CitySmart Blog

Thursday, March 13, 2014
Dave Mims, CEO

Sophicity is excited to announce that we are now providing IT in a Box to cities through our new municipal league partnership with Arkansas. We officially announced our partnership and answered questions for cities when we participated in the most recent Arkansas Municipal League (AML) Winter Conference on January 31. Arkansas cities were excited to talk about their technology needs, and we look forward to helping those cities with a complete IT solution that’s custom priced affordably for them.

Below, you’ll find the official announcement from AML’s Executive Director, Don Zimmerman.


I am excited to announce that the Arkansas Municipal League is now offering a new service aimed at providing cities with state-of-the-art information technology tools supported by experienced, highly skilled IT professionals. The service is called “IT in a Box” and it’s being offered through a contract with Sophicity. For one monthly all-inclusive fee, a city will receive a website, data backup and offsite data storage, email, document management, Microsoft Office for desktops, server and desktop management, vendor management and helpdesk support seven days a week.

The city of Yellville was the first to join the service in Arkansas! Currently, several cities are speaking with Sophicity and are expected to come aboard very soon. To learn more about the service, please click on the link below to the League website.


For additional information, please contact one of the following individuals:


Chris Hartley at 501-978-6106 or chartley@arml.org

Whitnee Bullerwell at 501-978-6105 or wvb@arml.org


Randy Weaver at 770-670-6940, ext. 115 or randyweaver@sophicity.com

Nathan Eisner at 770-670-6940, ext. 103 or nathaneisner@sophicity.com

Yours truly,

Don Zimmerman

Executive Director, Arkansas Municipal League

Thursday, March 6, 2014
Dave Mims, CEO

One thing that often prevents regular data backups from occurring at cities is simply the inefficiency of it all. Using external hard drives or tape usually means someone is manually backing up data, carrying it to a secure location, and storing it for future use in case of disaster. If you’re using an online data backup program, it could mean managing servers, running memory-hogging backup programs, and spending time ensuring that an entire backup has completed without issues.

If you identify with these struggles, then you may have an opportunity to make your data backup much more efficient. Many advances in data backup technology, especially in the last five years, have made data backup a much more seamless and quick process. The best data backup solutions are so efficient you almost don’t notice them.

So, how do you get there? Here are some tips on evaluating the inefficiency of your current data backup process and considering a more efficient solution.

  1. Do you have unlimited data storage? Storage limits are an annoying constraint that decreases data backup efficiency. If you use physical media such as tapes or external hard drives, they quickly run out of room. That means you always need to buy expensive physical media and you may even have to avoid backing up certain data because you don’t have budget for the storage costs. Even many online data backup programs have storage limitations, mostly from vendors charging an arm and a leg for storage space beyond a certain limit. Since data storage is now so cheap, it’s relatively easy to find options that give you unlimited data storage for a low fee.
  2. Do you back up your data in increments? Incremental data backup greatly increases overall efficiency by not reinventing the wheel every day. Typically, many cities avoid daily data backup because of the length of time it takes to grab every single bit of data. With an incremental data backup solution, you start off by backing up everything. From that point forward, each day (or even each hour) you only back up the small amount of data that has changed or is new. While consumer-grade data backup programs tend to work in this manner, it’s best to have an IT professional handle the configuration of your hourly or daily backups to ensure that you’re not missing any crucial data.
  3. Do you synchronize your data backups across different machines? Especially if people are accessing data from similar locations (like the same server), you don’t want to make a backup copy of that data on each person’s computer or on separate servers. It’s more efficient to centralize data so that it’s backed up once and then synchronized across different servers and computers as needed. Synchronization not only avoids redundant and duplicate data, but it also protects data. If a single person’s laptop gets a virus, the centralized data that everyone accesses won’t be affected by that single incident.
  4. Do you automate your data backup? While you still want an IT professional managing and overseeing your data backup, they don’t need to be manually handling physical media or be responsible for starting each and every data backup. Once the data backup specifications are set and configured, modern data backups run without human intervention. This increases efficiency a great deal and lets you worry about doing your work, not backing up your work. You still want someone overseeing the data backup process in case something goes wrong, but the actual daily backups should just take place automatically each day or each hour like clockwork.
  5. Can you access your data from anywhere? When a disaster happens, it often takes cities a long time to restore data. Loading data from hard drives and tapes onto new servers that take a long time to arrive can slow down the data restoration process. Cloud data backup eliminates this inefficiency by giving you access to your data as soon as possible through the Internet. As long as you have an Internet connection, you will be able to access important files, documents, and software applications. While there still might be some complexity in getting the systems restored to their previous state, at least you’ll be able to access data from any location—which is especially helpful after a disaster when working from home or remote locations.
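The incremental and automated backup described in items 2 and 4, as an added sketch that is not Sophicity's software: the first pass copies everything, later passes copy only new or changed files, and every copy is re-hashed so a bad backup is reported rather than assumed good. The `manifest.json` name, the `data/` layout, and the sample files are assumptions made for this example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical name for the record of the last good run


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(source: Path) -> dict:
    """Map each file's path (relative to source) to its SHA-256 digest."""
    return {
        p.relative_to(source).as_posix(): sha256_of(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> dict:
    """Run one backup pass and report what was copied, deleted, or failed."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest_path = dest / MANIFEST
    previous = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    current = scan(source)

    copied, failed = [], []
    for rel, digest in current.items():
        target = dest / "data" / rel
        if previous.get(rel) == digest and target.exists():
            continue  # unchanged since the last verified run: nothing to copy
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
        # Verify the copy instead of trusting that the write succeeded.
        (copied if sha256_of(target) == digest else failed).append(rel)

    # Files removed at the source stay in the backup; they are only reported.
    deleted = sorted(set(previous) - set(current))
    # Record verified files only, so a failed copy is retried on the next run.
    verified = {rel: d for rel, d in current.items() if rel not in failed}
    manifest_path.write_text(json.dumps(verified, indent=2, sort_keys=True))
    return {"copied": sorted(copied), "deleted_at_source": deleted,
            "failed": sorted(failed)}


def demo() -> list:
    """Three passes over a constructed sample share: full, no-op, incremental."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "city_share", Path(tmp) / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "budget.csv").write_text("dept,amount\npolice,100\n")
        (src / "minutes.txt").write_text("Council minutes (constructed sample)\n")
        first = backup(src, dst)    # initial full backup
        second = backup(src, dst)   # nothing changed, nothing copied
        (src / "minutes.txt").write_text("Council minutes, amended\n")
        (src / "permits.txt").write_text("New permit log\n")
        (src / "finance" / "budget.csv").unlink()
        third = backup(src, dst)    # only the changed and new files are copied
        return [first, second, third]


if __name__ == "__main__":
    for number, report in enumerate(demo(), start=1):
        print(f"run {number}: {report}")
```

This sketch still reads every source file to hash it; it saves copy and storage work, not read time.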

Even though we work with the latest technologies on a day-to-day basis, even we are amazed at how far data backup has come in just a few years. Transitioning from bulky servers and physical media to the Internet, we’ve seen a clear shift to cloud data backup, unlimited data storage, and data restored in minutes or hours—not days or weeks. You might think these kinds of solutions are cost-prohibitive compared to your external hard drives, tapes, or servers, but you may actually be wasting money with your older solution compared to more modern data backup. It’s worth taking this checklist, examining your current data backup situation, and considering some other solutions.

To talk more about data backup, please contact us.

Tuesday, March 4, 2014
Alicia Klemola, Account Manager

Recently, an alarming cybersecurity report from the U.S. Senate highlighted some disturbing security breaches at three major agencies: the Department of Homeland Security, the Nuclear Regulatory Commission, and the IRS.

A few quotes from the report included:

  • Referring to the Department of Homeland Security: "Independent auditors physically inspected offices and found passwords written down on desks, sensitive information left exposed, unlocked laptops, even credit card information."
  • Referring to the Nuclear Regulatory Commission: "The NRC has had trouble keeping track of its laptop computers, including those which access sensitive information about the nuclear sites the commission regulates."
  • Referring to the IRS: "In March 2012, IRS computers had 7,329 “potential vulnerabilities” because critical software patches had not been installed on computer servers which needed them. [...] IRS officials said they expect critical patches to be installed within 72 hours. But TIGTA found it took the IRS 55 days, on average, to get around to installing critical patches."

When hackers are trying to steal government data on a daily basis, these kinds of weaknesses are simply unacceptable. While these agencies get more scrutiny than local government, they highlight the importance of implementing basic cybersecurity protections that are actually quite simple and cost-effective.

Here’s what you can learn from this report to make sure that your city is ahead of the game—and doing a better job than our federal government at protecting its most sensitive information.

  1. Create a strong password policy. Recent studies show that organizations—including the highest levels of government—use extremely weak passwords such as “password” or “123456.” When you have weak passwords, even amateur hackers are able to get into your servers and computers to steal sensitive information. Create a password policy that forces users to use strong passwords with a combination of letters, numbers, and symbols. They should also change their passwords monthly or quarterly.
  2. Install software patches and updates. It’s not uncommon to audit government servers and find important patches and updates have simply not been installed. Waiting a few days or a week is one thing. We’re talking about waiting months or even years to install patches, which means that your IT staff or vendor is simply not responsibly maintaining your equipment. Not installing patches and updates makes you liable for security breaches and indicates negligence on the part of IT staff. This is one of the most basic technology maintenance functions that should always take place.
  3. Use an enterprise antivirus program and keep it up-to-date. Government entities need enterprise-level antivirus software. You can’t rely on individual employees to install and update their own antivirus software. Enterprise antivirus software ensures that IT staff or a vendor is managing, updating, and maintaining it on an ongoing basis. On the off chance that you do get a virus, your IT staff or vendor will professionally handle the situation and work to eliminate the virus with minimal collateral damage. Since new viruses are created every day, you need to stay on top of those threats with professional antivirus software and management.
  4. Cover the physical side of information security. It’s easy to forget “real life” when dealing with bits and bytes, and apparently the federal government forgot real life a lot. The report detailed physical breaches of information security, especially in the Department of Homeland Security. Learn from their mistakes. Sensitive information (such as passwords) should not be written on paper or post-it notes and exposed to people who walk into a room. Printed-out information lying on a desk is just as much of a security risk as information that can be stolen off a computer. And make sure your employees lock their computers with a password so that someone can’t hop on and start snooping around for information.
  5. Perform a hardware inventory and track assets. You should never wonder where a laptop, desktop, or server might be. With modern IT asset management, devices can be commissioned, decommissioned, monitored, and maintained remotely. No device should be “off the grid” in this scenario. However, the situation becomes more complicated when people bring in their own devices. The simplest solution is to assign devices to people and not allow them to use personal devices for work activity. But if you do allow people to use their own computers, create a clear policy that accounts for how sensitive work data is handled. Consider cloud computing options to keep all information secure and off people’s individual computers.
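For the patching step above, an added example (not from the Senate report or from Sophicity) that checks a patch inventory against the 72-hour install window quoted from the report. It counts patches that are still missing by their age today, because averaging only the patches that did get installed hides the worst exposure. Host names, patch labels, and dates are constructed placeholders.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=72)  # install window quoted in the report excerpt above
DAY = timedelta(days=1)

# Constructed sample inventory; host names and patch labels are placeholders.
# Fields: host, patch, date released, date installed (None = not installed yet)
RECORDS = [
    ("srv-finance", "PATCH-A", datetime(2014, 1, 6), datetime(2014, 1, 8)),
    ("srv-court", "PATCH-A", datetime(2014, 1, 6), datetime(2014, 1, 16)),
    ("srv-police", "PATCH-B", datetime(2014, 1, 20), None),
    ("srv-finance", "PATCH-B", datetime(2014, 1, 20), datetime(2014, 1, 22, 12)),
]


def patch_report(records, now, sla=SLA):
    """List patches that broke the install window and compare two averages."""
    installed_days, exposure_days, overdue = [], [], []
    for host, patch, released, installed in records:
        # A missing patch has been exposed from its release until now.
        end = installed if installed is not None else now
        exposed = end - released
        days = exposed / DAY
        exposure_days.append(days)
        if installed is not None:
            installed_days.append(days)
        if exposed > sla:
            status = "installed late" if installed is not None else "still missing"
            overdue.append((host, patch, round(days, 1), status))
    overdue.sort(key=lambda row: row[2], reverse=True)  # longest exposure first

    def mean(values):
        return sum(values) / len(values) if values else None

    return {
        "overdue": overdue,
        # Looks healthy because it ignores patches never installed.
        "mean_days_installed_only": mean(installed_days),
        # Counts missing patches by their age so far.
        "mean_days_exposed": mean(exposure_days),
    }


def demo_report():
    """Evaluate the constructed inventory as of 1 March 2014."""
    return patch_report(RECORDS, now=datetime(2014, 3, 1))


if __name__ == "__main__":
    report = demo_report()
    for row in report["overdue"]:
        print(row)
    print(report["mean_days_installed_only"], report["mean_days_exposed"])
```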

Sadly, many of the federal government’s IT problems are easily preventable. The good news for you is that cities can follow the steps above to create a great foundation for cybersecurity. While there is more work to do beyond what’s listed above, by focusing on policies around passwords, IT maintenance, antivirus, physical security, and devices, you’ll eliminate a lot of easy security holes that hackers can exploit.

To talk about cybersecurity in more detail, please contact us.

Thursday, February 27, 2014
Nathan Eisner, CMO

When cleaning out your house, you’ve probably experienced the shock of realizing you’ve acquired way more stuff than you thought. After staying in one place for a while, it’s tough to go through your attic, garage, shed, basement, or other storage areas to decide what to keep and what to throw out. However, it’s quite a relief when you finally throw out a lot of unneeded things and free up space.

Information technology works similarly. Over time, technology objects pile up and lead to excess servers, desktops, laptops, network equipment, and software. Each city department may accrue excess technology, and that multiplies the extent of the problem. When it comes time to assess your technology, you might be surprised or shocked to find a bunch of useless or redundant equipment and software.

That’s because IT assessment and consolidation is always an ongoing process for any business or organization. From our experiences consolidating many city IT environments, we’ve provided some tips in case you’re about to tackle this kind of initiative. When you’re consolidating, always ask, “What are my city’s business goals? And how is a particular technology investment helping me achieve those goals?”

  1. Shed hardware. Excess hardware is one of the easiest places to start. We find that cities accrue extra servers, desktops, and laptops over time that aren’t needed. Plus, advances in cloud technology mean that you may be able to access many services directly through the Internet – allowing you to eliminate many (if not all) of your servers. Take the time to do a hardware inventory, track down unused or unnecessary equipment, and decommission those pieces of hardware as soon as possible. You can even take advantage of an online auction service to sell this unneeded equipment and collect some extra revenue.
  2. Shed software. Eliminating excess software is much more difficult but worth the effort. Here, you really need to look at your software from a business point of view and challenge its cost and usefulness. If the software is more than 5 years old and you haven’t looked at new options lately, you may want to see if less expensive software exists with more features. If you’re paying for expensive software licenses and hosting servers onsite, then you may want to explore cloud software options that are more cost-effective and easier to upgrade and maintain. Look out for software that you barely use or have stopped using. Those may be wasted costs that you need to eliminate.
  3. Review voice and data services. Often overlooked, voice and data costs often multiply because cities don’t consolidate. Individual departments and buildings buy their own services over the years, and those individual purchases don’t get questioned. Can you consolidate Internet services under one vendor? Is it possible to consolidate multiple landline phone systems under one landline? Or have you considered VoIP instead of a traditional phone system? We’ve guided many cities through voice and data consolidation that saved them thousands of dollars per year. If you haven’t assessed your telecom services in more than three years, then you definitely want to look for consolidation opportunities.
  4. Centralize your technology. Once you figure out what you can eliminate, now it’s time to see what you can centralize. Here, you’re looking for duplicate technology—especially hardware and software—between different departments and buildings. For example, instead of different departments each managing its own network, you should look to consolidate those resources into one network that serves everyone. Otherwise, you are wasting money, increasing security risks, and duplicating work. Similarly, look for departments that might have purchased software individually that really does the same thing for everyone. You might consolidate that software under one vendor.

While assessing your technology can involve a lot of upfront time, the benefits are worth it. Like cleaning your house, you’ll free up space and get rid of unnecessary junk. More importantly, your city stands to reduce costs, gain a lot of efficiency, and simplify your IT management. Once you consolidate, plan to reevaluate your technology assets at least once a year to see if any new or improved hardware and software may help you with further consolidation. IT consolidation is an ongoing process, and you’re always fighting against inertia, time, and technology innovations.

To talk more about IT consolidation, please contact us.

Tuesday, February 25, 2014
John Miller, Senior Consultant

A recent article from Microsoft points out that technology alone cannot improve your IT security. You need informed, participating end users—your city employees. When they are informed about security policies through proper communication and training, the true power of your IT security blossoms.

However, this article overrates the trickle-down effect of communicating security policies to employees. Don’t get us wrong. Establishing security policies is absolutely important and provides a great way to detail all important aspects of a security strategy for your city. But ask an employee about the last time they read or looked at a security policy.

We find that a great way to tie security policy to employees is by illustrating tactical, everyday scenarios that often place a city at risk. Through these everyday scenarios, you can discuss IT security policy in a way that relates to everyone.

  1. Internet Browsing. No matter how many years we’ve surfed the Internet, even the best of us get tricked or misled occasionally into a bad website. Usually, most modern browsers provide warnings that keep us out of the worst sites. But employees can be lured by the ruse of useful software, games, or information that is not what it seems. Employees need to be reminded to use only trusted or well-referenced sites, not to download software or plug-ins without the approval of IT, and to never click on a website link from an unknown source.
  2. Passwords. While IT might implement a password policy that employees are forced to use, it’s still helpful to let employees know about the importance of using strong passwords that change every few months. Recently, news organizations widely reported some research from SplashData, a password management company, that the most common password is “123456.” Hackers become more adept every year at breaking into email accounts, websites, and software applications. Your employees shouldn’t make it easier for these hackers. Strong passwords are long and use a combination of letters, numbers, and symbols.
  3. Social media. With so many social media outlets constantly full of people sharing links and information every day, employees can sometimes be unaware of the dangers inherent in sharing the wrong kind of information. Whether publicly or to a large social group, employees might not know what city information is proprietary, secret, or inappropriate to share. People with ill-intent often use social networks to extract information from employees—and local governments are a prime target.
  4. Email. We’ve put email a bit lower on the list since people have gotten better at understanding spam, while technology helps prevent malicious emails from even getting to the inbox. However, email is still a prime source of security issues. All it takes is one person to give up username and password information, open a malicious file containing a virus, or click on a website link that downloads malware, and your city is compromised. Keep employees informed about the dangers always lurking in their inbox and tell them to only open messages and attachments from people they trust.
  5. Physical security and internal threats. These risks are often overlooked because employees sometimes think IT security threats all come via the Internet. However, leaving a laptop lying around, a computer logged in, or a door open to a server room are all potential breaches of security. Similarly, especially in larger organizations, it’s easy to be tricked by someone who seems like another employee, or to be pressured by an actual employee who lacks authorization into handing over certain kinds of information. No matter how glib or natural someone seems, if an employee feels any doubt about a request for information or security access to a particular area, they should check with their boss or IT staff.

By sharing everyday tangible security examples with employees, you will be able to connect normally abstract security policy to their day-to-day jobs. After all, it’s in these specific scenarios that most security breaches occur. The biggest breach in the last few years (in South Carolina) happened when an employee clicked on an email. Weak passwords have allowed hackers to publicly expose sensitive information. And we hear stories about stolen laptops every so often, with those stolen laptops containing social security numbers and other personally identifiable information. When employees hear these kinds of examples, it’s more visceral—making your security policy more likely to stick in their minds.

To talk about IT security in more detail, please contact us.

Friday, February 21, 2014
Brian Ocfemia, Technical Account Manager

You probably recall times when you’ve had to manage documents through email. Most of the time, you’re trying to figure out who has the document, who already provided feedback, and who hasn’t reviewed or approved it yet. It’s like herding cats, and you expend more effort managing the document workflow than you do actually creating or reviewing the document.

In a document management system, you have the ability to set up workflows that force people to follow a series of tasks. From document creation to review to approval, workflows help you focus on the work—not managing the workflow. While there are some technical aspects to setting up a workflow (and some workflows at large organizations can be extremely complicated), most smaller cities will have relatively simple workflows that help manage document creation.

Here are some tips to help you think about how you create workflows. As you can see, these are mostly business decisions, not technical decisions.

  1. Workflow Design. Each department at a city will have a specific way of handling document workflow, so you need to set up workflow processes based on those particular needs. Workflows will differ if you’re creating public-facing web content, internal documentation, invoices, or customer support tickets. For each document created, what needs to happen? How is the document created? How many reviewers? What happens after it’s approved? Focus on creating generic roles such as document creator, reviewer, or approver that are assigned to people. For example, don’t designate Steve or Melanie as the third step of a workflow. Instead, designate a reviewer role for the third step. That way, if Steve or Melanie leave the city, you know that you’ll need to fill the reviewer role with someone else.
  2. Document Creation. Without workflows, people tend to create documents however they like. Word documents appear in different versions, and the person using Office 2003 can’t open up the Office 2010 file. Someone gives you a PDF to edit, but you can’t edit it with the software on your computer. The document creation step of the workflow ensures that everyone is using the same process. That may include the kind of software used, document templates that make users fill in certain kinds of information, and document naming conventions that make them easy to find later. This step of the workflow helps make documents look consistent and ensures that people can open and edit them.
  3. Document Review. Document review is an important step of the document workflow, and it’s usually a chaotic bottleneck when people don’t have a document management system. Who’s reviewing the document? Did they track their changes? Did everyone get the email? When setting up the review step of your workflow, decide how many reviewers you need, how they will be notified, and how many automatic reminders they will receive. These automated features will help the document management system manage the process, not you. You can also decide to limit feedback loops so that a document isn’t in eternal review. Document versioning and locking editing also help streamline the document review process by avoiding duplicate edits and cross-communication.
  4. Document Approval. Approvals tend to be a common bottleneck without document management systems. While we can’t promise that busy approvers can approve your documents faster, we do know that a good document management workflow means that approvers know when documents are ready. No more, “Can you resend the email?” or doubts about if certain reviewers have looked at it. By the time it gets to the approver, they know everything is ready. While the workflow might become more complex if there are more approvers, the process is still streamlined even for multiple approvers. Document management systems can even help collect digital signatures if needed for approval.
  5. Document storage and archiving. After a document is approved, it’s easy to see the project as over and not care about where the document resides afterward. Document management workflows can help you eliminate this mystery and wrap up the final destination of a document in a nice bow. Once approved, who needs a copy of the document? Where will the document be stored in case someone needs to look at it? Who has permission to look at it or change it later? When will it be archived, or deleted? By addressing these important workflow questions, you will strengthen your document and records management retention processes and make it easier to handle open records requests.

With a strong document management workflow, you increase the morale of city employees and make it much easier for them to do their work. Managing documents through email or document management systems without a clear process increases stress, errors, duplicate work, and frustration. Especially if your city is working toward greater transparency, document management workflow is a small but important step to clarifying how documents are created, reviewed, approved, archived, and deleted.

To talk about document management workflow in more detail, please contact us.

Wednesday, February 19, 2014
Clint Nelms, COO

Back in the 1980s, Judge Wapner used to open up each case on The People’s Court by saying, “I know you've been sworn, and I have read your complaint.” The popular show, still running to this day (unfortunately without Judge Wapner), gave people a surface understanding of the workings of a municipal court—albeit with all of the tedious parts edited out. People often see the legal system as obscure and mysterious, and it helps when an entertaining show shines some light on how it works.

However, when citizens have to actually go to municipal court for whatever reason, the process is often just the opposite. People get confused, worried, and tripped up over what to do, where to show up, and how a certain legal process works. While court can be a hassle, you can make it less of a hassle by providing clear, useful information on your website.

Since people usually don’t voluntarily plan to go to court, they will often come to your website on a mission and probably not in the best mood. What greets them when they’re looking for information? The following tips will help you make this website visit as pleasant as possible for your citizens or those needing to use your court system.

  1. When and where. More than other sections of your website, the when and where of municipal court is the most important information on this page. It should be upfront and absolutely clear when municipal court is in session and where municipal court is located. Otherwise, people will call you and tie up the time of your city staff asking this simple question. Don’t just give a physical address. Provide detailed directions that take difficult-to-find parking, landmarks, and nondescript buildings into account. Getting to court should never be a mystery.
  2. What requires your presence, and what doesn’t. When people are saddled with a parking ticket, accident ticket, or other citation, they might not immediately know if they can pay it without showing up to court. Explain on your municipal court page what can be paid online, what doesn’t require an appearance in court, and what absolutely does require a court appearance. Just because you know this information inside out doesn’t mean you should assume that citizens know.
  3. What lies within your jurisdiction. To many people, a court is a court is a court. They often don’t realize that different courts serve different functions. Your city court, for example, may only deal with violations of city ordinances, enforcement of local laws, and misdemeanors. Different kinds of cases may be served by a county court, and more serious court cases usually take place at the state level. Clarify what falls under your municipal court and help citizens know to work with the county or state courts for other cases.
  4. Easy-to-find contact information. Court produces anxiety, fears, and doubts, which produce lots of questions. No matter how thorough your website, people often like to double-check if they’re doing the right thing when paying a fine or appearing in court. Be ready to answer questions by placing contact information front and center. At a minimum, provide a phone number and an email address. Communicate that you will respond within a specific timeframe, and then do it. This basic information goes a long way toward being helpful to people.
  5. Segmented content based on different needs. Avoid lumping all content on the same page, especially if your court handles different functions. When people visit your website, they will have different processes if they are dealing with a traffic ticket, child support, jury duty, or other court situation. For example, child support information should be clearly called out by heading and section, or even linked to a separate page. Sectioning your content like this helps people find the answers to their specific questions much faster and better meets their needs.

Additionally, when applying the tips above, it’s tempting to provide reams of legal information. After all, it’s a court and it deals with law. While accurate and thorough, legal language is intimidating to most people. You can provide it as extra detailed information, but make sure you don’t bury your most helpful information in legalese. It will only frustrate and confuse people visiting your site.

Municipal courts ultimately reduce all legal situations to simple processes—what to do, where to show up, and how to resolve the issue. Your website is an extension of that simplification and, with the right content, provides a great public service to your citizens. Then, citizens won’t mind getting sworn in, and having their complaint read.

To discuss your municipal court website content in more detail, please contact us.

Thursday, February 13, 2014
Dave Mims, CEO

KLC helps city stabilize data backup and disaster recovery, better respond to open record requests, and delegate all IT support to experienced professionals.

Residing in the beautiful northeastern Kentucky mountains within the Daniel Boone National Forest, Morehead is a city of almost 7,000 people approximately 70 miles east of Lexington. It’s also home to Morehead State University, ranked as a top public school in the south, and Cave Run Lake, an 8,270-acre reservoir that attracts many recreational enthusiasts.

As in many smaller cities throughout the United States, a small dedicated staff oversees many of Morehead’s day-to-day operations. That means everyone, including the mayor, is hands-on in helping citizens. But as information technology becomes more complicated in its variety, requirements, and integration with legal aspects of local government, it can be overwhelming to add its hassles to an already overburdened staff workload.


For many years, the mayor and city staff handled any technology needs and requirements for their city. That meant setting up their own computers and calling software, Internet, telecom, and hardware vendors for support requests. Not surprisingly, this essential work can get overlooked and even shelved when day-to-day tasks take over.

This frantic scramble to keep up with technology was a symptom of deeper problems. Without a dedicated person to focus on technology, the city was also uncertain about the reliability of its data backup, had a compromised ability to respond to e-discovery or open records requests because it used an email service that was difficult to support, and had no website to communicate with citizens.

However, the potential high cost of hiring IT staff and upgrading the city’s technology prevented Morehead from moving forward.


Morehead solved these challenges by using KLC’s “IT in a Box” service. Powered by Sophicity, “IT in a Box” is a complete IT solution for cities and local governments. The service includes a website, online payments, onsite data backup, unlimited offsite storage of backups, email, document management, Microsoft Office for desktops, server, desktop, and mobile management, vendor management and a 7-day-a-week helpdesk.


“IT in a Box” helped Morehead:

  • Launch a high quality, user-friendly website.
  • Mitigate the risk of data loss through onsite and offsite server backups.
  • Ensure a highly available and dependable email system.
  • Support its city staff 24/7 through ongoing monitoring and maintenance of all servers and workstations, coupled with 7 days a week helpdesk support.
  • Mitigate the risk of paper document loss and increase document retrieval ability through a document management system.

Morehead also saved $28,134 (or 60%) of the costs typically spent modernizing a network for a city of its environment and size.

“We now have a level of security unimagined beforehand with constant monitoring and reliable offsite backups. I worry much less with the Sophicity team watching things for the City of Morehead.” – Mayor David Perkins

If you're interested in learning more, contact us about IT in a Box.

Print-friendly version of the Morehead, Kentucky IT in a Box case study.

About Sophicity

Sophicity is an IT services and consulting company providing technology solutions to city governments and municipal leagues. Among the services Sophicity delivers in “IT in a Box” are a website, online payments, onsite data backup, unlimited offsite storage of data backups, email, document management, Microsoft Office for desktops, server, desktop, and mobile management, vendor management and a seven-day-a-week helpdesk. Read more about IT in a Box.

Thursday, February 13, 2014
Alicia Klemola, Account Manager

While larger cities benefit from having procurement offices to spend time researching, selecting, and negotiating with vendors, smaller cities can feel at a disadvantage when procuring items—especially technology products and services. And even procurement directors can have trouble keeping up with the latest hardware, software, and technology solutions.

Despite the overwhelming technical aspects of technology procurement, we’ve found through our experience that there are some basic tips that help cities get the best bang for their buck. Even if you’re not a technical expert, these tips can help you better prepare when you’re ready to invest in technology.

  1. Spend time defining what you need. It’s easy to just think “I need a computer” and go to a retail store to pick one up. Or to think that you know exactly what kind of software you need when you put out an RFP. However, we find that it helps to define what you need from a business point of view before starting to shop for a solution. What business problem do you need solved? What specific capabilities are lacking in your current situation? What capabilities do you need? If you can’t invest in everything you need at once, what are the priorities? Asking these kinds of questions helps you define your business problem and reduce the temptation of an impulse or gut purchase.
  2. Shop around and know the industry. This is where your IT staff or vendor comes in handy. You need someone with extensive knowledge of technology to do some shopping. An IT professional will stick to your requirements, understand when vendors are blowing smoke or distracting you with unnecessary features, and ask technical questions that you may overlook. All of this information will affect the price. Since the B2B technology industry is so competitive, starting prices are often ripe for negotiation. When you shop around, never view a price as final (unless it’s a clear-cut price listed in black and white on a vendor’s website).
  3. Know your government pricing. Government pricing isn’t always apparent on major vendor websites, and especially not when you shop retail. Take advantage of special discounts for local government offered by major hardware, software, and technology vendors. Sometimes it can be tough to navigate vendor websites to find pricing for specific contracts, select the right menu options that apply to your situation, and understand what’s specially priced and what’s not. Make sure your IT or procurement expert is able to figure out the best pricing for your city.
  4. Don’t just settle on lowest price. Technology is not like buying pens. If three pen vendors are in the running and one has the lowest price, you probably don’t risk a whole lot from buying the lower priced pens. With information technology, we’ve seen so many cities over the years treat a handful of complex IT vendors as equal and simply choose the lowest priced vendor. During the RFP or purchasing process, make sure you evaluate each vendor rigorously against your business needs. What exactly are you getting? What is the vendor’s reputation and experience? Will your business needs be solved? Price is a factor in your final decision, but not the only factor.
  5. Look out for indirect costs. Not vetting technology properly leads to many risks such as indirect costs. One common example is a low-priced vendor offering “24/7” support and maintenance. In many cases, that means installing some monitoring software on your computers but billing you at a high rate when a problem actually occurs—leading to an unpredictable annual IT budget. Another example is when a software vendor sells you software on the premise that it’s easy to install. Once you purchase the software, “suddenly” you find that you need to buy another kind of software, or a server, or additional Internet bandwidth, when you thought you were just paying for the software. Indirect costs usually strike when non-IT professionals buy a technology solution and lack experience to detect major red flags or ask the right evaluation questions.

Technology purchases can be quite expensive and complex. That’s why it helps to follow the steps above to make sure you’re vetting each purchase rigorously and appropriately. With many city revenue streams in a precarious state, you want to make sure you’re investing in the right technology responsibly. You don’t want to become so paralyzed with fear that you don’t buy anything, but you need to have the right guidance and expertise on hand to help you step boldly forward in your investments that will help achieve your city’s vision and business goals.

To talk more about technology purchasing, please contact us.

Tuesday, February 11, 2014
Nathan Eisner, CMO

In a December 2013 report titled “Cyber Security: Pay Now or Pay More Later. A Report on Cyber Security in Kentucky,” author Adam Edelen discusses some of the biggest cyber security risks to government—including local government. Coming from the state of Kentucky’s auditor of public accounts, the recommendations are serious and worth a read.

I had the good fortune to be on a panel discussion with Adam back in October 2013 at the Kentucky League of Cities’ annual conference. Together, we talked about the risks of cyber security for cities. While we’ve shared our insights concerning the basics of cyber liability in a past blog post, we want to highlight some important and often overlooked cyber security points that Adam mentioned in his report.

  1. Human-related incidents are the most dangerous cyber security threats. While a natural disaster can be devastating to your data, at least it’s understandable, somewhat predictable, and rare. Contrast that with human beings who attempt to hack your systems every day, internal breaches of security from loose security policy or poor server configuration, and employees downloading malware and falling for phishing scams. Adam points out that the biggest security breach in recent years (at the State of South Carolina) resulted from an employee falling for an email phishing scam. If you don’t have the proper cyber security measures in place, you’re exposing your data to attack every single day from human-related threats.
  2. Improper server configurations leave open gaping security holes. Even if you have antivirus, antimalware, and antispam software, all of those efforts may not mean anything if your servers were set up incorrectly. These problems are often hard to detect because usually your “IT expert” set them up—whether they are an employee or vendor. Unless you get another IT expert to check on that person’s or vendor’s work, shabby configuration can go undetected for years. Adam’s report points out common issues from poor configuration such as open ports—the equivalent of having an unlocked door in your building that people can walk right through.
  3. Organizations often forget “less important” devices and access points. Your city might focus on security for servers, desktops, and laptops. That’s good. But cities and many other organizations often forget that devices such as printers, scanners, or wireless routers also provide potential ways for hackers to gain access to sensitive information. Remember, any machine that connects to your network is a target for exploitation. Your printers and scanners should be locked down with strong passwords just like your servers and computers. And since people do something called “war-driving” (i.e. looking for open wireless access points), you need to make sure your wireless routers are password-protected and all wireless data transmission is encrypted.
  4. Physical security is an overlooked aspect of cyber security. It’s good to focus on all of the technical aspects of cyber security such as encryption, firewalls, and server configuration. But what about the rooms that host your servers, computers, and other equipment? In many cases, anyone could walk into those rooms, access the servers and computers, and harm them either accidentally or maliciously. Only authorized people should have access to equipment that holds your most sensitive information.
  5. Authorized access to information is one of the most referenced points of the Kentucky report. While there were many variations of issues related to authorized and unauthorized access in Adam’s report, the common theme is to make sure that you clearly give the right people access to the right information. In too many cases, people have either inappropriate access to information or even have access to information after they’ve quit or been fired. Adam talks about paying attention to “logical security” which “involves, but is not limited to, restricting access to only authorized users, strong password settings, and appropriate levels of access granted to a user.”
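
The access review described in point 5 can be run as a recurring check. The following is an added example, not code from the report or from Sophicity: it reconciles a constructed HR roster against a constructed account export and a hypothetical role-to-group policy (the column names, usernames, and group names are all assumptions) and flags enabled accounts with no owner, accounts still enabled after a departure, and access beyond what the role allows.

```python
import csv
import io

# Constructed sample data (not from the report or any real city).
HR_ROSTER = """employee_id,name,status,role
1001,A. Clerk,active,clerk
1002,B. Finance,active,finance
1003,C. Former,terminated,finance
"""
ACCOUNTS = """username,employee_id,enabled,groups
aclerk,1001,true,email;utility_billing
bfinance,1002,true,email;payroll;court_records
cformer,1003,true,email;payroll
scanner-svc,,true,file_share
dtemp,1004,false,email
"""
# Hypothetical policy: the groups each role is allowed to hold.
ROLE_GROUPS = {
    "clerk": {"email", "utility_billing"},
    "finance": {"email", "payroll"},
}

def review_access(roster_csv, accounts_csv, role_groups):
    """Return sorted (username, finding) pairs for accounts needing follow-up."""
    staff = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot be used to log in
        user = acct["username"]
        person = staff.get(acct["employee_id"])
        if person is None:
            # Shared or device accounts (printers, scanners) often land here.
            findings.append((user, "no owner on HR roster"))
            continue
        if person["status"] != "active":
            findings.append((user, "enabled after departure"))
            continue
        groups = {g for g in acct["groups"].split(";") if g}
        extra = groups - role_groups.get(person["role"], set())
        for g in sorted(extra):
            findings.append((user, f"excess access: {g}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, ACCOUNTS, ROLE_GROUPS):
        print(f"{user}: {finding}")
```
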

While there are many more issues contained in the report, these are the five most important cyber security points that we feel are overlooked by cities. Sometimes, IT vendors can be accused or suspected of hyping up these same security issues in order to sell products and solutions. So when the state of Kentucky’s auditor of public accounts is discussing these cyber security threats in such detail as part of an official report, it’s an extra signal to take action and address these issues at your city.

The good news is that most of the security breaches that Adam mentions in the report could have been prevented by addressing some of the basic security measures above, along with implementing preventative tactics such as data backup, ongoing IT support, and antivirus software. In the report, Adam says, “When attacks against public sector entities are successful, citizens begin to lose confidence in government’s ability to protect the data it stores.” If you don’t want your citizens to lose confidence in your city, it’s best to address your cyber security risks now—rather than after an embarrassing disaster.

To talk about cyber security in more detail, please contact us.
