dave MimsOn its city website, Oxford, Georgia describes itself as “A City of History, Community, Education, and Trees.” Chartered in 1839, the City of Oxford birthed Emory University in 1836 at what’s now Oxford College—currently home to 25 percent of Emory’s freshmen and sophomore undergraduates. While a self-described quiet community, the city has recently seen a lot of activity with a new City Hall, new maintenance facility, and plans to establish a mixed-use new Town Center District for community activities.

To support all this activity, the City of Oxford needs a strong IT backbone—what City Manager Bob Schwartz (now retired) calls “invisible IT.” “When we supply water to citizens,” says Schwartz. “People never know that there’s a network of pipes, several access points, and an elevated tank. They don’t care—as long as it works. With Sophicity, IT works for us how water works for our citizens.”

Challenge

A few years ago, the City of Oxford found its IT services out of date and unstable. Concerned with the stability and security of their email, server hosting, and data backup, city officials needed to upgrade and modernize their technology.

With a small staff of 15 who use about 20 PCs and a few file servers, the City of Oxford also had to keep track of technically demanding tasks such as data backup, software patching and updating, and hardware issues. At the same time, the city often had technology issues that needed the responsiveness of a full-time IT staff. However, the city’s size did not justify hiring someone full-time and yet they still needed that level of expertise to handle its technology issues.

“At one of my previous jobs,” said Schwartz. “I had a staff of about 60 people, including two IT staff. It was great to just call the IT person and tell them to look at something. We needed that level of IT responsiveness without hiring someone full-time.”

And while a small city, it’s still necessary to have a modern, service-oriented website that’s easy to maintain and reliably hosted. Before Sophicity, the city would hire a part-time student to maintain the website. Despite the student’s help, city staff often wanted to easily edit and update website content but couldn’t. There was also uncertainty about how and where the website was hosted.

On a more tactical level, the city’s previous document management software limited their productivity and inefficiency—especially with routine tasks like preparing for city council meetings. “When we worked on a document we would email it back and forth between ourselves,” says Schwartz. “There wasn’t a central place to store documents and collaborate on them, which made it harder to prepare for activities like city council meetings that required a lot of edits and revisions to documents.”

Solution

Oxford solved these challenges by using the Georgia Municipal Association’s “IT in a Box” service. IT in a Box included:

  • A new city website: Oxford received a modern fresh website design with Sophicity hosting the website and managing the content. Plus, city staff could now edit and update website content.
  • Data backup and offsite data backup storage: Oxford received unlimited offsite data backup storage and retention for disaster recovery and archiving. No longer did staff have to worry about data backup with Sophicity’s real-time monitoring and quarterly testing.
  • Document management: City records were now protected, and staff could easily apply the state’s record retention schedules.
  • A highly available and dependable email system: The city switched to hosted email on its own city domain that included email archiving, shared calendars and contacts, and 50GB of mailbox storage per user.
  • Help with open records requests: The city was now better prepared for FOIA and Open Records Requests, and Sophicity helps the city clerk process them.
  • Vendor management: The city did not have to worry any longer about frustrating calls with vendors about software issues or hardware procurement.
  • 24x7 helpdesk: The city now had the responsive helpdesk it always wanted. Sophicity provides 24x7x365 support to city staff in the office, working from home, and on the road. Experienced senior engineers address any IT issue remotely—ASAP.
  • Server, desktop, and mobile management: Sophicity now proactively keeps computers patched, protected, and healthy to guard against cyberattacks—taking this task off the plates of non-technical city staff.

Results

“IT in a Box” helped Oxford:

Acquire a 24x7x365 experienced IT helpdesk that’s more effective than full-time staff for less cost.

As Bob Schwartz puts it, “It’s almost the same feeling as hollering down the hall to your IT staff and getting them to immediately look at your problem. The only difference is that we dial a number, Sophicity takes over our computer screen, and they often fix the problem then and there.” Schwarz goes on to joke that “It's not as fun as hollering at somebody!” but he continues on a serious note. “There's no reason to holler at Sophicity when their engineers are so nice and helpful.” It may seem small, but even quick help about simple issues like a disconnected copier was a relief to the city after previously struggling with this issue themselves.

Prepare and run city council meetings more efficiently and collaboratively.

The city uses Sophicity’s document management system to prepare city council agendas for meetings. Schwartz and the city clerk can collaborate while working on files without fear of losing information in an email or missing a revision to a file.

