We put the IT in city®

CitySmart Blog

Friday, March 22, 2019
Kevin Howarth, Marketing & Communications
Wednesday, March 20, 2019
Michael Chihlas, Senior Consultant and Team Lead
Michael Chihlas

Over the past few months, various news items continue to emerge about municipalities opening themselves up to data incidents and cyberattacks from outdated software. For example, 200 Vermont municipalities using New England Municipal Resource Center (NEMRC) software had the personal information of city employees and citizens exposed by a security vulnerability from unpatched software.

Cyware reported, “Started in 1984, NEMRC used a Microsoft program called Visual FoxPro which was discontinued in 2007. In fact, Microsoft stopped providing support to Visual FoxPro in 2015.” That means Microsoft stopped providing security patches since 2015.

Bleeping Computer recently reported that “55% of all programs installed on personal computers running Windows are outdated according to an Avast report, exposing their users to security risks because of unpatched vulnerabilities.” In addition, the Avast report points out that “in more than 94% of cases users who have installed Adobe Shockwave, VLC Media Player, and Skype on their computers haven't updated them to the latest versions.”

In many of our training workshops, articles, and blog posts, we point out that outdated software puts cities at risk. Let’s look closer at why.

1. Security vulnerabilities expose your city to cyberattacks.

First, the obvious. Outdated software is often no longer supported by the vendor that made it. That means you no longer receive patches for bugs and security vulnerabilities. Without vendor-approved patches, you are exposing your city to significant security risks that hackers exploit.

When you don’t patch old software or try to cobble something together, it’s simply not good enough to counter the sophistication of hackers. Outdated software increases your risk of ransomware, malware, viruses, data breaches, and data exposure.

Another security vulnerability that crops up is trusting that a third-party provider somehow successfully manages the security of the outdated software. In the case of the New England software above, the Vermont municipalities trusted the third-party provider. However, outdated software is outdated software, even if someone attempts to “support” it. The situation in Vermont shows that you need to proactively ask if third parties are effectively securing and patching the software. Any software that cannot be patched and updated is a high risk.

2. Clinging onto old software leads to excessive costs.

If the software vendor doesn’t support the software anymore, someone else must make a best effort attempt to keep the system going. That someone will have limited capability to support the system and resolve issues. They will not be able to patch and update the system. This, again, is high risk.

That someone is usually an overworked IT staff member, a high hourly billable IT resource, or a company that’s charging high rates to maintain something so old. Old software, like a car, will also break often, requiring even more repair time and money.

There comes a point when the high risk and unpredictable maintenance costs have far surpassed the costs of an upgrade to modern software, and an upgrade will staunch your financial bleeding.

3. An inability to use modern functionality.

Consider your phone as an example. Are you using a Blackberry from 2004? An iPhone from 2009? A Droid from 2010? Why not? Your phone wouldn’t be able to handle modern applications like GPS, music streaming, or watching videos.

The same is true for your city’s outdated software. Software evolves very rapidly, and it increases the expectations of what users can do with it. If your software can’t perform basic, expected functionality, then it starts to affect how you do business and you will fall behind in productivity compared to other cities and businesses.

4. An increased risk of business disruptions.

Your citizens depend on you. Your elected officials depend on you. Your city staff depend on reliable tools and technologies. Yet, old software freezes, breaks, and fails. It’s not reliable. To “save” money, you’re literally putting up with something that risks disrupting your city’s services and affects the way you serve your citizens. Modern software is more reliable, secure, and faster.

5. An inability to integrate with modern technology.

Outdated software also usually has trouble integrating with modern technology. Examples include:

  • An inability to integrate with a newer operating system such as Windows 10, causing you to stay on another unsupported software platform (like Windows XP) or silo your software from the rest of your technology.
  • An inability to store data in the cloud, meaning you will not be able to access that data from anytime, anywhere.
  • An inability to integrate with mobile devices. Unlike many of your applications (such as email and documents), you won’t be able to access your software on your phone.

Newer software often has built-in integration with modern technologies and will seamlessly work across multiple devices. If you’re hitting walls with technology, such as not even being able to run it properly on your city’s computers, then you need to look at an upgrade.


