We put the IT in city®

CitySmart Blog

Tuesday, October 16, 2018
Eric Johansson, Network Infrastructure Consultant

Cities and towns—even the smallest municipalities—not addressing fundamental problems with information technology and cybersecurity are not simply risking a virus that could wipe out data. They risk serious legal, financial, and operational penalties. As stewards of private, sensitive, and confidential information, cities must take information technology seriously.

The impacts of IT and cybersecurity underspending, obsolete systems, and poorly trained staff can hurt cities from a variety of angles.

1. The high costs of a cybersecurity incident.

When cities experience a cybersecurity incident without proactive IT support and cybersecurity best practices implemented, the costs in the aftermath of that incident will rise quickly from:

  • The time needed to notify authorities and regulatory agencies.
  • Hiring emergency IT consultants to address the incident.
  • Notifying citizens about the incident and providing them financial reparations (such as free identity theft monitoring services).
  • Paying lawyers lots of money to deal with legal issues related to the incident.
  • Many hours spent by city staff in crisis mode addressing the incident.

Even after addressing the incident, the repercussions may continue to be costly. Lawsuits, fines, and a damaged reputation in the eyes of citizens and businesses will haunt your city for months and years.

2. Losing access to national and state databases (such as crime databases).

When your city appears unable to handle sensitive and confidential data, you may lose access to it. Just consider the example of the Riverside Police Department in Ohio. According to the Dayton Daily News (via GovTech):

“Riverside Police Department’s access to Ohio’s statewide system of law enforcement databases is suspended following multiple ransomware attacks on the city’s computers earlier this year, the Dayton Daily News has learned. The department lost access to the Ohio Law Enforcement Gateway on May 14 in order to shield the system from damage and protect confidential information from exposure, a spokeswoman for Ohio Attorney General Mike DeWine said. Frank Robinson, the Riverside police chief, said the department is largely unable to access ‘anything that has to do with old reports or old cases’ in Riverside. He said it is possible that some of the inaccessible reports are for still-open cases.”

Imagine if your police department was unable to access state or national crime databases. Today, so much information access and sharing requires interdependence—and with interdependence comes responsibility. Do you think a friend would feel comfortable leaving valuables at your house if you never locked it? The same logic applies here. Cities need to implement basic cybersecurity best practices or risk losing access to important information from government agencies.

3. Paying higher cyber insurance premiums.

Some cities think that cyber insurance will help take care of the high costs of a cybersecurity incident. However, cities will pay much higher premiums for what’s already costly insurance if they don’t address some of the following issues:

  • Keeping software modernized, upgraded, and patched
  • Creating a strong password policy
  • Protecting wi-fi access points
  • Using enterprise-class antivirus software managed and maintained by IT professionals
  • Using modernized, professionally supported hardware
  • Conducting ongoing employee training about cyber threats
  • Establishing clear data access and authorization policies
  • Establishing a data backup and disaster recovery plan

By taking more proactive steps, cities both lower cyber insurance premiums and reduce the risk of having a cybersecurity incident at all.

4. Cybersecurity continuing to affect municipal borrowing.

Last year, we reported on a trend with credit-rating agencies such as Standard & Poor's (S&P) and Moody’s taking municipal cybersecurity into account when considering borrowing rates for cities. In April 2018, PNC published a report that stated:

“We are seeing that the rating agencies are starting to ask issuers cyber-security-related questions. We also are seeing a limited amount of disclosure, usually after an attack occurs. To date we are not aware of any municipal bond participants that have been downgraded solely as a result of a cyberattack. However, we do think state and local governments will need to take these very seriously in the future and prepare technological and procedural solutions mitigating the threat that exists from cyberattacks.”

The report references cyberattacks at the City of Atlanta, the City of Baltimore, the Colorado Department of Transportation, Davidson County (NC), Mecklenburg County (NC), the City of Dallas, and the City of Lansing (MI) as important examples of why borrowers must take municipal cybersecurity into account. If cities want to borrow money at lower interest rates, they need to proactively address cybersecurity.

5. Arkansas cities can lose their charters if they do not maintain specific cybersecurity standards.

In one state, not following cybersecurity standards can lead to the loss of a city’s charter. As we reported last year after the passage of SB 138:

“The bill states that an Arkansas municipal charter can get revoked (yes, revoked!) if the Legislative Joint Auditing Committee finds two incidents of non-compliance with accounting procedures in a three-year period. Revoking a charter is serious, rare, and extreme. That’s pretty much the end of your municipality. The Arkansas Legislative Audit (ALA) includes both general controls and application controls around information systems. For municipalities, accounting systems are often the most important information system they oversee.”

In another post, we talked about three important points related to this new law:

  1. Arkansas cities can now lose their charter from non-compliance with IT-related accounting practices.
  2. While the law applies to application controls, it’s wise to follow all IT best practices recommended by the Arkansas Legislative Audit.
  3. Other states should see Arkansas as a sign of what’s to come—and prepare.

See a pattern? Today, proactive IT maintenance and support goes far beyond just making sure your hardware, software, and systems are running smoothly. Lack of proper “cyber hygiene” can impact the way you protect information, comply with the law, and stay financially sound as a city.

Are your cybersecurity measures up to the task of protecting your city? If not, reach out to us today.

Friday, October 12, 2018
Kevin Howarth, Marketing & Communications
Wednesday, October 10, 2018
Mario Solivan, Network Infrastructure Consultant

Unpatched computers, servers, and devices are one of the top three reasons for cyber breaches. (The other two reasons are poor passwords and untrained people). This type of breach isn’t caused by some unknown reason. It stems from a known issue. A patch (or fix) already exists, and the breach occurs because the patch hasn’t been applied.

According to Gartner, “Zero-day vulnerabilities made up only approximately 0.4 percent of vulnerabilities during the past decade.” A “zero-day vulnerability” is a technical term for a security vulnerability that no one knows about until the first day (“zero day”) it happens. Gartner is pointing out that 99.6 percent of security vulnerabilities over the last 10 years are from known (and preventable) issues.

So, why is patching a problem? Let’s look at some of the reasons why cities and organizations resist patching.

1. Fear of breaking old, obsolete hardware and software.

Lack of patching sometimes indicates a deeper root cause: lack of technology modernization. Many cities cling to old, obsolete hardware and software out of habit, familiarity, inertia, or a fear that switching to new technology will be costly and disruptive. Yet, that old technology becomes more of a liability as time goes on. Five years can sometimes be too long to use technology, and yet it’s not uncommon to see cities using hardware and software that’s 10 or more years old.

When technology ages, vendors stop supporting it—including delivering security patches. That means the older your hardware and software, the less secure it becomes. And even when vendors still deliver extended support patches, some cities don’t apply those patches fearing they will break their already shaky technology. If you’re afraid to patch because you fear breaking hardware and software, then you absolutely need to modernize.

2. Interruptions to employee work.

In the classic business book, The 7 Habits of Highly Effective People, Stephen Covey talks about “sharpening the saw.” To illustrate the point, he describes a person trying to cut down a tree with a dull saw. When the person is asked why they don’t sharpen the saw, they say there is no time because they must cut down the tree.

Patching is the “sharpening the saw” of your technology. Not patching because you fear interrupting employee work dulls your technology so that employees will become unproductive anyway through slow applications, frozen computers, and even viruses. Proactive planning can alleviate some of your fears about interrupting employee work (such as patching outside of normal business hours).

3. Manually applied patches take up valuable time.

This is a valid issue: many organizations struggle with the amount of time that manual patching takes. The larger an organization, the worse this problem becomes. If this is a problem for your city, then you might want to see if one or more of the following situations applies:

  • You’re understaffed. If you have one overworked IT person trying to put out fires every day, then patching will be difficult to fit into their schedule.
  • You’re not taking advantage of automated tools. Certain aspects of patch management can be automated by tools that may help you tackle critical vulnerabilities or apply patches that have a low risk of disrupting your operations.
  • You’re not hiring experienced IT engineers who can implement efficient processes for applying patches. Many times, cities simply have no process for patching. They do it when they get to it, and they may handle the process differently each time. Experienced IT engineers will have processes in place to make patching repeatable, as seamless as possible, and as automated as possible while still maintaining oversight.

4. Too many patches.

The total volume of patches can be a challenge even for experienced IT engineers. When there are too many patches needed for a variety of applications, it’s easy to get overwhelmed and somewhat give up when this river of patches seems to flood you no matter what you do.

If this is a problem, then you may need help prioritizing patches. Setting up a process that ensures the most critical security vulnerabilities are patched first, your most critical applications are addressed before noncritical applications, and less critical patches are tackled later may help you deal with patch volume.

5. City leadership not understanding the importance of patching.

Do your city manager and elected officials receive reports about finances?

How about departmental reports?

How about cybersecurity reports?

You probably answered “yes” to the first two questions but more likely answered “no” to the third. After all, cybersecurity is for the IT people, right?

Wrong. Reporting on cybersecurity doesn’t mean boring city leadership with technical details. But it does mean letting them know about risk, liability, and threats that may seriously impact city operations. Your department heads and IT staff may be fully aware of the need for patching, but if city leadership has no visibility into it and doesn’t know why it’s important, then they won’t prioritize it. Instead, they will focus more on saving money and getting big projects done fast without prioritizing patching and security at all—until a cybersecurity incident happens. At that point, it’s too late.


While patching can challenge cities, they can more aggressively stay on top of this important activity by:

  • Hiring experienced IT engineers who understand the patch management process.
  • Building a proactive patching plan that alleviates operational hassles such as employee interruptions and manual staff time.
  • Modernizing technology so that patching is easier and reduces the risk of “breaking” any applications.

Need help assessing the state of your security patching? Reach out to us today.

Friday, October 5, 2018
Kevin Howarth, Marketing & Communications
Wednesday, October 3, 2018
Jasmine Williams, Network Infrastructure Consultant

During the past few months at various events and conferences in multiple states, we have seen cities taking ransomware seriously. But a consistent theme we encounter as we talk to cities is an inconsistent, noncomprehensive approach. Some cities respond, “We have antivirus.” Others respond, “We back up our data.” Let’s look at the silo approach of “Our data backup solves our ransomware problem. If we get hit with ransomware, we’ll just restore our data.”

Not quite.

Data backup and disaster recovery is so crucial as part of a strategy against ransomware and viruses that we’ve even devoted a blog post solely to this topic. However, that focus on such an important part of a ransomware strategy may make cities think it’s the only answer.

Here’s why data backup and disaster recovery, by itself, is not the full answer to your ransomware worries.

1. Disruption to your operations

Just because you can restore your data doesn’t mean that ransomware won’t disrupt your operations. After the initial shock and halt to your operations, it takes some time to restore data. It’s a complex process, and all your backed-up data may not be immediately available after recovery.

What happens in the meantime? Disruption. Employees who cannot do their job for days (and possibly even weeks). Citizens not served by your city—not able to make payments, get business licenses, or find information. Ripple effects that can last weeks or months.

To prevent disruption, you need strategies and tools that include:

  • Enterprise-level antivirus software: Antivirus software, kept up to date, can prevent many ransomware viruses from ever entering your systems.
  • Software patches: Patches shore up security vulnerabilities, which ransomware creators often exploit.
  • Antispam software: According to Trend Micro, “The email gateway continues to be ransomware’s top infection vector.” Antispam software (built into a business-class email system) can help stop a lot of ransomware emails from ever reaching an employee’s inbox.

2. Data security

Backing up and restoring data does not necessarily mean you are taking data security seriously. When ransomware hits, criminals have accessed your data, encrypted your data through their virus, and potentially stolen your data by uploading a copy over the internet. This means you’ve opened yourself up to a security incident.

The biggest issue that some cities ignore is security around data access. Some best practices include:

  • Password policies: The easier it is to guess your password, the easier it is for a data incident to occur. Criminals can more easily access your systems if passwords are shared or easy to guess.
  • Authorization policies: Do you have a process for authorizing employees and third-party users to access your software and systems? Experienced IT engineers need to manage user access and accounts—and then employees need to adhere to strict policies around who gets access.
  • IT systems best practices: Many times, city staff or local IT vendors set up systems with holes. Firewalls, routers, and servers are like an abandoned house with doors and windows open everywhere. Hackers easily get inside when your systems are unsecured and misconfigured.

Just because you can restore an abandoned house to its previous condition doesn’t mean you should be living in an abandoned house!

3. Compliance

Federal, state, and local laws, policies, and ordinances require that you protect and secure specific information such as:

  • Tax information
  • Public safety information
  • Payment information
  • Personnel information
  • Open records and FOIA requests

Simply backing up but not securing this information doesn’t put you in compliance with the law.

4. Liability

Data backup alone will not reduce your liability. A successful cyberattack may lead to paying expensive claims. Plus, insurance companies will penalize you by raising your premiums if your risk of a cyberattack is high—whether through past cyberattacks or the current state of your IT. Even municipal bond ratings are at risk if your cybersecurity is poor.

Safeguarding against cyberattacks requires a proactive, not a reactive, security mindset.

5. Accountability

Cities may still think of cybersecurity as solely an IT problem. In the past, viruses and malware may have affected servers and computers that were not crucial to a city’s operations.

Today, cybersecurity is everyone’s responsibility as city operations significantly (and moving toward completely) rely on information technology. Only with leadership and employees fully involved in carrying out cybersecurity policies will a city become better protected.

  • Leadership needs to take the lead on creating cybersecurity policies, ensuring funding exists to modernize and secure IT systems, proactively focusing on preventative security measures, and including ongoing cybersecurity training as part of an employee’s job.
  • Employees need training that gives them awareness because many times they are the ones who let viruses and ransomware in the door—despite the best IT precautions. Training needs to cover updates about cyber threats like ransomware, hacker tactics (like phishing), cyber hygiene (like not clicking on dangerous email links or websites), social media policy reviews, and reinforcing policies about authorized access to information.

Protecting yourself against ransomware must go far beyond simply acquiring a good data backup and disaster recovery solution. Letting hackers into your systems, disrupting your operations, and only placing the responsibility of information security onto your IT staff or vendor means placing yourself at risk—including financial, legal, and operational risk.

Data backup and disaster recovery is a crucial tool to help you fight ransomware. But it’s only part of the picture. Sadly, the bad guys are winning as cybercrime is now a $1.5 trillion (yes, with a “T”) criminal industry.

Need guidance on how to combat ransomware? Reach out to us today.

Friday, September 28, 2018
Kevin Howarth, Marketing & Communications
Wednesday, September 26, 2018
Dave Mims, CEO

Last month, I delivered training to municipal clerks attending the 2018 Kentucky Master Municipal Clerks Academy that was focused on policies, procedures, and practices around personally identifiable information (PII) as defined by the Kentucky Department for Local Government (DLG). However, beyond simply pointing out how to follow the law, I also covered the cybersecurity risks every municipality faces – and these municipal clerks were eager to learn more.

That’s because the threat of cyberattacks increasingly puts towns and cities at risk. Hackers specifically target local governments, and so it’s important for cities to understand the warning signs of cyberattacks, use self-assessments to see if you are at risk, and learn what a city can do to best prepare against the thousands of cyberattacks hitting cities every week. I encourage you to check out my Cybersecurity- Keeping City Hall Safe presentation to learn more.

Not acting on your cybersecurity vulnerabilities is just too risky today. As you assess, you may discover and reveal deeper problems with the quality of your municipal IT support. Many towns and cities try to save money using fast and cheap IT support, but it ends up costing you more in the long run. Check out our featured article below to learn more about the risks of taking these kinds of IT support shortcuts.

In customer news, take a look at the following new websites:

Plus, every Friday on our blog, Facebook, and Twitter feeds, we showcase the website of a city we serve with the trending hashtag #WebsiteFriday.

We’d also like to welcome Austell, GA; Berlin, GA; Vincent, AL; and Homer, GA to the Sophicity family.

As always, don't hesitate to reach out to me if you have something to share with our local government community.

Blessings,

Dave Mims


Fast and Cheap IT Support Puts Your City at Risk

Someone responsible for IT support can miss a lot of details about security incidents if they are not incentivized to be curious. Rather, they may be incentivized to close a ticket as fast as possible, leading to hasty diagnoses of incidents that overlook wider, deeper, or more holistic analyses of a problem.

When we start working with cities, it is common that we uncover bad habits that have made those cities less secure overall. Untrained staff, or even previous IT engineers and vendors working too fast to solve issues, often reveal that cities are trying to take shortcuts in three ways.

  1. Underspending on information technology and helpdesk support.
  2. Thinking as-needed IT support is a wise cost-cutting measure.
  3. Using underqualified IT resources.

Read more about these shortcuts and how they can negatively impact your city.



Recent Media

Why Your City’s Wi-Fi Access May Be Vulnerable to Hackers

“Oops!” May No Longer Work as an Excuse for City Employees Making Cybersecurity Mistakes

Cybercrime Now at $1.5 Trillion Each Year, And Why That Should Concern Cities


Events

We hope to see you at these upcoming events including:

GCCMA 2018 Fall Conference
October 17-19, 2018
Athens, Georgia

GMA District Policy Forums
September-October
Various Georgia cities

GMA Fall Training Event
September 26, 2018
Young Harris, Georgia

GMA Workshop Series: Managing Rights of Way in the Wireless Age
September-October
Various Georgia cities


Apply GMA's Safety and Liability Management Grant Toward 25% of IT in a Box’s Cost

If you are a member of the Georgia Municipal Association’s (GMA) property and liability fund (GIRMA), then you are eligible to receive a grant from GMA’s Safety and Liability Management Grant Program to reimburse your city for up to 25% of the annual IT in a Box subscription fee.

Read about the City of Pembroke, Georgia receiving a GMA liability grant for IT in a Box.

Friday, September 21, 2018
Kevin Howarth, Marketing & Communications
Friday, September 14, 2018
Kevin Howarth, Marketing & Communications
Tuesday, September 11, 2018
Nathan Eisner, COO

As if the City of Atlanta’s cybersecurity issues couldn’t get any worse, a recent Help Net Security article reported that the city’s Wi-Fi was under attack by hackers using phishing techniques. The article notes several techniques that hackers use to attack Wi-Fi access points:

  • Evil twin: A hacker sets up a fake access point that might share the same name as your legitimate city Wi-Fi. Users log in, reveal sensitive information (like a username and password), and hackers can now snoop on your network.
  • Captive portals: After you log into a Wi-Fi network but before you get access, you might see a webpage that pops up asking you to connect, for a password, or for further authentication before you can actually access the internet. A hacker can use a fake captive portal to intercept a user and steal sensitive information.
  • Man-in-the-middle attack: A hacker inserts himself in the middle between you and the other person (or system) with whom you are communicating by using an ARP spoofing attack (which is too technical to dive into here). The hacker is then able to eavesdrop and possibly alter the communication.

Your city stores confidential, sensitive, and personal information that is valuable to hackers. And Wi-Fi can be one of your weakest links in your security chain.

Let’s look at why.

1. Cities tend to use unsecured or poorly secured Wi-Fi devices.

It’s tempting to set up a wireless device like you would at home. Go to a retail store, set it up yourself, and you’re wireless! Unfortunately, there’s a good chance that a non-technical employee setting up a consumer-grade wireless device may not know how to secure it properly.

Even in situations when an IT employee or vendor sets up Wi-Fi access, they may attempt to secure it but do so poorly through not setting up a strong enough password, configuring the security settings improperly, or leaving the Wi-Fi devices in a public space without any physical security.

2. Lack of Wi-Fi security gives an opening for criminals to access your network.

When passwords, encryption, software patching, security protocols, and physical security are all weak or non-existent, you create open doors and windows through which a hacker can gain internal access to your network. For example, hackers will “sniff out” Wi-Fi access points to look for ones that don’t prompt them for any password. Gold! Or, they look for Wi-Fi access points with weak encryption so that they can read all the information sent and accessed by your wireless users.

Think of your Wi-Fi access points like doors and windows to a building. You need to lock and protect those doors and windows so that a criminal cannot enter that building.
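As an added example (not from the original post or from Sophicity), the sketch below audits a Wi-Fi site survey against an approved access-point inventory, flagging the open and weakly encrypted access points described above as well as any radio that reuses a city network name, as an evil twin would. The SSIDs, BSSIDs, CSV layout, and the choice of WPA2/WPA3 as acceptable security are assumptions constructed for illustration.

```python
import csv
import io
from collections import namedtuple

Finding = namedtuple("Finding", "bssid ssid issue")

# Security labels treated as acceptable in this example (assumption).
STRONG_SECURITY = {"WPA2", "WPA3"}

# Approved inventory (constructed): radio address (BSSID) -> SSID it may broadcast.
APPROVED_APS = {
    "02:00:00:00:00:01": "CityHall-Staff",
    "02:00:00:00:00:02": "CityHall-Staff",
    "02:00:00:00:00:03": "CityHall-Guest",
}

# Site survey export (constructed sample data, one row per access point heard).
SURVEY_CSV = """ssid,bssid,security,signal_dbm
CityHall-Staff,02:00:00:00:00:01,WPA2,-48
CityHall-Staff,02:00:00:00:00:02,WEP,-60
CityHall-Guest,02:00:00:00:00:03,OPEN,-55
CityHall-Staff,02:00:00:00:00:99,OPEN,-40
CoffeeShop,02:00:00:00:00:50,WPA2,-70
"""


def audit_survey(survey_csv, approved_aps):
    """Return a list of Finding tuples for access points that need attention."""
    approved = {bssid.lower(): ssid for bssid, ssid in approved_aps.items()}
    city_ssids = set(approved.values())
    findings = []

    for row in csv.DictReader(io.StringIO(survey_csv)):
        ssid = row["ssid"].strip()
        bssid = row["bssid"].strip().lower()
        security = row["security"].strip().upper()

        if bssid not in approved:
            # A radio we do not own is broadcasting one of our network names:
            # either an unauthorized device or a possible evil twin.
            if ssid in city_ssids:
                findings.append(Finding(bssid, ssid, "unapproved-radio-using-city-ssid"))
            continue  # unrelated neighbouring networks are ignored

        # From here on the radio is one of ours, so check how it is configured.
        if approved[bssid] != ssid:
            findings.append(Finding(bssid, ssid, "approved-radio-wrong-ssid"))
        if security == "OPEN":
            findings.append(Finding(bssid, ssid, "no-encryption"))
        elif security not in STRONG_SECURITY:
            findings.append(Finding(bssid, ssid, "weak-encryption"))

    return findings


if __name__ == "__main__":
    for finding in audit_survey(SURVEY_CSV, APPROVED_APS):
        print(f"{finding.issue:35} {finding.ssid:15} {finding.bssid}")
```

A BSSID can be copied, so the inventory check only catches radios that reuse the name without cloning the address; it complements, rather than replaces, ongoing monitoring.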

3. Securing your Wi-Fi access points doesn’t mean using the default password.

A non-technical employee may not think twice about using the default password identified in the Wi-Fi setup when unpackaging the device. After all, it must be a unique password that only you know. Right?

Check out this list of Cisco default passwords. So…no.

Lifewire points out in an article that “The default usernames and passwords for popular models of wireless network gear are well-known to hackers and often posted on the internet. [...] If the default password isn't changed, any attacker or even a curious individual who comes within signal range of an unsecured device can log into it. Once inside, they can change the password to whatever they choose, locking the owner out of the device and effectively hijacking the network.”

4. Wi-Fi configuration is complex and needs someone with technical expertise to set up and monitor.

It is all too common to find Wi-Fi not properly configured and instead left at the default settings. This leaves you open to security risks. Configuration involves technical aspects such as:

  • Security protocols: These affect the level of your Wi-Fi device’s security.
  • Network integration: Connecting your wireless devices to your network involves technical integration such as correlating IP addresses.
  • Adjusting settings for your internet traffic: Configuration settings can affect the speed of your wireless access or leave ports (doorways / paths) open that should be closed.
  • Patching and updates: Like any software, your Wi-Fi device will require patches and updates to eliminate bugs and security vulnerabilities.
  • Monitoring and maintenance: Experienced IT professionals need to monitor and maintain your wireless devices for security issues.

5. No hacker should be able to access your wireless administration.

You might think your wireless devices are safe if IT staff or a local vendor set them up. But we find that many wireless access points are weakly guarded by either no password or a simple password such as “admin.” If a hacker can climb into the administrative functions of your wireless devices, they can wreak havoc on your network—setting their own passwords to block you out, gathering the usernames and passwords of users, and accessing sensitive information.

To learn more about securing your wireless access, read our post that recommends:

  • Securing and locking down all wireless devices.
  • Removing physical wireless access hardware from the public or unauthorized employees.
  • Applying patches and upgrades to wireless devices.
  • Using appropriate wireless hardware and configuring it properly.
  • Monitoring and maintaining your wireless network for security risks.

Securing your wireless access points begins with proper setup, configuration, and deployment by an IT professional. If you’re having issues with or uncertainty about your wireless security, reach out to us today.