“We can add to the agenda as we go,” says Schwartz. “The city clerk will put in copies of the minutes from the last meeting that city council has to approve at the next meeting. I’ll put in a memo explaining a proposed ordinance or some explanation about an activity. The document management system warns us if we're both trying to edit the same document, which avoids messy reconciliation issues.”

Modernize its website and allow city staff to edit and update content.

Instead of a part-time student overseeing the city’s website, Sophicity modernized and redesigned it to give the city’s online presence a fresh look and feel. The current website now offers information about city government, how to contact city departments, news, answers to common questions, and other resources—kept fresh by city staff who can now update and edit content.

Schwartz notes, “You have taught our assistant clerk how to make the less complicated changes, so we’re able to post stuff very quickly.” If the content is a bit tricky to upload, then Sophicity will post it for her.

Not worry about IT anymore.

Like the old Maytag repairman commercials, the best IT is often “invisible” IT—in the sense that technology just works. Schwartz says, “We haven’t crashed or been subject to ransomware. Our programs and PCs are up and ready to work when we get to the office. And when my PC did irretrievably break, your staff was able to recommend a replacement and restore all my files from your backup copies.”

Schwartz notes there are a lot of stories in the media about cities getting hit with ransomware and viruses. And it’s in that moment that cities realize—too late—that not backing up data and failing to implement proactive IT maintenance leads to permanent data loss, failure to comply with the law, and a loss of citizen trust.

With Sophicity, even if the worst disaster happens there are many protections in place from onsite and offsite data backup to ongoing IT monitoring and maintenance that means the worst isn’t that bad.

“My advice for any city would be to ask themselves, "Who's doing your virus protection? And who's doing your backup? Where is it?" Monthly data backup is not enough. And sometimes you think you’re backing up, but you’re not. You really don't want to wait until ransomware strikes, half of your files disappear, or you can't boot up in the morning. With Sophicity, I don’t have to worry about these problems.” Bob Schwartz, City Manager, City of Oxford, Georgia

Contact Us Today

If you're interested in learning more, contact us about IT in a Box.

About Sophicity

Sophicity provides the highest quality IT products and services tailored to city governments. Among the features Sophicity delivers in "IT in a Box" are a website, data backup, offsite data backup storage, email, records/document management, video archiving, help with information security policy and compliance, Microsoft Office for desktops, server and desktop management, vendor management, and a seven-day a week helpdesk. Read more about IT in a Box.

Wednesday, August 16, 2017
Mike Smith, Network Infrastructure Consultant

Mike SmithWhen cities use too many different technology vendors, too many problems happen. One of our customers talked to us about what it was like before we started working with their city. They previously contracted individual vendors for:

  • Troubleshooting
  • Data backup and disaster recovery
  • Document solutions
  • Email
  • Website hosting
  • Telecom auditing
  • Product management

Add 3 ISP providers to the mix and you’ve got vendor chaos! Because of too many vendors, the city grappled with problems that included:

  • A lack of a comprehensive document management solution
  • No overall, holistic vendor management
  • Uncertainty around federal and state compliance with laws
  • Lackluster support from their vendors—also known as finger-pointing

So why is transitioning from many vendors to one vendor so important for cities?

1. More vendors cost more money.

Each vendor will charge a premium for their service along with onboarding time, installation, upgrades, and maintenance. You’ll pay these costs even if there is overlap in services such as different data backup services for different products.

Generally, too many IT vendors suggest that costs have potentially spiraled out of control. It’s like when an organization is overstaffed with too many people serving in unclear, conflicting roles.

2. Vendors split across many functions lack an in-depth knowledge about your IT environment.

An email vendor wants to make a change to your software that has an unintended consequence elsewhere. Your data backup vendor isn’t aware of rules related to records retention. Your website vendor provides you features and functionality not compliant for local government. In these situations, you experience the result of vendors that make decisions without knowing your environment well.

A vendor that monitors and maintains your entire IT environment will know how to quickly and effectively troubleshoot problems, proactively fend off issues, and keep you in compliance. If they oversee all the different parts and pieces, then they will understand how email relates to compliance or how data backup relates to document management.

3. More vendors lead to chaos.

When you have seven different vendors, who is managing all of them? Often, it’s overworked city staff already strapped for time. Even in a stress-free environment, it’s difficult for non-technical city staff to keep track of issues and to-dos related to seven different technology vendors.