Old software is one of the most misleading “cost savers” at cities because it’s not really saving you money. Quite the opposite. In addition to bleeding money, it also heavily risks your city operations and slows you down unnecessarily—similar to using that 2004 Blackberry phone in 2019. Upgrading your software will give you fast, reliable, and secure applications to help your city do its best work.

Need help upgrading your old software? Reach out to us today.

Monday, March 18, 2019
Kevin Howarth, Marketing & Communications

We hope to see you at the following city events this week!

GCCMA 2019 Spring Conference
March 20-22, 2019
Athens, Georgia

 

2019 Iowa Municipal Management Institute (IMMI)
March 20-22, 2019
Iowa City, Iowa

Sophicity’s CEO, Dave Mims, will present an IMMI session titled "Stop Ignoring the Problem: Technology Concerns that Should be Keeping You Up at Night" on Wednesday, March 20 at 3:45 p.m.



To keep up with upcoming events over the next few months along with receiving the latest municipal IT news, articles, and interviews, subscribe to our email newsletter.


Friday, March 15, 2019
Kevin Howarth, Marketing & Communications
Wednesday, March 13, 2019
Nathan Eisner, COO
Nathan Eisner

Payroll. One of the key essential activities of your city operations. Without paying your city employees in a clockwork fashion and carefully following all regulations, your city may get into staff retainment, financial, and even legal trouble.

That’s why threats to payroll need to be taken seriously. And there are more technology-related threats than ever—from cyber criminals to internal issues with data processing. Let’s look at a few of these threats and how IT can help you combat them.

1. Phishing

A few months ago, our Director of Finance and Human Resources received an email from “me.” (Note that this was not the first of its kind.) Take a close look and see if anything appears suspicious.

---

From: Nathan Eisner <admin@ocess.net>
Sent: Tuesday, October 02, 2018 10:57 AM
To: [OMITTED FOR EXAMPLE]
Subject: Direct Deposit Info Update

Sue,
I changed my bank and i ll like to change my paycheck dd details, can the change be effective for the current pay date?

Regards
Nathan

---

If you glance at it quickly, the email almost looks legit. But there are two glaring red flags:

1. The FROM email address is clearly not from our company (and specifically from my work email address).

2. The grammar is slightly not right, and the sentence is unusually direct without any helpful context.

Unfortunately, these kinds of emails often trick employees at organizations. KnowBe4 talked about a recent case at Wichita State University in Kansas: “Three employees of [Wichita State University] fell prey to a common phishing scam asking for their credentials, giving cybercriminals access to change banking details. We’ve said it time and time again: the bad guys do their homework. In the case of the attack on WSU employees, cybercriminals spoofed the university’s payroll system and sent emails to employees tricking them into providing their university ID and password. That was all the attackers needed to gain full control to the employee’s profile, personal data, and most importantly – banking information.”

We suggest reading our phishing tips, reviewing some of the FBI’s phishing tips about payroll scams, and continually training your payroll and finance department employees about how to spot phishing attacks.

2. Ransomware

Not having defenses or preparation against ransomware can affect your payroll. Madison County, Idaho experienced such a situation in October 2018. The Rexburg Standard Journal said, “The hacker demanded money to restore files and access, but Madison County officials declined to pay. Instead, officials turned to their IT specialists to fix the problem. […] IT workers succeeded in restoring the county’s pay system, which allowed for county workers to be paid, reported Madison County Clerk Kim Muir. ‘They got the payroll system back up. Otherwise we’d be cutting paper checks, and we don’t want to do that,’ she said.”

Despite the optimistic tone of this article, consider that the ransomware took down the county’s payroll system for more than four days. What if the Tuesday of that week was payday?

Is your payroll system ready for a ransomware attack? We suggest reading our 2018 blog post, “Ransomware Cripples City for Weeks—and What We Can Learn, “ to find out.

3. Hacking through security vulnerabilities

Hackers take advantage of unpatched, vulnerable software to break into servers and extract information such as payroll data. Sometimes, vendors (especially those with outdated or poorly managed software) may not proactively keep up to date with the software patching you need (as seen by the example of Click2Gov last year). Other times, cities fail to stay up on patching—leaving financial systems exposed.

We recommend reading “Why Is Patching a Problem? Reasons Behind Resisting a Surefire Cybersecurity Best Practice.” If you address the root causes of why you don’t proactively patch your software, then you will make your payroll systems more secure.

