
CitySmart Blog

Friday, December 7, 2018
Kevin Howarth, Marketing & Communications
Tuesday, December 4, 2018
Matt Wood, Network Infrastructure Consultant

When a new city contacts us wanting help with IT support, we often hear frustrations about their current provider such as:

- “They can take days to respond.”

- “It sure does take them a lot longer than expected to fix what should be simple issues.”

- “They return to fix the same issues again and again.”

Have you said or thought the same thing? Assess your current IT support against the five different aspects of responsiveness we’ve listed below and consider if improvements are needed.

1. The time it takes to respond to your initial communication.

This may seem simple, but so many IT support vendors get this wrong. Many cities will call or send an email about an issue and wait days (yes, days) to hear back. As you know, IT issues are urgent. They disrupt city operations, citizen services, and employee productivity. You can’t wait days, and yet many cities do because they are not a priority for the vendor or the vendor doesn’t have enough available staff resources.

How about an IT vendor that immediately picks up the phone when you call and is ready to address the issue? Or responds within minutes? That’s the kind of responsiveness cities need. Other channels such as email or live chat windows are also ways to contact a helpdesk engineer fast. If your city can’t contact and engage with IT support within a reasonable timeframe, then you need to seriously explore new options.

2. Remote support as a diagnostic and resolution tool.

Whenever possible, a good IT helpdesk will attempt to quickly resolve problems remotely. By securely accessing an employee’s desktop, the IT engineer can respond immediately to your issue and begin troubleshooting—collecting a lot of useful data as they assess. In many cases, they can resolve issues remotely. If an onsite visit is required, the IT engineer will already have identified the problem and will understand what needs fixing, which maximizes the time spent onsite.

IT vendors sometimes schedule onsite visits for every problem imaginable, thus delaying resolution. As you know, many onsite visits rack up billable hours and get expensive—especially when IT engineers arrive without having properly diagnosed the problem. Make sure your IT support vendor has secure remote support capability. It’s more professional and lessens expensive onsite time.

3. A focus on business continuity in case of major problems.

Let’s say the helpdesk assesses that you have a serious problem such as a failing server or critical software that needs replacing. At the same time, you need to keep your city operations going. How does your IT support vendor respond? Is it with “This is another vendor’s issue, not mine,” or is it possibly something like “It is going to take an additional _____ hours to fix and cost _____ more not including the additional _____ that must be ordered which will take _____ days to deploy”? Or is it even a response of “I don’t know”?

Where does that leave you in the meantime? Issue unresolved. System down. Uncertainty about when you will be back up. Uncertainty about cost. Uncertainty about what to do.

Your IT support vendor should focus on keeping you running while fixing the bigger problem. For example, if a server is starting to fail, they may respond by switching you over to a temporary solution while a new server is ordered. Or while you begin the search for new software, the IT support vendor may work to optimize the current software’s performance or place the data in the cloud for easier access. In other words, they help you stay operational while continuing to fix the bigger issue.

4. Communicating with other IT vendors on your behalf.

Let’s say you run into a technology issue that’s not under the scope of your IT support vendor—such as a specific hardware or software issue. Cities have told us stories about IT support vendors that throw up their hands and leave thorny technology issues to non-technical city staff to handle (who are already overwhelmed with their day-to-day jobs).

We provide a service with IT in a Box called “vendor management.” That means we handle and resolve technology issues including working with and managing issues related to other vendors. We don’t wait, and you’re not left trying to figure out who has responsibility for what issue—with vendors pointing fingers at each other. We just handle it. If your IT support vendor makes you deal with those kinds of issues, then they are not being responsive to your needs.

5. Quick, efficient, and knowledgeable onsite support.

Obviously, IT problems will arise that require an onsite visit. We’ve talked above about how some IT support vendors like to rely too much on onsite visits. But even when onsite visits are needed, other problems can arise that cities face:

  • IT engineers don’t show up on time. It’s amazing to us how many times we hear about this problem. You’re uncertain why they are consistently not on time, and you’re uncertain when they will arrive.
  • IT engineers seem like they are encountering your problem for the first time. It’s frustrating to explain a problem over the phone and then see when someone arrives that they know nothing or very little about it. Good IT support vendors send people who are informed, knowledgeable, and ready to work on a specific problem that’s already been diagnosed, documented, reviewed, and thought through.
  • IT engineers poorly communicate to you about the problem. Many cities also tell us of their frustration when an IT support vendor shows up, works for a few hours on something, says a bunch of technical jargon, leaves you unclear about the next steps, and leaves. We believe that IT engineers onsite should explain clearly why they are there, ask about your priorities, set clear expectations with you, regularly check in with you, and communicate with you in non-technical, plain language.

In fact, communication is so important that we want to highlight it as an essential element of all five points above. Communication is essential to responsiveness. Responding quickly, clearly, and continually is an intangible ingredient that separates the good from the not-so-good IT support vendors. You may be able to fake technical mumbo jumbo, but you can’t fake timely response and good communication.

Ready to explore better IT support options for your city? Reach out to us today.

Friday, November 30, 2018
Kevin Howarth, Marketing & Communications
Tuesday, November 27, 2018
Dave Mims, CEO

Over the past year, Sophicity has provided a lot of training across Georgia, Kentucky, and Arkansas centered around cybersecurity. The cities we train show up because they don’t want to be that “next city” hammered by ransomware and viruses causing data incidents that lead to disrupted operations, permanent data loss, and expensive financial and legal repercussions.

While cybersecurity can get overwhelming, we beat the following “3Ps” like a drum:

Passwords

Too many cities still use default passwords, obvious passwords (such as a child’s name, pet’s name, college mascot, birthdate, etc.), or weak passwords (like “123456”).

Patching

By not regularly applying patches, whether your software is older or newer, you are choosing to leave security holes open for hackers to exploit.

People

Who is likely to receive an email with ransomware? Who is likely to click on a malicious website link? Who is likely to open a malicious file attachment? People. And what’s the answer to combatting this weakness? Training.

Obviously, there is much more to consider and address with cybersecurity, but these 3Ps – your top 3 risks – are ones you must address head-on, continually, and proactively.

One way to tackle these 3Ps is with proactive (rather than reactive) IT support. Read more about the “choose your own adventure” path you should pick in our featured article below.

In customer news, take a look at the following new websites:

Plus, every Friday on our blog, Facebook, and Twitter feeds, we showcase the website of a city we serve with the trending hashtag #WebsiteFriday.

We’d also like to welcome Rincon, GA, Worthington Hills, KY, Farmington, AR, Ryland Heights, KY, and the Water Board of the City of Vincent, AL to the Sophicity family.

As always, don't hesitate to reach out to me if you have something to share with our local government community.

Blessings,

Dave Mims


Pick a Path: Proactive or Reactive IT Support?

Do you remember reading those Choose Your Own Adventure books when you were younger (or seeing your kids read them)? You may know that, in those books, the reader can choose between different storylines based on their decisions. Many stories and many endings that all start from the same beginning.

In the spirit of those books, we’d like to do our own IT support “adventure” where you get to see two different paths depending on the choice you pick.



Recent Media

6 Ways Technology Helps Cities Follow Records Retention Schedules

5 Legal, Financial, and Operational Penalties for Cities Not Addressing Cybersecurity Risks

Data Backup: Not the Only Answer to Ransomware and Viruses


Events

2019 is upon us! We hope to see you at these upcoming events including:

Arkansas Municipal League 2019 Winter Conference
January 16-18, 2019
Little Rock, Arkansas

2019 KLC City Officials Academy
January 16-18, 2019
Lexington, Kentucky

2019 KLC City Officials Academy
January 23-25, 2019
Owensboro, Kentucky

GMA Mayors’ Day Conference
January 25-28, 2019
Atlanta, Georgia

Georgia Clerks Education Institute Conference
February 3-5, 2019
Jekyll Island, Georgia

A Taste of I.T.

Recently, Eastman, Georgia took time out of its busy daily schedule to grill out with us for what we call a Taste of I.T. These are BBQ-heavy :) customer thank you events that we’ve been bringing to our customers. Literally each month, we bring the food and beverages and get to have lunch with your staff. Thanks to City Manager Jason Cobb, Chief Becky Sheffield, and Chairman Buddy Pittman. We had an awesome time!


Wednesday, November 21, 2018
Dave Mims, CEO
Peanuts Thanksgiving Quote
Friday, November 16, 2018
Kevin Howarth, Marketing & Communications
Wednesday, November 14, 2018
Nathan Hall, Senior Engineer and Team Lead

According to a recent study by Positive Technologies, “As expected, the most successful social engineering technique is the use of a phishing link—27 percent of employees clicked it. Users are not picky when reading the link URL, sometimes clicking it without a second thought. When a user is prompted to download a file and then run it, every additional requested action raises more suspicions. In these cases, only 7 percent of employees were inattentive and fell for the bait.”

With phishing attacks, more steps create red flags—and that means it’s less likely employees will fall for the scam. But phishers are getting better and better at making emails look legitimate. And if scam emails look legitimate, many employees will fall for them.

If you don’t think phishing is a problem at your city, take your total number of employees and multiply that by 0.27. The answer is the total number of employees who are statistically likely to click on a phishing email. But remember it only takes one employee to be fooled for your city to become the latest victim of cyber criminals.

Training helps lessen that risk. In this post, we dissect the tactics scammers use in phishing emails. Your city employees should know about these tactics and receive regular training about them.

1. Convincing email subject lines

A recent TechRepublic article outlined 11 common email subject lines used to trick employees. Notice the pattern: these subject lines are meant to get your attention and imitate an urgent notice from a legitimate source.

  • Review or Quick Review
  • Bank of [Bank Name]; New Notification
  • Charity Donation for You
  • FYI
  • Action Required: Pay your seller account balance
  • Unauthorize login attempt
  • Your recent Chase payment notice to [name of employee]
  • Important: (1) NEW message from [Bank Name]
  • AMAZON: Your Order no #812-4623 might ARRIVED
  • Wire Transfer
  • Assist Urgently

Scammers are looking to get your attention so that you open their email, and they use compelling email subject lines to do it.

2. Convincing sender email address

Scammers have gotten good at spoofing email addresses from people. You may receive an email that looks suspicious (such as saying, “Click here!”), but you might trust the email because it looks like a friend, family member, or co-worker sent it. Their name appears along with their correct email address, so you logically think it’s from them.

So, how do you know whether it’s really from them? Look at other clues within the email. Does the message sound like something that person would send? Is it consistent with previous messages? If you have any doubt at all, call that person and ask if they sent it.

3. Convincing message

Here is where scammers often hit pay dirt. They become better and better at writing messages that seem legitimate. Let’s look at two tactics.

Classic deception

Scammers craft mass email messages that seem legitimate and trick you into clicking. For example, you might receive a message that says, “You have (1) new Amazon reward ready to claim.” If the email contains other Amazon-like messaging that seems legitimate and you’ve participated in similar rewards programs with companies, you may click on the link.

Business email compromise and spear phishing

Business email compromise takes a variety of forms but often involves scammers taking over an email account (by gaining access to a username and password), targeting specific people in your city by pretending to be the person whose account they took over, cultivating a targeted person over a period of time, and then enacting the scam.

According to the FBI, “[In] just about every [business email compromise] case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals.”

Business email compromise is different than “spear phishing,” which involves the same tactics but relies on a spoofed email address rather than a compromised email account. The City of Paris, Kentucky experienced a spear phishing attack last year. If you want to learn more, we wrote a blog post interviewing the city clerk and analyzing the email.

4. Convincing look and feel

Another approach involves closely copying legitimate emails from a graphic design perspective. One way that people assess emails is by the look and feel. If it looks professional and sophisticated, it must be okay, right?

Take a look at this email. The scammer copies Google graphics fairly well so that, at a glance, it looks legitimate. The Google logo is correct, the blue button looks like Google buttons, and the messaging below the button looks professional.

 

However, a few things should raise red flags:

  • The email address does not look professional or related to Google at all.
  • “GoogleSupport” is one word. That’s odd.
  • What’s a “returned email message”? If you’ve used email for many years, you know that emails sometimes bounce back and you receive an automated message from the recipient. But you don’t get “returned email messages” with email.
  • An organization like Google would send clear, professional, detailed messages during the rare times they contact you. This email raises more questions than it answers. It’s cryptic.
  • Hovering over the button shows a URL that is suspicious and not related to Google at all.

Again, if you have any doubt whatsoever about an email, don’t click on anything. Instead, go directly to the company’s website or application. For example, if you had doubts about the message above, go directly to your Gmail account and see if any legitimate alerts or messages are waiting there.

5. Convincing attachments

Phishing scammers love it when you open attachments full of ransomware, malware, or viruses. To tempt you to open them, they use Word documents, PDFs, and zip files with normal business terminology like “contract,” “invoice,” “order,” etc. For example, look at the following message.

 

At a glance, you might just see “Apple” and “Order” and think, “Did I order something? Let me check the order.” You click on the PDF and…it’s not a PDF. Something starts downloading to your computer and suddenly you’ve got a ransomware virus infecting your city.

Do not, do not, do not click on suspicious attachments. In the email above, notice the strange email address and complete lack of information about the order. If you have doubt, ask the sender if they sent you a legitimate email with a file or document.

6. Convincing links and buttons

Scammers can sometimes spoof links and buttons. In some sophisticated phishing emails, a link can look legitimate but then redirect you to a malicious website that asks you for a username/password, financial information, or information that helps a hacker take over an account. Other links may initiate or get you to download malware, ransomware, or a virus.

Unless you are absolutely certain an email comes from a trusted sender, don’t click on links from an email. For example, even if you think an email from your bank is legitimate, be safe by going directly to the bank’s website.


By understanding the different components of a phishing email, you can better spot the signs of a scam. This post should also highlight the importance of cybersecurity training for city employees. Addressing topics like phishing helps city employees stay aware and guarded against cyberattacks—lessening your risk of human error and lowering your liability.

Need help with cybersecurity training? Reach out to us today.

Friday, November 9, 2018
Kevin Howarth, Marketing & Communications
Tuesday, November 6, 2018
Dave Mims, CEO

While cybersecurity can seem like an overwhelming problem, we strongly and consistently encourage cities to start with the initial step of addressing the most important low-hanging fruit risks we call the 3Ps: passwords, patching, and people.

If cities can improve upon these three areas, they can eliminate some of the biggest risks that lead to viruses, ransomware, hacking, and cybersecurity incidents. Being proactive and intentional about these problems will lead to strengthening your overall cybersecurity and decreasing your liability.

Let’s look at the 3Ps in more detail.

1. Passwords

Too many cities still use default passwords, obvious passwords (such as a child’s name, pet’s name, college mascot, birthdate, etc.), or weak passwords (like “123456”). Half of all security breaches involve stolen or easily guessable passwords. The weaker or looser the security around a password (such as people writing their passwords on paper notes around their desk), the easier it is for hackers to break into your systems and steal information. Hackers use automated software to look for holes in your systems. That automated software attempts common and weak password combinations that are easy to crack.

To protect yourself:

  • Do not write passwords down and leave them visible.
  • Use a password on all devices.
  • Do not use simple or obvious passwords. We strongly recommend using passphrases.
  • Do not save passwords to websites and applications.
  • Change passwords regularly.
  • Do not use the same password for all systems you access.
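The three categories named above (default or weak passwords, obvious personal details, and anything far shorter than a passphrase) can be screened when a password is set. This is an added example, not code from this blog; the deny-list, the minimum length, and the function names are assumptions chosen for illustration.

```python
import re
from datetime import date

# Illustrative deny-list of default and common passwords (assumption: a real
# deployment would load a much larger list).
COMMON = {"123456", "password", "qwerty", "admin", "letmein", "welcome", "changeme"}
MIN_LENGTH = 12  # assumed policy value, not a figure from the post
LEET = str.maketrans("0134@5$7", "oieaasst")  # undo common character swaps


def date_forms(d):
    """Digit strings people commonly derive from a birthdate."""
    formats = ("%Y", "%m%d", "%m%d%y", "%m%d%Y", "%d%m%Y", "%Y%m%d")
    return {d.strftime(f) for f in formats}


def screen_password(pw, names=(), birthdates=()):
    """Return the list of reasons a candidate password should be rejected."""
    lowered = pw.lower()
    unswapped = lowered.translate(LEET)
    # Drop trailing digits/symbols first so "P@ssw0rd1!" still reduces to "password".
    stem = re.sub(r"[\d\W_]+$", "", lowered).translate(LEET)
    reasons = []
    if lowered in COMMON or stem in COMMON:
        reasons.append("default_or_common")
    # Names of children, pets, mascots; very short tokens cause false matches.
    tokens = [n.lower() for n in names if len(n) >= 3]
    if any(t in lowered or t in unswapped for t in tokens):
        reasons.append("contains_personal_name")
    digits = re.sub(r"\D", "", pw)
    if any(form in digits for d in birthdates for form in date_forms(d)):
        reasons.append("contains_birthdate")
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    return reasons


if __name__ == "__main__":
    # Constructed candidates for one hypothetical employee.
    names, births = ("Rex", "Bulldogs"), [date(1984, 7, 4)]
    for candidate in ("123456", "P@ssw0rd1!", "Bulld0gs-forever",
                      "Summer07041984", "river kettle orbit plaza"):
        print(repr(candidate), screen_password(candidate, names, births))
```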

Two Factor Authentication (2FA) is also becoming easier to use and vastly decreases the risk of a hacker using a password to break into your systems. With 2FA, your employees may enter their email login information and then receive a notification through an app on their phone that they use to complete the sign-in process. Even if a hacker somehow obtains an employee’s username and password, the information is worthless because they are required to validate the authorization through an app on the employee’s phone—which obviously they cannot access.

2. Patching

So many data breaches and cybersecurity incidents—including major stories that dominated headlines over the past two years such as Atlanta, Equifax, Petya, and WannaCry—are rooted in a simple failure to patch software security vulnerabilities. Sadly, government entities (including cities) significantly lag on replacing outdated software, patching current software, and implementing endpoint defense that makes sure devices connected to the network follow a compliant process.

It’s not unusual for us to see cities using software that is 8-10 years old—or even older. That’s an eternity in technology time—so much so that software vendors often stop supporting those systems. If you keep using older software, then security vulnerabilities are not getting patched and that software becomes more of a major vulnerability for your city. By not regularly applying patches, whether your software is older or newer, you are choosing to leave security holes open for hackers to exploit.

In a previous post, we discussed a few important points about patching:

  • Patch management is an essential element of cyber protection. Just do it. Fears such as “I’ll break my software” mean you need to modernize your software or you’re making excuses.
  • You need IT professionals overseeing patch management and following rigorous procedures. There are too many risks when you let non-technical city employees apply patches themselves.
  • Non-technical employees aren’t able to test patches before applying them. IT professionals test patches to monitor possible issues and ensure they will work before full-scale deployment.
  • Patches need to be applied to all your machines regardless of their location. That includes the devices of remote employees using your city-owned hardware and software.

3. People

A recent survey shows that 64 percent of working adults either did not know the definition of ransomware or defined it incorrectly. In addition, 32 percent of working adults could not define malware or misunderstood it.

Now, ask yourself, even if you have the best information security at your city:

  • Who is likely to receive an email with ransomware?
  • Who is likely to click on a malicious website link?
  • Who is likely to open a malicious file attachment?
  • How is ransomware most likely going to enter your city network?

The answer? People. It’s possible that you, your staff, or some other user on your network will make a mistake that leads to a cybersecurity incident.

And what’s the answer to combatting this weakness? Training.

Today, training employees about cybersecurity is more important than ever. Hackers use techniques that trick employees into handing over access to your systems—and criminals know that people can be the weakest link in your security. Those who need ongoing regular training include your mayor, elected officials, the city manager, the city clerk, and department heads, along with all other employees.

We’ve created a blog post titled “How to Create Effective Cybersecurity Training for Cities” that outlines what you need to cover in your cybersecurity training and how to get started.


Remember it takes just…

  • One unprotected or unmanaged computer for a cybercriminal to exploit.
  • One unsuspecting employee for the cybercriminal to trick.
  • One critical best practice to overlook (such as regularly patching your software) for a cybercriminal to steal your data.

If you need help with the 3Ps, reach out to us today.

Friday, November 2, 2018
Kevin Howarth, Marketing & Communications