In an environment without someone providing vendor management, mistakes happen. Things don’t get done. Vendors conflict with each other. Balls get dropped. Tempers flare. People point fingers. But when IT professionals oversee vendor management, many of these problems disappear.

4. Different vendors do not back up data consistently.

Your various software systems may have their own data backup and disaster recovery processes. These processes may conflict with each other or add up to an incomplete overall backup of your critical information. Who is testing these backups? What vendors are cooperating with each other?

5. Many task-specific vendors don’t understand city-specific requirements like compliance.

The city mentioned in our introduction noted that their email vendor was not compliant with open records and cybersecurity laws. This left the city open to liability claims and lawsuits. Other task-specific vendors for data backup, document management, and website hosting may also lack in-depth expertise about local government compliance and leave you open to noncompliance risks.

Studies show that many security breaches are the result of third parties. When many vendors are allowed to go into your IT environment without much oversight, they can be setting you up for noncompliance and introducing security vulnerabilities that may lead to a cyberattack. You need IT professionals to oversee vendors and the technology in your environment to make sure you’re able to handle open records requests, authorize access to information, and prevent most cyberattacks.

6. With many different vendors, you can’t see the big picture.

There’s a reason that IT runs best when it’s led and overseen by professionals who understand the business of cities. Someone needs to assess your entire environment and put all the pieces together. That involves planning, coordination, monitoring, maintenance, upgrades, patching, support, procurement, and vendor management.

One of our colleagues recently told us a story about taking a four-hour bus ride between two major cities. At the bus station, the bus was outside but did not depart on time. People waited in line for 45 minutes, the bus driver stood outside, and no one communicated about the reason for the delay. When our colleague asked the customer service person why, she shrugged and said, “I can’t help it. It’s up to the bus driver.” When our colleague talked to the bus driver, he said, “I can’t help it. It’s up to the bus company.” Instead of accountability, there was inexplicable confusion, chaos, and uncertainty related to the departure time.

That’s what happens when too many vendors form a part of your environment. Why is email not working? Why did the website go down? Why can’t employees access documents? It’s often another vendor’s fault. There’s no central point of command.

One IT vendor should holistically oversee everything. For example, your document management system may involve data backup, storage, compliance, features, and functionality. Instead of a document management vendor blaming the data backup vendor, or vice versa, one vendor overseeing everything will be able to handle problems in these two areas simultaneously.


If your city struggles with too many vendors, then there is a better, more cost effective way. Reach out to us today.

Tuesday, August 08, 2017
Nathan Eisner, COO

Nathan EisnerIn an upcoming Georgia Municipal Association interview, Bob Schwartz, City Manager of Oxford, Georgia, says:

“...there is the “invisible” aspect of IT—like the old Maytag repairman. The less you saw him, the better the product. It's nice to know your IT folks but you don't want to know them so well that you see them every week. Their work is largely ‘invisible’ in the sense that […] software gets updated, data backups happen, and viruses are kept out.”

He’s right. Cities function best when IT vendors take care of issues proactively and keep your environment well-maintained and stable. Yes, IT is always there like your heartbeat in a sense, proactively maintaining your environment behind the scenes and supporting your users 24/7/365. IT should not be always there again and again for another crisis, another break/fix, or another triage moment. As a city manager, Schwartz sleeps better at night knowing his city hasn’t crashed or been subject to ransomware. His programs and PCs are up and ready to work when his staff gets to the office.

So what clues reveal if you are seeing and interacting with your IT vendor for the right reasons? Here are five.

1. Your IT vendor schedules regular, planned work like installations, patches, and upgrades.

One of the most common signs of weak, at-risk IT is crashing servers, workstations, and software applications. That means something is seriously wrong. The root causes of crashing include:

  • Unpatched hardware and software
  • Obsolete, unsupported operating systems
  • Old, aging hardware at the end of its lifecycle
  • Poor IT support
  • Virus infections

Servers, workstations, and software applications should rarely crash if you have modernized, properly supported technology. That means your IT vendor regularly monitors, maintains, patches, and upgrades your hardware and software.

A crashing website indicates similar problems, usually with the quality of your website hosting and the maintenance of your website’s platform. Remember that your citizens, prospective residents, and business owners looking to relocate are negatively impacted by a constantly crashing website—and your city looks bad to the outside world.

