We put the IT in city®

CitySmart Blog

Wednesday, September 5, 2018
Patrick Perry, Network Infrastructure Consultant
Patrick Perry

IT security company KnowBe4 published an interesting blog post in June that detailed a court case in North Carolina that should worry cities. The blog post’s author Stu Sjouwerman says:

“According to a recent federal court decision, an employee who is tricked into sharing personal information in response to a phishing email can be seen as committing an intentional disclosure under the North Carolina Identity Theft Protection Act (NCITPA). As a result, the employer could face treble damages for the employee’s mistake, adding a new element to potential exposure for businesses. […] The failure to train employees may quickly become more costly not only for North Carolina employers. This decision will be looked at by other courts who very well might come to the same conclusion that not taking reasonable measures to defend against scams like this merits treble (punitive) damages.”

While this federal court decision seems limited to North Carolina right now, it’s probable it could set a precedent for the rest of the United States. As we’ve seen in recent years, cybersecurity laws and regulations are growing stronger as the repercussions from incidents grow more serious.

Cities should not wait until the law catches up to them. Instead, this court case should serve as a warning bell to make sure employees are aware of cybersecurity best practices and defenses against the tricks of hackers.

Here are a few areas where “oops” may no longer work as an excuse.

1. Falling for phishing scams.

Too many employees are not skeptical and still fall for amateurish phishing emails. As a result, employees are likely to click on a link or attachment that downloads a virus into your systems. Or, they will share confidential financial or personal information that leads to a cybersecurity incident involving lost money or the unauthorized release of confidential information into the public domain.

Amateurish phishing emails can often be spotted by examining the email address, the grammar of the content, and the suspicious action that the sender wants you to take. Employees must become even more skeptical as sophisticated “spear phishing” attacks closely imitate people within a city (such as a city manager) and attempt to get city staff to send money or sensitive information to criminals.

To help city staff guard against these types of cyberattacks, consider periodically testing city staff by sending safe phishing simulations with the intent of identifying who is most susceptible to clicking on phishing emails. After identifying those employees, you can give them extra training.

2. Falling for phone phishing.

While seemingly unrelated to cybersecurity, phone phishing is just as dangerous as email phishing. Because many employees sincerely want to help, hackers often attempt to acquire usernames, passwords, and other online credentials over the phone and then use that information to hack an account online. Really good phone phishers can sound very personable like a new employee or a long-time vendor asking for authorized access to information.

Again, employees need to be skeptical and, more importantly, rigorously follow policies and procedures. Even if their favorite co-worker asks for a password or sensitive information over the phone, an employee should not break the rules but instead follow protocol.

As we’ve said in a previous post, “A legitimate IT person or customer support representative does not need your account username and/or password to perform their task. Period. In addition, employees need to follow a process for setting up new vendors—especially when giving vendors access to systems or authorizing payments to them.”

3. Poorly securing and managing passwords.

If you think about passwords like a key, the entire way of thinking about passwords changes. Imagine if an employee:

  • Left City Hall keys lying on their desks at all times.
  • Gave City Hall keys to co-workers if they suddenly needed access to a room.
  • Gave a City Hall key to a vendor representative who didn’t follow your policies and procedures but sounded very convincing and personable.

Obviously, these employees may get fired for such negligence. Yet, cities often don’t think about passwords the same way.

Hackers and criminals take advantage of lax password security—from passwords written on sticky notes in plain sight on an employee’s computer to employees sharing passwords without a second thought—to break into a city’s systems. Having weak passwords (like “123456,” “password,” or “admin”) also makes a hacker’s job easy.

A city needs to enforce password policies that require employees to use passphrases or complex passwords, keep passwords secured like money or keys, and not share passwords with people without authorization or following strict procedures.

Employee training needs to become just as much a part of your IT strategy as maintaining your servers and computers. Otherwise, you’re increasing the risks of employees making errors that the law may punish more severely in the future. And training needs to include your mayor, elected officials, city manager, city clerk, and department heads—along with all other employees.

Are your employees ready to fend off cyberattacks and phishing attempts? If you’re in doubt, reach out to us today.

Friday, August 31, 2018
Dave Mims, CEO
Friday, August 24, 2018
Kevin Howarth, Marketing & Communications
Thursday, August 23, 2018
Dave Mims, CEO
Dave Mims

Today, I delivered training to municipal clerks attending the 2018 Kentucky Master Municipal Clerks Academy. This training focused on cybersecurity as well as policies, procedures, and practices around personally identifiable information (PII) as defined by the Kentucky Department for Local Government (DLG).