4. Risk of permanent data loss

What if your payroll software experiences a server failure? What if a natural disaster occurs and wipes out your servers? Can you recover your payroll data in hours or days?

As part of your disaster recovery plan, you need to make sure you can recover important data such as payroll data sooner than you recover less critical data. And also work with your IT staff or vendor to make sure your payroll data is all—and not partially—recoverable (which you can confirm by regularly testing your data backup).

5. User access and authorization

Who can access your payroll software? Who is authorized to access specific information? Does everyone in the finance department have “admin” (or full) access?

Thinking through your user access and authorization policies can help you lessen the risk of incidents that expose data. This includes third party access to your applications. Do vendor employees have access to sensitive payroll data for no clear reason? Do contractors unnecessarily have access to sensitive data? Your IT staff or vendor can help you perform an audit of who can access your payroll software and what they can see. Then, you can create policies that more clearly define who has access to what information.

6. Data processing and integrity

Sloppy, weak, or error-prone data processing and integrity doesn’t serve you well. A few tips include:

  • Ensuring that you have reliable transaction logs: In a previous blog post, we noted, “These logs record all electronic information about transactions that take place within an application. For example, you may enter payroll information each week into your accounting application for each employee. Each completed set of data that you input for each employee counts as a transaction if the data is processed between, for example, your system and a bank. Transaction logs must match what are known as ‘source documents.’ For example, payroll information may originate from a timesheet (either on paper or sent electronically). If the timesheet and the paycheck doesn’t match, then there may be a transaction error. Experiencing many transaction errors may indicate a problem with your application or with the way your employees are using it.”
  • Set up proper controls and processes. The right controls and processes help prevent data input errors or fraud—such as an employee changing payroll data or deleting payment records.
  • Put field edit checks in place to reduce errors. You can require that employees fill in certain fields, information gets autocorrected, and autofilled data populates fields.

7. Software best practices

Your payroll system, beyond patching, is affected by software quality. Make sure you:

  • Use updated operating systems: Unsupported operating systems (like Windows XP) opens your payroll software up to cyberattacks. Windows 7 will be unsupported as of January 14, 2020, and your payroll software is at risk if you are running it on this soon-to-be-outdated operating system.
  • Run your payroll software on a server or servers (preferably in the cloud): Some cities run important software like payroll software on a single PC. There are so many reasons why this is a bad idea, from data backup uncertainty to lack of cybersecurity oversight. Run your software on servers or, better yet, through the cloud so that you don’t have to maintain hardware onsite.
  • Use modern software: Using old, outdated software opens your city to up many security risks such as ransomware, viruses, unauthorized access, and permanent data loss. You also will risk your payroll software freezing, slowing down, and crashing. Don’t skimp on your payroll software.

    Worried about risks to your payroll software? Reach out to us today.

Friday, March 8, 2019
Kevin Howarth, Marketing & Communications
Tuesday, March 5, 2019
Adrian McWethy, Network Infrastructure Consultant
Adrian McWethy

Last year, Hurricane Florence and Hurricane Michael were sad, powerful reminders of nature’s power. They devastated many cities in North Carolina, South Carolina, and Florida while causing flooding in other states. As cities lost power, experienced flooded and destroyed buildings, and dealt with loss of life, citizens relied on municipal government for many services in the aftermath. Safety information, road closures, school closures, emergency information, emergency response, public works activities, and other services are all important to citizens as you continue to run your city’s operations despite possibly experiencing the disaster of a hurricane yourself.

To serve citizens after a hurricane, you need access to your electronic data. Yet, at a time when cities are already traumatized by a natural disaster, they unfortunately often experience a further ill-timed shock to discover they made some wrong assumptions about data backup or failed to create an effective disaster recovery plan.

While your city might be removed from hurricane threats, you can still experience other types of natural disasters like flooding, tornadoes, fire, and even cyber disasters like ransomware. Before a disaster hits, use this checklist to see if you’ve anticipated the following data backup hurdles.

