We put the IT in city®

CitySmart Blog

Wednesday, September 5, 2018
Patrick Perry, Network Infrastructure Consultant
Patrick Perry

IT security company KnowBe4 published an interesting blog post in June that detailed a court case in North Carolina that should worry cities. The blog post’s author Stu Sjouwerman says:

“According to a recent federal court decision, an employee who is tricked into sharing personal information in response to a phishing email can be seen as committing an intentional disclosure under the North Carolina Identity Theft Protection Act (NCITPA). As a result, the employer could face treble damages for the employee’s mistake, adding a new element to potential exposure for businesses. […] The failure to train employees may quickly become more costly not only for North Carolina employers. This decision will be looked at by other courts who very well might come to the same conclusion that not taking reasonable measures to defend against scams like this merits treble (punitive) damages.”

While this federal court decision seems limited to North Carolina right now, it’s probable it could set a precedent for the rest of the United States. As we’ve seen in recent years, cybersecurity laws and regulations are growing stronger as the repercussions from incidents grow more serious.

Cities should not wait until the law catches up to them. Instead, this court case should serve as a warning bell to make sure employees are aware of cybersecurity best practices and defenses against the tricks of hackers.

Here are a few areas where “oops” may no longer work as an excuse.

1. Falling for phishing scams.

Too many employees are not skeptical and still fall for amateurish phishing emails. As a result, employees are likely to click on a link or attachment that downloads a virus into your systems. Or, they will share confidential financial or personal information that leads to a cybersecurity incident involving lost money or the unauthorized release of confidential information into the public domain.

Amateurish phishing emails can often be spotted by examining the email address, the grammar of the content, and the suspicious action that the sender wants you to take. Employees must become even more skeptical as sophisticated “spear phishing” attacks closely imitate people within a city (such as a city manager) and attempt to get city staff to send money or sensitive information to criminals.

To help city staff guard against these types of cyberattacks, consider periodically testing city staff by sending safe phishing simulations with the intent of identifying who is most susceptible to clicking on phishing emails. After identifying those employees, you can give them extra training.

2. Falling for phone phishing.

While seemingly unrelated to cybersecurity, phone phishing is just as dangerous as email phishing. Because many employees sincerely want to help, hackers often attempt to acquire usernames, passwords, and other online credentials over the phone and then use that information to hack an account online. Really good phone phishers can sound very personable like a new employee or a long-time vendor asking for authorized access to information.

Again, employees need to be skeptical and, more importantly, rigorously follow policies and procedures. Even if their favorite co-worker asks for a password or sensitive information over the phone, an employee should not break the rules but instead follow protocol.

As we’ve said in a previous post, “A legitimate IT person or customer support representative does not need your account username and/or password to perform their task. Period. In addition, employees need to follow a process for setting up new vendors—especially when giving vendors access to systems or authorizing payments to them.”

3. Poorly securing and managing passwords.

If you think about passwords like a key, the entire way of thinking about passwords changes. Imagine if an employee:

  • Left City Hall keys lying on their desks at all times.
  • Gave City Hall keys to co-workers if they suddenly needed access to a room.
  • Gave a City Hall key to a vendor representative who didn’t follow your policies and procedures but sounded very convincing and personable.

Obviously, these employees may get fired for such negligence. Yet, cities often don’t think about passwords the same way.

Hackers and criminals take advantage of lax password security—from passwords written on sticky notes in plain sight on an employee’s computer to employees sharing passwords without a second thought—to break into a city’s systems. Having weak passwords (like “123456,” “password,” or “admin”) also makes a hacker’s job easy.

A city needs to enforce password policies that require employees to use passphrases or complex passwords, keep passwords secured like money or keys, and not share passwords with people without authorization or following strict procedures.


Employee training needs to become just as much a part of your IT strategy as maintaining your servers and computers. Otherwise, you’re increasing the risks of employees making errors that the law may punish more severely in the future. And training needs to include your mayor, elected officials, city manager, city clerk, and department heads—along with all other employees.

Are your employees ready to fend off cyberattacks and phishing attempts? If you’re in doubt, reach out to us today.