My presentation covered the cybersecurity risks every city faces. I discussed the contributing factors that lead to cyberattacks, the warning signs that cities can use to assess if they are at risk, the top three cybersecurity risks affecting all cities, and what a city can do to best prepare against the thousands of cyberattacks hitting cities every week.

According to Kentucky law, “Non-digital media containing personal information shall be physically controlled and securely stored in a manner meant to ensure that the media cannot be accessed by unauthorized individuals. [...] If personal information is stored in an electronic format, it shall be protected from access by unauthorized individuals. Such information must be protected by software that prevents unauthorized access. If personal information is transmitted via e-mail or other electronic means, it must be sent using appropriate encryption mechanisms.”

Because of these legal requirements, I specifically addressed Security and Incident Investigation Procedures and Practices for Local Government developed by the Kentucky DLG and detailed some ways to minimize the risk to personal information.

To find out more about how municipal clerks can lessen risks around cybersecurity and PII, check out my entire presentation here.

Questions about your ability to fend off cyberthreats and protect PII? Reach out to us today.

Wednesday, August 22, 2018
Jessica Zubizarreta, Network Infrastructure Consultant
Jessica Zubizarreta

The National Security Agency (NSA), charged with defending the security of the United States, oversees many cybersecurity efforts ranging from cyberespionage to cyber incident response. At the cutting edge of protecting our country in cyberspace, the NSA on its website says the following as part of its guidance to businesses:

"Cybersecurity metrics based on how fast an incident ticket is closed can be misleading. Responders may focus on closing the alert, as opposed to seeking a holistic understanding of the threat activity. Incident responders should be challenged to anticipate reactions that would be used against newly implemented countermeasures, as a persistent adversary may continue to probe for entry points into a network of interest. SOCs [Security Operations Centers] should always strive to preemptively defensive actions and infuse an innovative mentality amongst their teams in pursuit of new adversary tradecraft."

While a bit technical, this statement basically suggests that someone responsible for IT support can miss a lot of details about security incidents if they are not incentivized to be curious. Rather, they may be incentivized to close a ticket as fast as possible, leading to hasty diagnoses of incidents that overlook wider, deeper, or more holistic analyses of a problem.

When we start working with cities, it is common that we uncover bad habits that have made those cities less secure overall. Untrained staff or even previous IT engineers and vendors working too fast to solve issues often reveals that cities are trying to take shortcuts in three ways.

1. Underspending on information technology and helpdesk support.

Yes, responding quickly to an issue is desired and needed. But when the person(s) responsible for IT focuses on speed to close the ticket versus understanding the issue, there is a risk that the issue hasn’t been truly resolved. Without adequate time spent showing curiosity or looking deeper for a root cause, it’s likely the person is overwhelmed—increasing the risk of unresolved issues. Too few people handling too many incidents. A clear sign of IT underspending.

We see this underspending at many cities when one person stays crazily busy as the only person handling all IT incidents along with handling their other job responsibilities. Assigning IT support to someone seen as the “computer power user” at City Hall and the Police Department might seem cost-effective, but they are going to stay completely overwhelmed putting out fires and rarely have time to thoroughly analyze anything.

Cities need an IT helpdesk with the resources to do a more thorough analysis of IT issues and incidents.

2. Thinking as-needed IT support is a wise cost-cutting measure.

A common financial misperception with IT support is that paying only for “what you need” works better for a city. Nothing could be farther from the truth. When cities pay an hourly rate for “as needed” IT support, you will pressure engineers to solve your problems as quickly as possible. Otherwise, you will overly focus on time, not quality of work, and feel the engineers are wasting billable hours. IT vendors feel that pressure from you and may take shortcuts.

When you use fixed cost IT support, the engineers are incentivized to find the root cause of your issues and prevent those issues from draining more of their time in the future. We tell our city customers that our team is motivated to fix issues completely the first time because it costs us—not the city—more when we must revisit an issue.

3. Using underqualified IT resources.

An underqualified IT resource can come in many flavors:

  • Relying on a junior-level engineer as your one IT staff person to solve all issues.
  • Using an offshore or entry-level staffed IT helpdesk full of underexperienced, script readers bad at diagnosing problems.
  • Hiring a local “repairperson” instead of an IT professional. Is a local IT person who also installs car stereos for a living going to know how to identify cyber threat activity at cities?

Underqualified resources are cheaper on paper but cost you a lot in the long run because they take longer to resolve issues, fail to properly diagnose issues, and get in over their heads quickly. And then there is simply the great risk of what they don’t know because they are untrained, unexperienced, or left behind by this fast-paced, increasingly complex technology world.