2. Your IT vendor spends a lot of time focused on your cybersecurity.

While employee error is often the cause of viruses, that doesn’t mean viruses occur equally at all cities. An effective antivirus and cybersecurity strategy involves a variety of factors:

  • 24x7x365 monitoring and alerting through a combination of automated software and IT professionals overseeing your IT environment
  • Enterprise-grade antivirus software (that can be monitored and maintained by IT professionals)
  • Strong antispam software (spam is often a source of viruses)
  • Software updates and patches regularly applied to fix security vulnerabilities
  • Data backup (in case the worst happens, you can still recover your files)

Without these elements, you’re more likely to get a virus. Viruses are extremely dangerous and interrupt city operations. They may lead to a data breach, stolen money, stolen information, backdoors opened to hackers, permanently lost data, and compromised machines. You want to do everything to eliminate the possibility of a virus crippling your city.

3. Your IT vendor isn’t fighting fires all the time.

Too many “firefighting” issues signify that your IT vendor is not properly maintaining your technology. Signs of hardware and software issues include:

  • Really slow software, slow loading webpages, and slow boot up times
  • Features and functionality not working or inaccessible
  • Servers, workstations, and software regularly taking a very long time for your IT staff or vendor to repair

To solve essential hardware and software issues, you need IT professionals ensuring proper installation, configuration, monitoring, maintenance, patching, upgrading, and working with the hardware or software vendor when necessary to fix issues. And at the right time, hardware or software needs decommissioning when it’s at the end of its lifecycle.

4. Data backup just happens—and it works when you need it.

While some cities may use some form of manual data backup and may even have non-technical IT staff help create the backups, it’s best if data backup just happens without any city staff worrying about it. Your data backup should be:

  • Automated, which removes the risk of forgetting and human error
  • Tested, so that you know it works when you need to restore data
  • Offsite as well as onsite, so that your data is safe even if a disaster occurs
  • Unlimited in storage space so that you don’t have to worry about data caps or cost increases

Cities should not have to wonder if data backups are happening or find out too late that backups haven’t been working.

5. Your IT staff or vendor proactively handles technical issues with hardware and software vendors.

If you are taking on the responsibility of calling hardware and software vendors when you have issues, then that’s a big problem. When non-technical city staff speak to technical vendor support technicians, miscommunications can occur. Problems can seem solved when they’re really not. It’s also a waste of time for non-technical city staff to spend hours, and sometimes days, on the phone with vendors when they have more important things to do.

A city’s IT support should handle technical communications with vendors and get this time-wasting task off your plate. That includes software issues and even hardware procurement such as buying a new computer.


Seeing too much of your current IT vendor for the wrong reasons? Need help? Reach out to us today.

Friday, July 28, 2017
Dave Mims, CEO

Dave MimsBarraged with cybersecurity news every day, it’s difficult to sift the real danger from the noise. Cybersecurity headlines tend toward the dramatic—even if the concerns are real. For example, the Washington Post recently sounded the alarm about local governments using Kaspersky Lab antivirus software. The federal government removed the software from its approved vendor list because of concerns that it could serve as a backdoor to feed intelligence to Russia, but local governments have kept using it.

An article in Governing notes that “there have been no specific vulnerabilities identified and no evidence of malicious intent released to the public” about Kaspersky Lab. Yet, this story makes headlines because of the media’s current focus on anything related to Russia. The antivirus software may be a risk to cities but that isn’t certain without evidence.

With that said, cities cannot remain passive against well known, serious, and confirmed cybersecurity dangers (even if the news deems them less headline-worthy). For example, the recent WannaCry and Petya attacks that ravaged organizations around the world should not be ignored by cities. Why? These attacks best exploited organizations with weak cybersecurity and poor cyber hygiene. Even the world’s foremost cybersecurity experts pointed out that simple activities like regular software patching, updating operating systems, and backing up data could have eliminated most of these ransomware threats. Congress has even proposed a bill—the Modernizing Government Technology (MGT) Act—that requires government agencies to follow basic IT best practices to prevent cybersecurity attacks.

So, if we dig beneath the flashier headlines, we find five real cybersecurity dangers that most threaten cities—and these dangers should keep you up at night if you’re not addressing them.

1. Ransomware

Ransomware is a virus that encrypts your data with malicious intent. It's a weapon used by a criminal who attempts to steal your money or destroy your property (in this case, your data) if you don't pay a ransom. Once your files are encrypted by the virus, a screen will pop up on your computer with instructions about paying a ransom.

