We put the IT in city®

CitySmart Blog

Tuesday, April 24, 2018
Nathan Eisner, COO
Nathan Eisner

If you think that cities aren’t a target for hackers, just look at some recent front-page news of cyberattacks that have caused devastating damage. Atlanta ended up paying $2.7 million to deal with a ransomware attack—and some services are still inoperable or paper-based six weeks after the attack. And Savannah, Georgia took weeks to recover from a devastating malware attack back in February.

While we’ve written a great deal about cybersecurity (and many other trade publications, IT vendors, and specialists are writing about cybersecurity), it can all seem a bit overwhelming at times. Where do you start?

This 20-question assessment will help you start with some basic questions, and we also link to many of our blog posts if you’d like additional information about the areas we discuss. We’ve grouped these questions around our “tripod” of IT.

PROACTIVITY

1. Does my city keep our software modernized, upgraded, and patched?

Many cyberattacks can easily be prevented through up-to-date, patched software. Dangerous ransomware like WannaCry exploited unpatched software. Keeping up on patching and upgrades shores up security holes and vulnerabilities. Also consider modernizing your software, especially because older software eventually becomes unsupported by the vendor and more vulnerable to attacks.

Be especially careful of freeware (which is usually unauthorized, unapproved, and unmanaged software at your city) and a failure to update operating systems and web browsers.

2. Does my city have a strong password policy?

Passwords are like locks to hackers. If you have a simple lock (or no lock), then it’s easier to break into a building. Similarly, if your employees use simple passwords (like “123456,” “password,” or “admin”), then you’re at risk. A strong password policy enforces the use of complex passwords, creating new passwords on a periodic basis, and Two Factor Authentication (2FA).

3. Does my city protect our wi-fi access points?

Unsecured or easy to access wi-fi leaves you open to an easy cyberattack. In a previous post about wireless access security, we recommended that you:

  • Secure and lock down all wireless devices.
  • Remove physical wireless access hardware from the public or unauthorized employees.
  • Apply patches and upgrades to wireless devices.
  • Use appropriate wireless hardware and configure it properly.
  • Monitor and maintain your wireless network for security risks.

4. Does my city use enterprise-class antivirus software managed and maintained by IT professionals?

Only managed and maintained enterprise-class antivirus software can ensure your virus definitions are constantly up-to-date, all your devices are protected, your systems are monitored for virus threats, and that you have the experience to know what to do quickly if a virus is encountered before an outbreak occurs. Taking shortcuts with free or employee-managed consumer-grade antivirus is a risky shortcut.

5. Does my city use modernized, professionally supported hardware?

Old hardware—servers, workstations, routers, firewalls—can become more vulnerable to cyberattacks if it becomes unsupported. Also, improper hardware configuration or decommissioning can create gaping security holes. Modernize your hardware!

6. Does my city have strong physical security?

This aspect of cybersecurity often gets overlooked. Hackers or disgruntled employees can exploit physical security vulnerabilities to initiate cyberattacks. Best practices such as securing rooms with sensitive IT assets, requiring employees to log out or lock their computer screens when not at their desks, and keeping an updated hardware inventory all goes a long way toward keeping your physical assets secure.

7. Does my city know that our website is secure and hosted by a reputable provider?

In a previous blog post, we said about website hosting providers, “Are they regularly providing security updates? Are they monitoring for security vulnerabilities? Where are they hosting the servers? Within sovereign U.S. borders? […] Will they allow for a third party to scan your website for security vulnerabilities? If you’re not sure of the answers to most of these questions, then you might want to reexamine where you’re hosting your website.”

8. Does my city know that our email is secure?

We still find cities using personal email accounts or consumer-grade email with questionable security. Your email should be encrypted, offer strong antispam capabilities, and fully integrate with your enterprise-class antivirus software.

9. Does my city know that its online payment system is secure?

In a previous blog post, we said: “Cities should expect the same security from an online payments vendor that they would expect from their personal online banking. That means an industry standard level of encryption, strong authentication, strong passwords, regular auditing, and the ability of the vendor to provide documentation proving that they are testing their security controls on an ongoing basis. In addition to these basic technical requirements, it should also be clear who can access and change any payment information. Permissions and access need to be controlled with sufficient rigor and protection.”