A helpdesk full of qualified resources includes engineers taking calls and working through tickets while managers oversee the engineers. These managers assess resolutions, look for patterns, and identify trends and issues with customers. A team.

Cost-cutting measures focused only on price will also affect your city’s security as well as your operations. Cybersecurity has become a serious issue for cities. Not having the right IT support can open your city up to financial and legal liability from the effects of ransomware, viruses, and data breaches. The NSA is not kidding when they say you need an experienced helpdesk that is truly curious about getting to the root of your IT issues.

Need a reassessment of your IT support? Reach out to us today.

Friday, August 17, 2018
Kevin Howarth, Marketing & Communications
Wednesday, August 15, 2018
Brian Ocfemia, Engineering Manager
Brian Ocfemia

Obviously, cities know they must store documents to follow state records retention schedules set by law. However, we find that many cities get overwhelmed when they think about taking more proactive steps toward managing their document lifecycles. It’s one thing to keep records. It’s another thing to follow a useful records retention process that saves you time, money, and worry in the long-term.

If you’re frustrated about your current records retention and document management processes, you might wonder where to begin. The following tips will help you get a better handle on this problem and create a records retention process that runs smoothly like a machine.

1. Clarify and update your knowledge about state records retention laws.

It never hurts to refresh your knowledge about your state’s records retention laws. We find that many cities default to retain records indefinitely because of either uncertainty or busyness.

While it can seem easier to just keep everything indefinitely or for a long time, it’s better in the long-term to follow state records retention policies for each record type. For reference, we’ve provided a few records retention schedules for states where cities we serve are located.

Georgia Local Government Record Retention Schedules

Kentucky Municipal Government Records Retention Schedule

The Arkansas General Records Retention Schedule

2. Start scanning paper documents.

Figuring out what to do with a mountain of paper documents often worries and intimidates cities. Where to begin? Why begin? We encourage cities to just dive into this process. Make sure you’re using optical character recognition (OCR) technology so that words in paper documents are searchable after you convert them to electronic documents.

Some approaches to tackling your paper documents might involve:

  • Scanning and uploading your paper documents one box at a time. Setting goals and milestones by box can help you manage the process and eventually lead you to complete this task in bite-sized chunks.
  • Leverage interns, temps, and/or free labor. After defining the process, paper scanning soon becomes a tedious, repetitive activity. This is a perfect job for interns and low-cost labor.
  • Pick a date and start your document capture moving forward. If you feel scanning your past documents is just too time-consuming or overwhelming, then another option is to pick a date. Then, from that date forward, start scanning any paper document you receive. Make sure you stick to this process moving forward.

3. Make sure your documents are searchable.

Cities often show concern for how documents will be organized compared to what they are doing today and wonder how they will find the documents they want.

You need a document management system with built-in search capabilities such as searching for keywords within common document formats and bringing up the most relevant results (like how Google returns search results). This keyword capability can be applied to paper documents scanned with OCR. You can also apply custom metadata to your documents to make them more findable. (Read our blog post about metadata to learn more.)

4. Set document permissions to ensure authorized access.

It’s a best practice to set permissions for access to specific files and folders. A good document management system will allow you to set and manage these security controls. Setting up restricted access can also help prevent undesired user access and data breaches.

5. Consider using a cloud-based solution to store documents.

Some cities are not comfortable storing documents in the cloud and want to keep documents onsite. However, a cloud solution may be your best option for many key reasons.

  • Security: Onsite servers can feel more secure because you can see them. In reality, cloud data centers boast some of the best security in the industry. Engineers staffed 24/7 at these data centers spend enormous amounts of effort securing and monitoring cloud servers. At cities, onsite devices often receive less attention and there is more risk of a cyberattack or disaster that leads to permanent data loss.
  • Reliability: The whole point of the cloud is to approach near 100% reliability. High service level agreements (SLAs), multiple internet connections, and data distributed across different cloud hosting facilities means you experience highly reliable access to your documents (anytime, anywhere).
  • Redundancy: Cloud data centers offer redundant backup power that ensures continuity in case of power outages.

To take advantage of a cloud-based document management system, it’s essential that you evaluate and possibly upgrade your current internet connectivity. Ideally, cities need a business-class fiber connection with 99.9% or higher uptime and high speeds that work for your city.

Implementing these tips can be challenging for smaller cities with minimal staff. This process consumes a lot of time and sometimes requires technical oversight. Consider relying on professional IT engineers experienced with municipal records management who can help you set up processes that make your records retention capabilities quicker, more secure, and more compliant with the law.

Need help with your records retention? Reach out to us today.