Once you pay, the criminals will hopefully decrypt your data—although there are no guarantees. Remember, these are criminals. Can I trust them? Will my data be restored? Is my restored data unaltered? Do they still have access to my computer? Will this happen again?

As one of the scariest viruses out there, attackers use ransomware more and more often. The ransom price demands are increasing. According to a PhishMe report from earlier this year, ransomware attacks through phishing emails increased from 56 percent in December 2016 to 93 percent in March 2017. Yes, 93 percent!

Quite simply, ransomware has become very profitable for very bad people. Many ransomware attacks have devastated local governments—from shutting down 911 systems to erasing years of criminal evidence. It’s putting communities at risk. Imagine critical systems like water treatment plants being held hostage.

2. Viruses and malware

Hackers still use a variety of viruses and malware to steal information, corrupt or destroy data, shut or slow down your systems, and defame your websites. Viruses and malware enter your computer systems from a variety of sources such as malicious email attachments, websites, ads, pop-ups, and software downloaded from the internet. External hard drives and flash drives can also get infected with viruses and infect computers as people share them.

3. Data breaches

According to Breach Level Index, there have been about 90 government data breaches so far in 2017 alone (as of July 27). Those data breaches include:

Data breaches occur when sensitive and/or confidential information is exposed to the public either accidentally or through a criminal act. The repercussions of data breaches—financially, legally, and publicly—are harsh and last months or years.

4. Phishing

According to a December 2016 PhishMe report, “91 percent of cyberattacks start with a phishing email.” Phishing is an activity performed by hackers to lure people into clicking on malicious links, attachments, ads, pop-ups, and software downloads. Unsuspecting employees are tricked into downloading viruses, malware, and ransomware that leads to data breaches, stolen information, and data loss.

Over 90 percent of cybersecurity attacks originate with human error, which means that your employees may unwittingly become the source of a cyberattack if they are unaware of these dangers.

5. Website Attacks

Your website is an important part of your city. It’s your window to the online world, your public relations vehicle, your library of city information, and possibly the place where many of your citizens pay taxes, fines, and utilities. Website attacks are a favorite of hackers, and many cities experience financially harmful and embarrassing consequences. A few tactics include:

  • Denial of service attacks. Hackers flood your website with so much fake online traffic that it crashes—often for days.
  • Defaming. Hackers take over your website and replace it with a political message, a porn site, or other embarrassing information that has nothing to do with your city.
  • Stealing data. If your website stores sensitive or confidential information that should only be accessible to authorized users (such as a utility customer’s payment information), then hackers can steal this data.

If your city has poor cybersecurity, it’s extremely likely that one of the scenarios above will happen to you. Hackers are looking for easy targets, and their methods grow more sophisticated. Don’t be an easy target, and don’t be passive about the cyber risks your city faces.

Concerned? If your city has uncertainty around cybersecurity, then you need to especially examine your:

  • Data backup and disaster recovery: If the worst happens, then you need to recover your data. Your data backup should contain an onsite and offsite component—with regular testing to make sure it works. Your data backups should also be stored separately from your day-to-day data so that backups don’t get infected with a virus or malware.
  • Updates and patching: Your software—both operating systems and applications—needs regular updates and patches. For example, most organizations hit by the WannaCry ransomware virus failed to implement a patch that Microsoft had released a few months before the attack.
  • Antivirus and antispam: Your city needs enterprise-grade antivirus and antispam that’s regularly updated and monitored by IT professionals.
  • Trusted, professional website hosting: Your website needs to be hosted by a trusted vendor that maintains high security.
  • Access controls: Only authorized employees should be able to access specific hardware, software, and systems at your city.
  • Policies and compliance: Clear, thorough information security policies and procedures will ensure compliance with the law and help prevent cybersecurity incidents.
  • Employee training: Because human error is at the root of such a high percentage of cyberattacks, you need to train your employees about phishing, identifying malicious links, and staying vigilant when they use the internet.

Concerns about your city’s cybersecurity? Reach out to us today.

Wednesday, July 26, 2017
Adrian McWethy, Account Manager

Adrian McWethyIn a document entitled “Protection of Personal Information: Security and Incident Investigation Procedures and Practices for Local Governmental Units,” Kentucky’s Department for Local Government (DLG) lists six important goals to include in a policy that aims to protect personal information. According to the DLG, a city’s policy should “minimize the risk of disclosing personal information and [set] practical guidelines for effectively responding to security incidents.”