1. You find out your “offsite” backup is not really offsite.

Cities sometimes think they have “offsite” data backup when it’s not actually offsite. Some examples include:

  • Locating your “offsite” data backup in a building next door to City Hall.
  • Locating your “offsite” data backup in a building one block away from City Hall.
  • Locating your “offsite” data backup at an employee’s house or a safety deposit box in a local bank.

When a natural disaster hits, that disaster can threaten an entire area—meaning your “offsite” data backup is really “onsite.” In other words, true offsite data backup doesn’t mean nearby. It means storing your data backups in a data center geographically distant from your city to ensure that it’s completely removed from the disaster area.

2. You find out it will take a long time to order and replace hardware.

It’s not unusual for new servers to take 3-4 weeks to arrive after ordering. Can you be without servers for that long?

Not after a hurricane. Those are crucial weeks when citizens who may rarely interact with your city are now relying on you for services and information. This is when your offsite data backup component needs to enter the picture and save the day.

Until the new servers arrive, you can access city data through the internet where it is backed up in the cloud. As long as city employees have an internet connection and a computer, they will be able to access the information they need to keep working on behalf of citizens.

3. You find out that time to recovery is too long.

Last year, we wrote a blog post about time to recovery. Even when cities have data backup in place, they can often overlook the time it will actually take to restore backed up data into an operational, useable state.

Before you stumble upon this overlooked roadblock, you want to ask yourself:

  • Do I test my data backups? By testing, you will see how it long it actually takes to restore data and flush out any issues.
  • In what order would I need my data after an incident? Cities need to restore more critical data first.
  • Who is responsible for recovering the data? It’s embarrassing to know you’ve backed up data and then, facing the need to recover it, a group of city employees stare at each other and ask, “Now what happens? Who’s going to do what?” With defined roles, specific people should hit the ground running after an incident and everyone should know what steps need to be taken to restore the data.

4. You find out you don’t really have a clear disaster recovery plan.

If you have an overall disaster recovery plan, have you answered all data backup-related questions? You want to do this long before an actual disaster hits. We wrote a blog post a few years ago that highlights some important questions about a disaster recovery plan:

  • If a disaster happens, how would you run your city? Where will you meet? What will you need to do?
  • How is your hardware, equipment, and data backed up? Do you have an onsite and offsite component? Is it tested periodically and monitored by professionals?
  • What can you still do while power and Internet is out? Do you have generators? Can you access data through WiFi?
  • What services and data will you need immediately, and what can wait? Can you restore your most critical data first, and quickly?
  • What do your vendors provide concerning disaster recovery in their support agreements? Are you sure that they will help you in the right way after a disaster?

5. You don’t back up any of your data in the cloud.

Cloud backup is essential after a disaster. Some cities still get skittish about the cloud and prefer onsite servers that they can see and touch. However, if you rely only on hardware you own, then employees can only often access data onsite or through a secure connection that connects directly to the server. If employees cannot get to city hall or the servers are destroyed, then they cannot work.

With the cloud, city employees only need an internet connection to access data—and they can access that data anywhere, anytime. Cloud services especially help after a disaster when city hall and equipment may be damaged and take weeks to rebuild.


Natural and cyber disasters are tragic enough. Don’t add to the tragedy by finding out, too late, that you are not able to restore data, keep city operations running, and serve citizens to the best of your ability. With a robust onsite and offsite data backup and disaster recovery plan that accounts for all of the five issues above, you will be ready to respond.

Need help assessing your city’s disaster recovery plan? Reach out to us today.

Monday, March 4, 2019
Kevin Howarth, Marketing & Communications

We hope to see you at the following city events this week!

Newly Elected Officials Institute
March 6-8, 2019
Tifton, Georgia

 

2019 Kentucky League of Cities Insurance Services Risk & Safety Conference
March 6-8, 2019
Bowling Green, Kentucky

 

To keep up with upcoming events over the next few months along with receiving the latest municipal IT news, articles, and interviews, subscribe to our email newsletter.


Friday, March 1, 2019
Kevin Howarth, Marketing & Communications
Monday, February 25, 2019
Kevin Howarth, Marketing & Communications

We hope to see you at the following city event this week!

CIS Annual Conference
February 27 – March 1, 2019
Salem, Oregon

To keep up with upcoming events over the next few months along with receiving the latest municipal IT news, articles, and interviews, subscribe to our email newsletter.


| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 |