We put the IT in city®

CitySmart Blog

Tuesday, October 16, 2018
Eric Johansson, Network Infrastructure Consultant
Eric Johansson

Cities and towns—even the smallest municipalities—not addressing fundamental problems with information technology and cybersecurity are not simply risking a virus that could wipe out data. They risk serious legal, financial, and operational penalties. As stewards of private, sensitive, and confidential information, cities must take information technology seriously.

The impacts of IT and cybersecurity underspending, obsolete systems, and poorly trained staff can hurt cities from a variety of angles.

1. The high costs of a cybersecurity incident.

When cities experience a cybersecurity incident without proactive IT support and cybersecurity best practices implemented, the costs in the aftermath of that incident will rise quickly from:

  • The time needed to notify authorities and regulatory agencies.
  • Hiring emergency IT consultants to address the incident.
  • Notifying citizens about the incident and providing them financial reparations (such as free identity theft monitoring services).
  • Paying lawyers lots of money to deal with legal issues related to the incident.
  • Many hours spent by city staff in crisis mode addressing the incident.

Even after addressing the incident, the repercussions may continue to be costly. Lawsuits, fines, and a damaged reputation in the eyes of citizens and businesses will haunt your city for months and years.

2. Losing access to national and state databases (such as crime databases).

When your city appears unable to handle sensitive and confidential data, you may lose access to it. Just consider the example of the Riverside Police Department in Ohio. According to the Dayton Daily News (via GovTech):

“Riverside Police Department’s access to Ohio’s statewide system of law enforcement databases is suspended following multiple ransomware attacks on the city’s computers earlier this year, the Dayton Daily News has learned. The department lost access to the Ohio Law Enforcement Gateway on May 14 in order to shield the system from damage and protect confidential information from exposure, a spokeswoman for Ohio Attorney General Mike DeWine said. Frank Robinson, the Riverside police chief, said the department is largely unable to access ‘anything that has do with old reports or old cases’ in Riverside. He said it is possible that some of the inaccessible reports are for still-open cases.”

Imagine if your police department was unable to access state or national crime databases. Today, so much information access and sharing requires interdependence—and with interdependence comes responsibility. Do you think a friend would feel comfortable leaving valuables at your house if you never locked it? The same logic applies here. Cities need to implement basic cybersecurity best practices or risk losing access to important information from government agencies.

3. Paying higher cyber insurance premiums.

Some cities think that cyber insurance will help take care of the high costs of a cybersecurity incident. However, cities will pay much higher premiums for what’s already costly insurance if they don’t address some of the following issues:

  • Keeping software modernized, upgraded, and patched
  • Creating a strong password policy
  • Protecting wi-fi access points
  • Using enterprise-class antivirus software managed and maintained by IT professionals
  • Using modernized, professionally supported hardware
  • Conducting ongoing employee training about cyber threats
  • Establishing clear data access and authorization policies
  • Establishing a data backup and disaster recovery plan

By taking more proactive steps, cities both lower cyber insurance premiums and reduce the risk of having a cybersecurity incident at all.

4. Cybersecurity continuing to affect municipal borrowing.

Last year, we reported on a trend with credit-rating agencies such as Standard & Poor's (S&P) and Moody’s taking municipal cybersecurity into account when considering borrowing rates for cities. In April 2018, PNC published a report that stated:

“We are seeing that the rating agencies are starting to ask issuers cyber-security-related questions. We also are seeing a limited amount of disclosure, usually after an attack occurs. To date we are not aware of any municipal bond participants that have been downgraded solely as a result of a cyberattack. However, we do think state and local governments will need to take these very seriously in the future and prepare technological and procedural solutions mitigating the threat that exists from cyberattacks.”

The report references cyberattacks at the City of Atlanta, the City of Baltimore, the Colorado Department of Transportation, Davidson County (NC), Mecklenburg County (NC), the City of Dallas, and the City of Lansing (MI) as important examples of why borrowers must take municipal cybersecurity into account. If cities want to borrow money at lower interest rates, they need to proactively address cybersecurity.

5. Arkansas cities can lose their charters if they do not maintain specific cybersecurity standards.

In one state, not following cybersecurity standards can lead to the loss of a city’s charter. As we reported last year after the passage of SB 138:

“The bill states that an Arkansas municipal charter can get revoked (yes, revoked!) if the Legislative Joint Auditing Committee finds two incidents of non-compliance with accounting procedures in a three-year period. Revoking a charter is serious, rare, and extreme. That’s pretty much the end of your municipality. The Arkansas Legislative Audit (ALA) includes both general controls and application controls around information systems. For municipalities, accounting systems are often the most important information system they oversee.”

In another post, we talked about three important points related to this new law:

  1. Arkansas cities can now lose their charter from non-compliance with IT-related accounting practices.
  2. While the law applies to application controls, it’s wise to follow all IT best practices recommended by the Arkansas Legislative Audit.
  3. Other states should see Arkansas as a sign of what’s to come—and prepare.

See a pattern? Today, proactive IT maintenance and support goes far beyond just making sure your hardware, software, and systems are running smoothly. Lack of proper “cyber hygiene” can impact the way you protect information, comply with the law, and stay financially sound as a city.

Are your cybersecurity measures up to the task of protecting your city? If not, reach out to us today.