The six goals that Kentucky’s DLG says should form part of a policy are to:

  1. Identify vulnerabilities.
  2. Eliminate or mitigate those vulnerabilities.
  3. Recognize when an incident has occurred.
  4. Notify appropriate personnel in the event of an incident.
  5. Respond to information security threats.
  6. Recognize events that require special handling due to their potential impact or special reporting due to legal or other concerns.

Even if you’re not a Kentucky city, similar laws exist in other states around protecting personal information. These six goals also form a set of best practices that any city security policy should aim to cover.

So how can you go about tackling these six areas? Here are a few tips.

1. Identify vulnerabilities.

How do you make sure you are able to proactively identify vulnerabilities? Before jumping to a tactical level, it helps to set a policy showing that you’re aware of the potential for vulnerabilities related to:

Clarifying your policy around these areas will help you identify gaps in your security that could lead to a cyberattack. We’ve linked to blog posts that tackle these policy areas in more detail.

On a tactical level, you need proactive, ongoing IT monitoring and maintenance of your applications and systems to identify vulnerabilities as they arise.

2. Eliminate or mitigate those vulnerabilities.

Once identified, you need tools in place to eliminate and mitigate vulnerabilities. Those tools may include:

  • Enterprise-grade antivirus and antispam software: Cities need enterprise-grade antivirus and antispam software—not consumer-grade or free software. Enterprise-grade software can be customized and monitored by IT professionals who will use it to help eliminate and mitigate cyberthreats.
  • Patches and upgrades: Many cities still do not regularly patch and update software. Vendors create patches and updates to fix security vulnerabilities. Those patches and updates need to be applied soon after they are released by a vendor.
  • Vendor management: To be sure that your software is safe to use, IT professionals can talk technically with vendors about eliminating or mitigating vulnerabilities.
  • Data backup: In a worst-case scenario, having data backup can mitigate the loss or corruption of data.

3. Recognize when an incident has occurred.

The City of Miami Beach, Florida recently experienced an incident where criminals stole $3.6 million—and the city did not notice it for six months! It’s a good example of what happens when your city simply doesn’t pay attention and fails to recognize when a security incident occurs.

Cities need IT professionals who proactively monitor and maintain your systems with:

  • 24/7/365 automated software that provides updates about the health of your system.
  • Human oversight to flag potential problems.

Otherwise, a security incident could occur that you don’t learn about for days, weeks, or months.

4. Notify appropriate personnel in the event of an incident.

This step touches on two areas that you need to flesh out:

  • Information security policies, procedures, and best practices. Once outlined, you can rely on these documents to follow a specific process after an incident. Sometimes, this means following the law (such as with a data breach). In other cases, it may just mean reviewing best practices on how to handle something like a virus once a machine is infected. If something happens, you’ve got a plan—and it helps to have experienced IT professionals on hand who can act fast.
  • Disaster recovery. A disaster recovery plan encompasses a much wider area than an information security policy, but a city’s disaster recovery plan needs to account for information security. In a worst-case scenario such as a fire, flooding, theft, or natural disaster, what happens if data is lost or destroyed?

5. Respond to information security threats.

Basically, this step is all about carrying out your plan. It’s best if:

  • Experienced, trained IT helpdesk staff tackle the problem: Proactive IT support engineers will immediately know about and respond to the problem. Reactive or inexperienced IT support will be too slow to respond and you risk more problems as a result.
  • Get your data backup ready: In the case of a virus, ransomware, or other form of data loss related to a cyberattack, be ready to respond by reverting to a previous snapshot of your data. You may lose a few minutes, hours, or days of data, but you will recover quickly. Without ongoing data backup, you risk permanent data loss.
  • Get your city staff ready: Members of your city staff may play a part in responding to a threat. Your public information officer may need to let citizens know about a data breach. Your city attorney may need to follow certain legal procedures in the aftermath of a security incident. Law enforcement may need to get involved if data is stolen.

6. Recognize events that require special handling due to their potential impact or special reporting due to legal or other concerns.

We can’t list every single event that would need special handling, but a few common ones may include:

  • A website hack, defamation, or denial of service attack. You may need to work with the website hosting provider on the issue or inform citizens about when to expect the website to return to full service.
  • An email security issue. Perhaps from an unauthorized breach, improper use of a personal email address for city business, or an unencrypted email with confidential information, an email incident may involve special handling.
  • An open records request issue. If you feel you are not able to respond to an open records request because of a technology issue, then you may need an IT professional to examine your email or document management systems to see if you can comply.
  • A video archiving issue. Especially for public safety, video can run into many technical issues because of storage, accessibility, or security issues. Because of the complexity and confidentiality of the data, you need to handle it carefully.