EMPLOYEE TRAINING

10. Does my city conduct ongoing training about cyber threats?

You can’t just train employees once and be done with it. Cyber threats change constantly. Just a few years ago, ransomware wasn’t on most people’s radar screens. Today, it seems not a week goes by that the latest and biggest new ransomware compromise is reported in the news (again).

Also, as a part of training, it’s good to periodically reinforce lessons about traditional threats such as malicious email attachments or dangerous websites.

11. Does my city let employees know that human error is at the root of many cyberattacks?

It’s easy for employees to believe that if good antivirus software, antispam software, and professionals overseeing IT are in place, then there is very little risk of making a horrible mistake. Yet, an employee clicking on a malicious email attachment or website is at the root of many major successful cyberattacks during the last few years.

Employees need to stay aware of the many ways they can be tricked in a cyberattack including phishing (such as through malicious email attachments or links), poor online habits (such as taking “fun” quizzes or downloading games), and phone calls (where a hacker may attempt to extract sensitive information over the phone by pretending to be a legitimate caller).

12. Does my city have clear data access and authorization policies?

How are people authorized to access information at your organization? Policies should cover vendor contracts and management, network security, wireless security, physical access security, logical access security, disaster recovery, and application controls (such as data input, processing, and output).

13. Does my city have confidence it is compliant with federal and state laws?

Despite the rigor involved in complying with various federal and state laws, cities lack sufficient cybersecurity measures that properly protect information. Your city needs to know—with certainty—that it is protecting personally identifiable information (PII), retaining records and following open records laws, and properly managing body camera footage. Otherwise, cities may find themselves in legal woes and experience increased liability.

14. Does my city have a clear mobile policy for employees?

Ideally, cities need to provide city-owned devices to employees to keep a clear separation between city business and personal use. However, your city may allow you to bring your own device (BYOD). Whichever route you take, create a mobile policy that maintains a clear line between city business and the personal use of devices. Additionally, consider mobile management technology to manage, separate, secure, and, if need be, wipe the data of any device that is lost or stolen.

15. What’s the plan if you are hacked?

Your city needs a clear, specific incident response plan in case you are hacked. What happens? What steps need to be taken? How will you report the incident to authorities and regulators? How will you tell the public and communicate with anyone affected? You may need different incident response plans for different events such as ransomware, denial of service attacks, or a suspected data breach.

16. Does your city include everyone in your cybersecurity plan?

It’s still easy for many busy, non-technical city leaders to downplay the importance of cybersecurity or “just let the techies handle it.” However, there is a part for everyone to play—elected officials, city management, IT staff and vendors, and employees. It sounds like a cliché, but it’s true that cybersecurity is everyone’s responsibility.

17. Does my city have a clear social media policy?

Because Facebook or Twitter is not part of your city’s software or systems, it’s easy to overlook social media as a security threat. However, you need to guard access and authorization to social media pages and enforce policies about what kinds of information can be shared. It’s easy for an employee to reveal sensitive or confidential information on a social media platform or for a hacker to use information gleaned through a social media account to begin hacking a city.

DATA BACKUP AND DISASTER RECOVERY

18. Does my city have a data backup and disaster recovery plan?

A stark reality for cities is that a data breach or cyberattack may be inevitable. So, you must prepare for a worst-case scenario. One of the best preparations is an effective data backup and disaster recovery plan that involves an onsite and offsite component. That way, even if ransomware encrypts your information and prevents you from accessing it, you can revert to a previous state of your data before the infection began.

19. Does my city periodically test its disaster recovery plan?

It’s too common that cities think they have a good data backup and disaster recovery plan. Then, an incident happens. They enact the plan. And...it doesn’t work. Why? The city hasn’t tested it. Testing uncovers issues that may prevent you from restoring critical data, and it’s essential to conduct a full simulation test periodically (such as quarterly).

20. How is your critical information centralized, managed, and prioritized?

A data backup and disaster recovery plan requires that you know a lot about your data. What is your most critical data? Where is it stored? How is it accessed? If you need to enact your data backup and disaster recovery plan, then in what order will you restore your data?


This 20-question assessment should give you a thorough start in helping you assess the state of your city’s cybersecurity. We encourage you to explore the many blog post links we provided for further information.

Need help addressing any or all of these aspects of cybersecurity? Reach out to us today.