Friday, August 10, 2018
Dave Mims, CEO
Wednesday, August 8, 2018
Cale Collins, Network Infrastructure Consultant
Cale Collins

At home, it’s acceptable to put together a handful of PCs into a network. If you have an application on your PC, then others in your family can access that application through the shared network. Very tiny businesses may also operate in this fashion. Despite so many applications now accessible through the cloud, there are still many homes and small businesses that operate with the traditional networked PC model.

We see many cities use this model, too. Instead of buying a server or exploring cloud application options, they will have a critical application residing on one person’s PC. If others need to access that application, they will network PCs together. We’ve seen critical applications ranging from police case management software to utility billing software residing on a single person’s computer.

Unlike a server, a person’s computer is, well, personal. Think about how your computer is like a part of you every day. You log in, you do work on it, you check the news and weather, you browse the internet, you update your website, you do research, and you even customize the look and feel of your screen. It’s your computer. And yet, if you’re running a critical application, then it’s also your responsibility to make sure that application continues to work and its data is protected.

But having this critical application on your PC is highly risky. Your police chief or city clerk might be IT savvy, but they are not experienced IT engineers. You may have survived so far, but consider the number of situations that can put your city at risk.

1. Data backup and disaster recovery

How are you backing up your PC? You might have a manual process in place such as an external hard drive, flash drive, or consumer-grade data backup solution. But people can get distracted and forget to back up. Manual backups fail or data gets corrupted. And when do you have time to adequately test your data backup to ensure it works?

If your PC crashes, fails, or gets destroyed, then you risk permanent data loss. A server or cloud-hosted application managed by IT professionals combined with a robust data backup and disaster recovery solution will allow you to recover quickly in case of device failure and even help you recover after a major disaster.

2. Cyberattacks

It’s highly unlikely that a single non-technical employee can do what it takes to properly fend off cyberattacks. Ransomware, viruses, malware, and other nasty threats relentlessly target cities. That includes smaller cities. The number of virus and ransomware stories that have knocked out smaller cities keeps adding up year after year. Cybercriminals are looking for access to money and sensitive information. Cities, to them, are low-hanging fruit.

On an individual PC, is the non-technical user…

  • Keeping antivirus software updated?
  • Using a sufficiently configured firewall?
  • Regularly applying security patches to the application?
  • Managing user access to the application?

Probably not. These tasks are challenging and complex, especially when issues arise. Imagine what a police chief or city clerk faces trying to consistently fit these tasks into everything else they must do. Unfortunately, slipping in this area means you risk a data breach, data held hostage by ransomware, and permanent data loss.

3. Software patching and upgrading

Partly, software patching and upgrading helps you avoid security issues. All software has security vulnerabilities that vendors must shore up with patches. Not patching opens you up to cyberattacks—like leaving a back door open at city hall. But patches and upgrades also address other important problems such as performance, reliability, and bugs. Upgrades feature improvements to functionality that may help you and your staff more productively use the application.

Many organizations—including cities—fail to apply patches and upgrades in a timely fashion. The probability that your city patches and upgrades software significantly goes down if that task is in the hands of non-technical users.

4. User management and authorization

Part of making an application secure involves managing users and authorizing their use of the software. Application permissions can be granular and complex to manage, and this management can fall to the wayside if a non-technical user doesn’t have the time or experience to properly configure them. That leads to situations we’ve seen where anyone networked into an application can access it without a password (or with a bad password like “123456” or “admin”).

Within an application, non-technical users will often fail to set permissions around users accessing specific kinds of data. If authorization policies are loose, then unauthorized people might access files, data, and application functionality that they should not be able to see at all.

5. Reliability

So, the application doesn’t work. Or it’s slowing down. You think, “What’s going on? Where do I begin? I have to get payroll done by noon, and it doesn’t work!”


That’s right. It requires a lot of technical experience to fully understand what’s going on with applications when they slow down, crash, or freeze. Maybe it’s a patching issue. Maybe it’s the computer or network. Maybe it’s hardware. Maybe it’s a virus. It’s hard to say without an experienced diagnosis. Additionally, recurring problems might need a more long-term solution (such as a server or cloud-hosted application).

If you’ve survived so far with only a few networked PCs with a critical application residing on a single employee’s computer, then that’s great. But with cyberattacks growing more sophisticated, higher technology standards expected of cities, and significant liability concerns around sensitive and confidential data, it may be time to look at a solution that mitigates the risk. Alternatives—from a single server to a cloud-hosted application—can help offload the security risks and technical burdens of managing an application on a single PC.

Want to transition your application from a single PC to something that reduces risk and liability? Reach out to us today.

Friday, August 3, 2018
Jeremy Mims, Account Executive
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 |