In the document cited at the beginning of this post, Kentucky’s DLG says, “Each [Local Government Unit] LGO is responsible for ensuring that employees and others with permissive access to, or who may access, personal information are familiar with the policy and all such persons or entities shall be aware of what constitutes an incident. Each LGU shall ensure that employees are aware that compliance with this policy is mandatory. LGUs have the responsibility to enforce this policy.”

Again, while your state may be more or less strict compared to Kentucky, it’s clear that laws increasingly point toward greater accountability related to cybersecurity vulnerabilities. Having a plan for dealing with security vulnerabilities will be good for your city—no matter the law in your state.

Wondering if your city can effectively handle security vulnerabilities? Reach out to us today.

Wednesday, July 19, 2017
Sarah Northcutt, Account Manager

Sarah NorthcuttMunicipal bonds. One of those long-standing, tried and true ways that your city can fund important projects including downtown development, infrastructure, and schools. As you know, many factors can lower your bond rating such as financial instability or signs of poor management. When your bond rating goes down, it’s harder and more expensive to borrow money.

So why are we, an IT company, talking about municipal bonds in a blog post? Recently, Standard & Poor's (S&P) and Moody’s said they will soon start taking cybersecurity into account when they evaluate the ability for local governments to borrow money.

According to Reuters, “S&P Global has begun to quiz states, cities and towns about their cyber defenses, and some credit analysts are starting to factor cyber security when they look at bonds. Moody's Investors Service is also trying to figure out how to best evaluate cyber risk.”

The article goes on to state that while this currently isn’t part of the three key rating agencies’ processes, signs show that it will eventually happen:

“[Court Street Group analyst Joseph Krist] expects others to follow suit. ‘We went through this with getting munis to ... disclose more pension information. Those were frankly long and painful processes. It just has to get to a critical mass.’”

Both the WannaCry and the most recent Petya global cyberattacks are electrifying lawmakers to take action about cybersecurity. Rules and regulations will only increase and become part of the evaluation process for things like your city’s ability to borrow money.

In other words, not taking care of your cybersecurity means the same level of perceived instability or negligence surrounding a poor financial situation at your city.

Your city remains a big target for cybercriminals. Generally, cities can be easy targets and keepers of valuable, sensitive information. If you want your city to remain able to borrow money at a low interest rate, then you must address the following cybersecurity areas.

1. Prepare for the worst with data backup and disaster recovery.

An essential part of a cybersecurity plan is to assume the worst will happen. When ransomware infects your servers, what happens to your data? You need to be able to access and continue your operations within hours or days. That means having a data backup and disaster recovery plan that accounts for both onsite and offsite backup that’s tested regularly.

2. Proactively fend off viruses, malware, and ransomware through enterprise-level antivirus software.

If a city uses free or consumer-grade antivirus software, then it’s in trouble. Your city needs to use an enterprise-grade antivirus and antispam solution that’s monitored, maintained, and updated by IT professionals. When you use free or consumer-grade antivirus software (often “maintained” by non-technical employees), you are taking on risk—potentially significant risk—by not having expertise and experience on hand to deal with these critical and fundamental systems.

3. Patch and upgrade software to eliminate security vulnerabilities.

Hackers are successful with viruses, ransomware, and malware by exploiting security vulnerabilities in software. That’s why software vendors constantly release patches meant to not only fix bugs and add enhancements but to also shore up security vulnerabilities. Many of the most devastating WannaCry and Petya attacks resulted from organizations not patching their software. You need to regularly patch and upgrade software when needed. The WannaCry and Petya ransomware also exploited computers still using obsolete, outdated software not supported any longer by the vendor. By upgrading software, you ensure it’s supported, patched, and secured.

4. Create cybersecurity policies and procedures for your city.

Many states such as Arkansas and Kentucky include laws and best practices related to local government audits and oversight. In Arkansas, a city can now lose its charter if it’s not following appropriate cybersecurity policy. Your city needs policies that address:

Regular self-auditing with the help of your IT vendor and third parties will help you ensure that you are complying with the law.

5. Train users regularly.

Because cybersecurity threats grow more sophisticated over time, you need to keep users up to speed. Take the time to train them about:

  • Malicious emails and how to know if an email is legitimate.
  • Malicious websites and how to avoid them.
  • Why employees must not use unapproved software or download games and quizzes from the internet.
  • How viruses work and what they can do to your city.
  • How modern forms of viruses such as ransomware work.

Employees especially need to know how their actions can lead to a devastating cyberattack, why they must follow policy, and what consequences can happen to them if they don’t. Many employees like to use their work computers like they use their home computers, but they must understand that certain restrictions aren’t aimed personally at them. These policies are in place to help your city avoid a devastating cyberattack.

Worried about the state of your cybersecurity? Reach out to us today.

Wednesday, July 12, 2017
Dave Mims, CEO

Dave MimsDocument management is an important part of a city’s information technology backbone, and many cities might not realize how much it can help streamline a complex, routine activity such as preparing for City Council meetings. We recently chatted with Bob Schwartz, City Manager of Oxford, Georgia, for some insight about how he uses IT in a Box’s document management feature to make preparing a City Council meeting as easy as possible.

Talk about some of the ways you use the IT in a Box document management feature to prepare for a City Council meeting.

The City Clerk and I use the document management feature to prepare our City Council meeting agenda, and it helps us in several ways. First, the two of us can work with common folders in a centralized place. She can put documents into the folder that relate to the City Council meeting agenda such as copies of the minutes from the last meeting for the councilmembers to approve. I may put in a memo that explains a proposed ordinance or some activity the city has done. We each add to the agenda folder as we go, and it’s an easy way to assemble the documents we need for the agenda.

Second, the document management system warns us if we're both trying to edit the same document. That forces one of us to back out so that only one person can edit at a time. Before we had this document management system, two people might edit the same document at different times—making it harder to reconcile all the edits and different versions later. It's an easier editing process to have one person work on a document at a time, and the document management system enforces that rule. This leads to better collaboration. I'll just tell the City Clerk, "Let me know when you're done and then I'll give that document an edit."

This is a process we go through every two weeks because we have two Council meetings a month. It’s now just second nature to put our information into the document management system, let the City Clerk take a final look at it, and assemble the agenda. When we’re done uploading and preparing our information, she emails the agenda to the Council. Then, everybody gets to look at it.

In fact, we've set up the agenda in the document management system so that councilmembers can look at the files but only the City Clerk and myself can edit the files. Setting up permissions—who can edit and who can just review—along with restricting access so that only one person can edit at a time helps keeps documents accurate and clean. Occasionally, a councilmember may look at a draft version of the agenda before we’re finished and say, "How come that's on the agenda?" Then, you can either explain it or say, "It's not finished yet. It may change later." However, we make it clear that an agenda is in draft form rather than a finalized form.

Third, we also use the document management system’s calendar function to schedule our meeting room so that we can't schedule a meeting when someone else is already using it. While it's not a heavily used meeting room, it still makes sense to reserve it through this tool instead of assuming the room will be open. That’s another way the document management tool helps streamlines the process of a small but important logistical detail of preparing for a City Council meeting.

Why is this document management feature better than other alternatives?

Well, without any document management tool, we would email documents back and forth. In that scenario, it’s hard to tell what’s the latest version, who’s editing what document at what time, and if two people are editing it at the same time. There’s a lot of potential inefficiency there and room for mistakes.

On the flip side, there are fancier and more elaborate programs to prepare an agenda and those might work when there are many people contributing and collaborating. For a smaller city like ours, the IT in a Box document management feature is perfect. We only have a couple of people contributing and collaborating, so we don’t need a specialized agenda preparation package. Sophicity’s tool works just fine.


Bob’s experience with the document management feature reflects the needs of smaller cities with a few people on staff who still need to collaborate over often complex City Council agendas. Having uncertainty related to documents and grappling with a chaotic process through email just adds problems that you don’t need—or have to put up with.

A document management solution like the one Bob discusses also helps cities:

  • Protect city records in a safe location.
  • Apply record retention schedules. Automated tasks can be set within the document management system to follow your record retention schedules and apply them to documents.
  • Scan paper files to free up file cabinets and floor space. This also eliminates the risk of permanently losing paper files in a fire, by flooding, or by theft.
  • Easily search for documents based on their content as well as data fields. This especially helps when you need to respond to open records requests.

Want to learn more about how document management can help your city prepare for City Council meetings? Reach out to us today.

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 |