CitySmart Blog

Wednesday, May 16, 2018
Dave Mims, CEO

A recent article in The Conversation (titled “Why Cities Are So Bad at Cybersecurity”) referenced a few startling stats:

- 44 percent of local governments say they experience daily cyberattacks (and it’s probably a higher percentage)
- 53.5 percent of local governments “do not catalogue or count how often their systems are attacked”
- “Most local governments [58.4 percent] said they cannot determine the types of attackers that attack their systems.”

These stats reveal that, despite constant targeting by cyberattackers, many cities are not taking steps to monitor their systems or proactively prevent cyberattacks.

Why, especially when the consequences for cities are permanent data loss, data breaches, and lack of legal compliance?

After a recent ransomware attack at the City of Atlanta, the city spent almost $2.7 million to recover. Critical data was likely permanently lost, some data took weeks or months to restore, and documentation shows that the city neglected to take recommended actions after an audit.

Strengthening cybersecurity should not be neglected by cities. To help, we’ve provided a 20-question assessment (in our featured article below) that will help your city identify critical gaps related to your IT proactivity, employee training, and data backup and disaster recovery—all of which contribute to strong cybersecurity.

And remember, if you are a member of the Georgia Municipal Association’s (GMA) property and liability fund (GIRMA), then you are eligible to receive a grant from GMA’s Safety and Liability Management Grant Program to reimburse your city for up to 25% of the annual IT in a Box subscription fee.

In customer news, check out the following new websites:

Plus, we’d like to welcome Kuttawa, Kentucky; Louisville, Georgia; Riceboro, Georgia; and Warrenton, Georgia to the Sophicity family.

As always, don't hesitate to reach out to me if you have something to share with our local government community.

Blessings,

Dave Mims


20 Questions to Assess Your City’s Cybersecurity

Despite knowing it’s critically important, cybersecurity can seem a bit overwhelming at times. Where do you start?

This 20-question assessment will help you start with some basic questions, and we also link to many of our blog posts if you’d like additional information about the areas we discuss.

Take our 20-question city cybersecurity assessment.



Recent Media

Data Backup and Disaster Recovery: Additional Low-Cost Insurance for Cities

Why You Should Never Pay a Ransomware Ransom

That One Unsupported Computer May Bring Your City Down


Events

We hope to see you at these upcoming events including:

Alabama League of Municipalities (ALM) Annual Convention
May 19-22, 2018
Montgomery, Alabama

Kentucky League of Cities (KLC) City Official Academy II
May 23-25, 2018
Bowling Green, Kentucky

Arkansas Municipal League (AML) Annual Convention
June 13-15, 2018
Little Rock, Arkansas

Georgia Municipal Association (GMA) Annual Convention
June 22-26, 2018
Savannah, Georgia

Kentucky League of Cities (KLC) Blighted, Abandoned, & Dilapidated Property Conference (BAD)
June 28-29, 2018
Lexington, Kentucky


A Taste of I.T.

Recently, Montezuma, Georgia and Peachtree Corners, Georgia took time out of their busy daily schedules to grill out with us for what we call a Taste of I.T. These are BBQ-heavy :) customer thank you events that we’ve been bringing to our customers. Literally each month, we bring the food and beverages and get to have lunch with your staff. At Montezuma, thanks to Mayor Larry Smith, Chief Eric Finch, and City Administrator / Clerk Joyce Hardy. At Peachtree Corners, thanks to Mayor Mike Mason, Finance Director Brandon Branham, City Clerk Kym Chereck, and City Manager Brian Johnson. We had an awesome time!


Monday, May 14, 2018
Dave Mims, CEO

Recently, Local Government Risk Management Services (LGRMS) sponsored a webinar titled “Reducing Your Risk of Claims Due to Cyber Attacks.” In this webinar, Sophicity COO Nathan Eisner provides recommended controls for cities to help them reduce their risk of future cyber issues.

The webinar includes:

- Case studies that describe how real cities have been impacted by claims from cyberattacks.
- Tips on preventing and reducing the risks of a cyberattack.
- Guidance about what to do in case you are the victim of a cyberattack.

Watch the full webinar below.


Tuesday, May 8, 2018
Brandon Bell, Network Infrastructure Consultant

As information technology evolves and various tools and systems improve, why are there so many successful cyberattacks on cities?

One big risk is people.

Hackers and criminals know that people are often the weakest link in an organization. Think about it. If you’re going to steal information from the most secure building in a city, what sounds like a better strategy? Breaking through the locked front door late at night, or tricking a city employee to let you walk right in?

Phishing works similarly. Hackers just need one employee to click on an email attachment to insert ransomware, malware, or a virus inside your city’s systems. And, the employee may not even realize they were just fooled.

Given the high probability of eventual success, it may seem impossible to prevent an employee from falling prey to a phishing attack. However, there are five ways that cities can mitigate the risk and lower the chance of devastating consequences if a phishing attack does occur.

1. Regularly train employees and keep them aware of evolving phishing tactics.

Use training to make employees aware that several kinds of phishing attacks exist including:

  • Traditional phishing: This is the kind of phishing most people know about. You receive an email that purports to be from a bank, your phone company, or some other legitimate organization. The hacker uses the spoofed email to get you to click on a malicious email attachment or website link.
  • Spear phishing and whaling: These two terms pretty much mean the same thing—a hacker goes after a specific city employee with a great deal of thought and effort. The stakes are usually higher here. For example, the hacker may try getting you to transfer a lot of money. Read how the City of Paris, Kentucky fended off such an attack.
  • Vishing: This is a relatively new term that refers to phishing over the phone. Hackers may do something like pretend they’re a legitimate caller who needs a username and password over the phone. If you hand that information over, the hacker may then use that information to hack you online.

We’ve written about ways to spot phishing attacks in the past, but a few pointers that are always helpful to let employees know about include:

  • Spotting obvious scam signs: Check the sender’s name and email address. If an email supposedly from your bank is from linkmail383738333@kojel.com, then it’s probably not legitimate. Hover over URLs with your cursor. Do the URLs look suspicious (such as not taking you to the banking site)? Is the grammar poor? Organizations (especially large organizations) send out professional messages with good, mostly typo-free writing. Bad grammar is often the sign of a phishing email.
  • Being slow to trust: Question each email you receive. Assume it is not legitimate, and that it is not from the person identified. Does it seem right? For example, if your bank contacts you in the middle of the day, says that “unauthorized access” occurred, and that you need to enter your username and password—now!—or you’ll be locked out of your account in an hour, does that seem right? Even if you think an email is legitimate, don’t use the link or phone number provided in the email. Go directly to the organization’s website or call the organization to confirm that they sent a legitimate message or request.
  • Staying informed about modern scams: Hackers are always trying out new tactics and trickery. Keep employees up to date about new phishing tactics as you learn about them.
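
The sender and link checks from the first pointer above can also be run automatically on incoming mail, which is useful when triaging messages that employees report. This is an added example, not code from the original post; the `KNOWN_SENDERS` allow-list, the function names and both sample emails are constructed for illustration.

```python
"""Flag the phishing signs listed above in a raw email (added example)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allow-list a city's IT staff would maintain: organizations that
# employees really deal with, and the domains those organizations really use.
KNOWN_SENDERS = {"example bank": {"examplebank.example"}}

# Constructed sample: display name claims the bank, address and link do not.
SUSPICIOUS = """\
From: "Example Bank Security" <linkmail@mailer.invalid>
Subject: Unauthorized access - act now
Content-Type: text/html; charset="utf-8"

<p>Unauthorized access occurred. Enter your username and password now!</p>
<a href="http://login.verify-account.invalid/bank">https://www.examplebank.example/login</a>
"""

# Constructed sample: sender and link both belong to the claimed organization.
LEGITIMATE = """\
From: "Example Bank" <alerts@examplebank.example>
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<a href="https://www.examplebank.example/statements">View your statement</a>
"""


def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(msg):
    """Return the first text/html part of the message as a string."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def shown_host(text):
    """Host a link's visible text claims to be, or None if it is plain words."""
    if not text or "." not in text or any(c.isspace() for c in text):
        return None
    return urlsplit(text if "://" in text else "//" + text).hostname


def phishing_signs(raw_email, known_senders=KNOWN_SENDERS):
    """Return (sign, offending host) pairs, in the order the checks run."""
    msg = message_from_string(raw_email)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    claimed = next((doms for name, doms in known_senders.items()
                    if name in display.lower()), None)
    signs = []
    # Sign 1: the name says "your bank" but the address is from somewhere else.
    if claimed is not None and not host_in(sender_domain, claimed):
        signs.append(("sender_domain_mismatch", sender_domain))
    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        url = urlsplit(href)
        if url.scheme not in ("http", "https") or not url.hostname:
            continue
        # Sign 2: what "hovering" reveals, a link that leaves the claimed site.
        if claimed is not None and not host_in(url.hostname, claimed):
            signs.append(("link_off_domain", url.hostname))
        # Sign 3: the visible text shows one host while the href goes to another.
        shown = shown_host(text)
        if shown and shown != url.hostname:
            signs.append(("link_text_mismatch", url.hostname))
    return signs
```

Calling `phishing_signs(SUSPICIOUS)` reports all three signs, while `phishing_signs(LEGITIMATE)` returns an empty list. A clean result only means these particular signs are absent, so the "slow to trust" advice still applies.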

In addition to regularly training employees, you may also want to test them. For example, leverage your IT support staff to send out fake phishing attacks at your city to see if employees will click on them. Employees who get tricked can then receive extra training.

2. Develop policies and procedures about protecting information.

Even if you train employees about phishing, they’re more susceptible to phishing attacks if you lack clear policies and procedures around how sensitive information is handled. For example, clear policies and procedures around giving out passwords will mitigate the risk of an employee giving them away in a phishing attack. If employees know that their password is never (never, never, never) to be given out, even if an IT support engineer asks for it, then they will be less likely to fall prey to an email asking for that information. Employees will sense something is wrong because someone is breaking protocol.

3. Use Two Factor Authentication (2FA).

We recently wrote a blog post about the benefits of 2FA, but here we’ll address how it specifically helps protect against phishing attacks. Let’s say a hacker gets hold of a username and password. They won’t be able to hack into a system because they lack the second factor of authentication (such as confirming a code sent to an employee’s phone). 2FA decreases the probability of a hacking exploit because it creates two hurdles instead of one. It’s much, much harder for a hacker to gain access to a system or application that requires 2FA.

4. Ensure that your IT basics are solid.

Because phishing attempts are always occurring, it’s good to ensure that your city implements IT basics that include:

  • Antispam software: Usually part of email software, your antispam software can help prevent a lot of spam from even getting into people’s inboxes.
  • Business-class email software: Cities should not rely on free or consumer-grade email that poorly or erratically segments out spam. Business-class email, managed by IT professionals, will help segment spam out from your legitimate email.
  • Enterprise-class antivirus software: Modern antivirus software can help flag a malware or virus attack before it happens.
  • Firewalls: Properly configured firewalls can prevent a lot of bad people from ever entering your systems.
  • Software updates and patching: Hackers often exploit security vulnerabilities in software. Keeping software patched and up to date reduces the risk of a hacker exploiting a weak point in your software by way of a phishing attack.

5. Create a data backup and disaster recovery plan.

Data backup and disaster recovery is your worst-case scenario insurance in case of a phishing attack. Many well-intentioned organizations that do all the right things can still fall prey to a phishing attack. A data backup and disaster recovery plan that includes an onsite component, offsite component, and periodic testing will ensure that you can recover your data to a time before ransomware, malware, or a virus invades your systems.


While you cannot completely eliminate the risk of a phishing attack, you can greatly lower your city’s risks by applying the five best practices above.

Worried about your susceptibility to a phishing attack? Reach out to us today.

Tuesday, May 1, 2018
Ryan Warrick, Data Center Engineer

After a recent ransomware attack at the City of Atlanta, the city spent almost $2.7 million to recover. Critical data was likely permanently lost, some data took weeks or months to restore, and documentation shows that the city neglected to take recommended actions after an audit.

An article from American City and County quotes Jake Williams, founder of cybersecurity firm Rendition Infosec, who says, "Emergency support and overtime costs phenomenally more than just handling the issues. In other words, upgrades that might have cost $100,000 in normal budgeting might cost $300,000-plus in emergency spending during an incident."

In other words, when an incident happens and you’re not prepared, you could spend three times as much, or more, as you would have with normal budgeting. Think of it in terms of a vehicle repair. Some preventative maintenance may cost you $1,000. But if you neglect that maintenance and the vehicle breaks down, then your city could be faced with a bill of $3,000 or more.

The same logic holds true for your cybersecurity. And one extremely low cost “insurance” investment that can help you recover from a wide variety of incidents—rather than paying a sudden, large amount of money—is data backup and disaster recovery.

In a recent blog post, we outlined four pillars of a data backup and disaster recovery plan.

1. Address time to recovery for smaller incidents through onsite data backup.
2. Plan for worst-case scenarios through offsite data backup.
3. Ensure that you can access your data soon after an incident.
4. Test your disaster recovery plan.

When cities take many weeks or months to recover from an incident, it’s likely they did not have a comprehensive, tested data backup and disaster recovery plan in place. Compared to the cost of a cybersecurity incident, such a plan is very affordable.

Here is how a data backup and disaster recovery plan can serve as additional cybersecurity “insurance.”

1. Recover from ransomware.

Ransomware is a form of malware that, once activated, will encrypt your files. Criminals then want you to pay a ransom to get your data back. A comprehensive disaster recovery plan will include an offsite data backup component. Every day, and possibly throughout the day, the offsite data backup technology will ensure that your data is copied, sent to a data center (or data centers) located geographically distant from your city, and completely separate from your onsite data.

So, let’s say ransomware hits you on a Tuesday. With offsite data backup, you could go back to an uncorrupted copy of your data at the last point it was copied offsite before the ransomware hit. You may lose some data, but that’s a much better situation than losing days, weeks or months of data—or permanently losing data.

2. Reduce liability and remain compliant.

Cities are custodians of sensitive and confidential data related to citizens, businesses, and government operations that includes information about taxes, public safety, payment transactions, and personnel. Laws, regulations, policies, and procedures exist that require you to protect this information.

Today, data backup and disaster recovery plans and solutions are considered a best practice for all organizations, including cities. Any city neglecting to properly back up records and data, or failing to recover data after an incident, should expect significantly higher costs when reactively attempting to recover data versus the costs of proactively performing data backup and disaster recovery.

3. Recover from a disaster.

Obviously, cities can’t control the weather or a natural event. However, cities can plan how they will respond to a disaster. Remember, the continuity of your city’s operations is critically important for citizens. After a disaster, they will look to you for information, help, and services. A good data backup and disaster recovery plan allows you to access data after a disaster and serve citizens. Even if city hall is destroyed, you can set up at an emergency location and begin to restore or immediately access systems, records, and data.

4. Protect body camera video.

When you have body camera video, you must meet your state’s records retention policies. Transparently retrieving body camera video helps you in a crisis after a sensitive incident. But if you can’t retrieve specific body camera video that your state’s records retention policies say you must produce, then various forms of backlash may result.

A data backup and disaster recovery plan must account for the nuances of body camera video—especially storage volume and length of retention. Body cameras produce large amounts of data. Explaining that you ran out of storage is not a solution to the problem of body camera video retention or an excuse if you’re unable to produce a specific video.

5. Follow records retention laws.

You are required to follow your state’s records retention laws. Part of those requirements may include policies about data backup and disaster recovery. Even if explicit laws don’t exist requiring a data backup and disaster recovery plan, the laws implicitly state that you need to produce records, if requested, that fall under a specific retention period.

For example, the Georgia Municipal Association’s City Clerk Handbook states, “All local governments are required by state law to have an adopted records management plan which includes the designation of a records manager to coordinate and perform the responsibilities of the plan, an approved records retention schedule, and provisions for the maintenance and security of the records.” Arguably, maintenance and security include a data backup and disaster recovery plan to help protect and secure records from loss—no different than protecting paper records from fire, flooding, tornadoes, loss, or theft.


A data backup and disaster recovery plan provides you additional “insurance” that covers many critical scenarios. If you don’t have such a plan in place, then the costs of a likely incident in today’s cyber world can grow suddenly very expensive. Investing in a way to back up your data, manage the data, and regularly test your solution to ensure that it can be recovered after a disaster or incident will give you peace of mind financially, legally, and, yes, ethically.

Do you have uncertainty about the cost and liability you would face after a significant incident? Reach out to us today to discuss your data backup and disaster recovery plan.

Tuesday, April 24, 2018
Nathan Eisner, COO

If you think that cities aren’t a target for hackers, just look at some recent front-page news of cyberattacks that have caused devastating damage. Atlanta ended up paying $2.7 million to deal with a ransomware attack—and some services are still inoperable or paper-based six weeks after the attack. And Savannah, Georgia took weeks to recover from a devastating malware attack back in February.

While we’ve written a great deal about cybersecurity (and many other trade publications, IT vendors, and specialists are writing about cybersecurity), it can all seem a bit overwhelming at times. Where do you start?

This 20-question assessment will help you start with some basic questions, and we also link to many of our blog posts if you’d like additional information about the areas we discuss. We’ve grouped these questions around our “tripod” of IT.

PROACTIVITY

1. Does my city keep our software modernized, upgraded, and patched?

Many cyberattacks can easily be prevented through up-to-date, patched software. Dangerous ransomware like WannaCry exploited unpatched software. Keeping up on patching and upgrades shores up security holes and vulnerabilities. Also consider modernizing your software, especially because older software eventually becomes unsupported by the vendor and more vulnerable to attacks.

Be especially careful of freeware (which is usually unauthorized, unapproved, and unmanaged software at your city) and a failure to update operating systems and web browsers.

2. Does my city have a strong password policy?

Passwords are like locks to hackers. If you have a simple lock (or no lock), then it’s easier to break into a building. Similarly, if your employees use simple passwords (like “123456,” “password,” or “admin”), then you’re at risk. A strong password policy enforces the use of complex passwords, creating new passwords on a periodic basis, and Two Factor Authentication (2FA).

3. Does my city protect our wi-fi access points?

Unsecured or easy to access wi-fi leaves you open to an easy cyberattack. In a previous post about wireless access security, we recommended that you:

  • Secure and lock down all wireless devices.
  • Remove physical wireless access hardware from the public or unauthorized employees.
  • Apply patches and upgrades to wireless devices.
  • Use appropriate wireless hardware and configure it properly.
  • Monitor and maintain your wireless network for security risks.

4. Does my city use enterprise-class antivirus software managed and maintained by IT professionals?

Only managed and maintained enterprise-class antivirus software can ensure that your virus definitions are constantly up to date, all your devices are protected, your systems are monitored for virus threats, and you have the experience to know what to do quickly if a virus is encountered before an outbreak occurs. Relying on free or employee-managed consumer-grade antivirus is a risky shortcut.

5. Does my city use modernized, professionally supported hardware?

Old hardware—servers, workstations, routers, firewalls—can become more vulnerable to cyberattacks if it becomes unsupported. Also, improper hardware configuration or decommissioning can create gaping security holes. Modernize your hardware!

6. Does my city have strong physical security?

This aspect of cybersecurity often gets overlooked. Hackers or disgruntled employees can exploit physical security vulnerabilities to initiate cyberattacks. Best practices such as securing rooms with sensitive IT assets, requiring employees to log out or lock their computer screens when not at their desks, and keeping an updated hardware inventory all go a long way toward keeping your physical assets secure.

7. Does my city know that our website is secure and hosted by a reputable provider?

In a previous blog post, we said about website hosting providers, “Are they regularly providing security updates? Are they monitoring for security vulnerabilities? Where are they hosting the servers? Within sovereign U.S. borders? […] Will they allow for a third party to scan your website for security vulnerabilities? If you’re not sure of the answers to most of these questions, then you might want to reexamine where you’re hosting your website.”

8. Does my city know that our email is secure?

We still find cities using personal email accounts or consumer-grade email with questionable security. Your email should be encrypted, offer strong antispam capabilities, and fully integrate with your enterprise-class antivirus software.

9. Does my city know that its online payment system is secure?

In a previous blog post, we said: “Cities should expect the same security from an online payments vendor that they would expect from their personal online banking. That means an industry standard level of encryption, strong authentication, strong passwords, regular auditing, and the ability of the vendor to provide documentation proving that they are testing their security controls on an ongoing basis. In addition to these basic technical requirements, it should also be clear who can access and change any payment information. Permissions and access need to be controlled with sufficient rigor and protection.”

EMPLOYEE TRAINING

10. Does my city conduct ongoing training about cyber threats?

You can’t just train employees once and be done with it. Cyber threats change constantly. Just a few years ago, ransomware wasn’t on most people’s radar screens. Today, it seems not a week goes by that the latest and biggest new ransomware compromise is reported in the news (again).

Also, as a part of training, it’s good to periodically reinforce lessons about traditional threats such as malicious email attachments or dangerous websites.

11. Does my city let employees know that human error is at the root of many cyberattacks?

It’s easy for employees to believe that if good antivirus software, antispam software, and professionals overseeing IT are in place, then there is very little risk of making a horrible mistake. Yet, an employee clicking on a malicious email attachment or website is at the root of many major successful cyberattacks during the last few years.

Employees need to stay aware of the many ways they can be tricked in a cyberattack including phishing (such as through malicious email attachments or links), poor online habits (such as taking “fun” quizzes or downloading games), and phone calls (where a hacker may attempt to extract sensitive information over the phone by pretending to be a legitimate caller).

12. Does my city have clear data access and authorization policies?

How are people authorized to access information at your organization? Policies should cover vendor contracts and management, network security, wireless security, physical access security, logical access security, disaster recovery, and application controls (such as data input, processing, and output).

13. Does my city have confidence it is compliant with federal and state laws?

Despite the rigor involved in complying with various federal and state laws, cities lack sufficient cybersecurity measures that properly protect information. Your city needs to know—with certainty—that it is protecting personally identifiable information (PII), retaining records and following open records laws, and properly managing body camera footage. Otherwise, cities may find themselves in legal woes and experience increased liability.

14. Does my city have a clear mobile policy for employees?

Ideally, cities need to provide city-owned devices to employees to keep a clear separation between city business and personal use. However, your city may allow you to bring your own device (BYOD). Whichever route you take, create a mobile policy that maintains a clear line between city business and the personal use of devices. Additionally, consider mobile management technology to manage, separate, secure, and, if need be, wipe the data of any device that is lost or stolen.

15. What’s the plan if you are hacked?

Your city needs a clear, specific incident response plan in case you are hacked. What happens? What steps need to be taken? How will you report the incident to authorities and regulators? How will you tell the public and communicate with anyone affected? You may need different incident response plans for different events such as ransomware, denial of service attacks, or a suspected data breach.

16. Does your city include everyone in your cybersecurity plan?

It’s still easy for many busy, non-technical city leaders to downplay the importance of cybersecurity or “just let the techies handle it.” However, there is a part for everyone to play—elected officials, city management, IT staff and vendors, and employees. It sounds like a cliché, but it’s true that cybersecurity is everyone’s responsibility.

17. Does my city have a clear social media policy?

Because Facebook or Twitter is not part of your city’s software or systems, it’s easy to overlook social media as a security threat. However, you need to guard access and authorization to social media pages and enforce policies about what kinds of information can be shared. It’s easy for an employee to reveal sensitive or confidential information on a social media platform or for a hacker to use information gleaned through a social media account to begin hacking a city.

DATA BACKUP AND DISASTER RECOVERY

18. Does my city have a data backup and disaster recovery plan?

A stark reality for cities is that a data breach or cyberattack may be inevitable. So, you must prepare for a worst-case scenario. One of the best preparations is an effective data backup and disaster recovery plan that involves an onsite and offsite component. That way, even if ransomware encrypts your information and prevents you from accessing it, you can revert to a previous state of your data before the infection began.

19. Does my city periodically test its disaster recovery plan?

It’s too common that cities think they have a good data backup and disaster recovery plan. Then, an incident happens. They enact the plan. And...it doesn’t work. Why? The city hasn’t tested it. Testing uncovers issues that may prevent you from restoring critical data, and it’s essential to conduct a full simulation test periodically (such as quarterly).

20. How is your critical information centralized, managed, and prioritized?

A data backup and disaster recovery plan requires that you know a lot about your data. What is your most critical data? Where is it stored? How is it accessed? If you need to enact your data backup and disaster recovery plan, then in what order will you restore your data?


This 20-question assessment should give you a thorough start in helping you assess the state of your city’s cybersecurity. We encourage you to explore the many blog post links we provided for further information.

Need help addressing any or all of these aspects of cybersecurity? Reach out to us today.

Tuesday, April 17, 2018
Brian Ocfemia, Engineering Manager

With hackers targeting cities through a variety of aggressive attack methods, all common sense best practices that decrease the risk of a cyberattack must be considered. One overlooked method is Two Factor Authentication (2FA)—the practice of using two forms of authorization to access an application. For example, an employee may enter their email login information and then receive a notification through an app on their phone that they use to complete the sign-in process.

Unfortunately, even though 2FA decreases the risk of an account compromise from cyberattack, many cities push back on this idea because they view 2FA as troublesome or inconvenient for users. True, 2FA can be one additional annoying step if you’re used to just typing in your username and password and getting on with your day. But cities handle sensitive and confidential information, and they need to comply with various federal and state laws pertaining to the security of the information they handle. It’s important to ensure that only authorized people from authorized devices access that information. 2FA is a necessary tool in your cybersecurity strategy that can reduce the liability of a potential data breach or compromise.

The good news is that 2FA has improved over the past few years as it has become more mainstream for financial services, email, common social media platforms, and other applications that give access to sensitive and personal information. A few things that may ease your mind about 2FA include:

  • Quick logins: A second authentication factor usually doesn’t add much extra time. We’re talking seconds. On a smartphone, a text message or notification app will quickly provide the means to authenticate. With a press of a button or the input of a multi-digit code, you’re ready to go.
  • No need to log in multiple times every day: Many 2FA services will not ask you to log in every few minutes or hours. While maintaining high authentication security, many tools will only require 2FA with your first login of the day.
  • Easy-to-use 2FA phone apps or messaging: 2FA often involves using an app or getting a text message on your smartphone. If your employees are used to texting and phone apps, then 2FA will feel quite natural.

If you’re ready to explore 2FA, then we recommend a few best practices.

1. Apply 2FA to everyone.

Don’t exempt people. Think of 2FA like an extension of your password and authorization policies. You wouldn’t have a few people exempt from entering usernames and passwords to get to their email. If some people are exempt from 2FA, then you’re creating a weak link that can be exploited by hackers.

2. Train employees.

Don’t assume employees will easily transition to 2FA. Include 2FA as part of your ongoing cybersecurity training. (You are conducting ongoing cybersecurity training, aren’t you?) Explain to employees why 2FA is so important, how it helps stop cyberattacks, and why it helps cities comply with laws and policies. And clearly explain how 2FA will work so that employees understand how to log in and how the authentication process will involve their smartphones or other devices.

3. Rely on experienced IT support professionals to handle any challenges.

As with any technology, 2FA will run into issues as employees start using it. Someone may forget the process. Another may have issues with their smartphone receiving an authorization code. Because 2FA may be a new technology for some people that also involves security, authorization, and compliance, it’s best to have experienced IT professionals managing this tool. These professionals will ensure that it’s working properly, issues are resolved, and it’s used appropriately.

4. Include 2FA as part of your overall logical access security policy (including your password policy).

In a previous blog post, we talked about the importance of logical access security policies—meaning policies that electronically prevent unauthorized people from accessing sensitive information. Part of logical access security includes a strong password security policy—and 2FA can become part of that policy. You may need to flesh out some details in your policy about 2FA such as:

  • The process for logging in
  • Any authentication apps or processes that involve an employee’s smartphone
  • Whether or not an employee can use those authentication apps or processes on their own smartphone, a city-owned mobile device, or another device (such as a landline phone)
  • When and how an employee gets locked out
  • Processes for onboarding, monitoring, and decommissioning employee access and authorization

2FA can be a powerful tool in your city’s arsenal to improve your security, decrease your cyber liability, and increase your chance of preventing a cyberattack that leads to a compromise. By extending your logical access security policy to include 2FA, you will take some important steps toward making your city environment more secure.

It’s possible that a hacker or bad actor in your office, in your city, across the country, or even around the world can gain access to your username and password after you fall victim to a phishing scam. But even if they succeed, they would be stopped dead in their tracks with 2FA. So why has your city not yet implemented 2FA?

Interested in implementing 2FA at your city or improving the way you manage it? Reach out to us today.

Tuesday, April 10, 2018
Mark Holbrook, Technical Account Manager

Yes, we’re talking about that one unsupported computer at your city. Or more than one. Maybe you think you’re saving money by not supporting what you see as an unessential computer. Maybe people barely use this computer. After all, it’s just a computer (or two). As long as your IT vendor supports everything else, you’re fine. Right?

If you recall the myth of Achilles, the gods made him completely invulnerable—except for his heel. Sure enough, Paris shot an arrow in Achilles’ heel during the Trojan War—and that arrow killed Achilles. It’s such a great lesson that people still use the phrase “Achilles’ heel” thousands of years after Homer told this story in The Iliad.

Even just one unsupported computer is your Achilles’ heel. It’s like having a well-locked city hall building but leaving a door or two wide open all day, every day.

Let’s look closer at some critical weaknesses of any unsupported computer on your network.

1. Lack of sufficient antivirus software

Without enterprise-grade antivirus software, an unsupported computer will either have no protection or uncertain protection. Free or cheap consumer-grade antivirus software is not good enough for a city, and you can’t rely on employees to keep virus definitions constantly updated.

Each city computer needs enterprise-grade antivirus protection supported by IT professionals who will keep virus definitions up to date, monitor for possible virus attacks, and quickly identify and address issues.

2. Lack of regular software patches, updates, and vendor support

Having an employee now and then click on Windows updates is not a good practice for unsupported computers. We’ve seen unsupported computers sometimes have months of software updates not applied. And then, employees wonder why the computer runs slow or they can’t properly use an application.

Software patches and updates fix security vulnerabilities and bugs while also adding new features and functionality. For security, compliance, and performance reasons, every computer you use needs regular patching and updating. Employees are not trained IT professionals and may forget to patch, apply the wrong patches, or not know what to do when they encounter issues. For those reasons, some employees fear applying patches at all—which is not good.

In addition, we see instances of unsupported computers running obsolete operating systems on aging hardware—leading to more security risks and the chance that the computer will break down any day. Such old computers and operating systems are often not supported by vendors. If they break, there is no one to help.

3. Uncertainty around data backup

If your computer is unsupported, how is the data on that computer getting backed up? While you might think only certain computers are important, it makes sense that any computer you’re using for city business likely contains some data worth protecting.

Backing up data through manual methods such as a flash drive or hard drive introduces too much risk into your city. These methods are unreliable because you cannot guarantee that employees will regularly back up data or back up all required data. Having IT professionals follow a data backup and disaster recovery process is the only way to be certain that a computer’s data gets backed up.

4. Uncertainty around passwords, authentication, and authorization

Who is accessing your unsupported computers? How easy is it for people to access these computers? Sometimes, unsupported computers won’t have any required login. Or, the passwords might be weak and shared across many employees. This situation poses both a physical security and online security risk—and increases the risk of a compromise.

Physically, a disgruntled employee or non-employee may sit down at an unsupported computer and acquire or destroy sensitive information if the computer is not appropriately password-protected. Online, these kinds of computers are low-hanging fruit for hackers. It’s not hard to hack into these computers and, through them, gain access to your entire system. This is a good example where the weak link idea especially applies.

IT professionals can help you manage passwords, authentication procedures, and authorization policies on all your computers. Leaving one or more computers with uncertain login issues can become a major security risk.

5. Unknown software and applications residing on the computer

IT maintenance and monitoring often requires a bit of friendly discipline—especially around employees downloading software and applications. Software needs IT support, vendor support, patching, and updating to not only work properly but also comply with policies and laws. When non-technical employees are downloading and “managing” software by themselves, you introduce security and compliance risks.

Without IT professionals supporting your software, how will you know if a major security or performance problem exists? Who will fix that issue? Plus, the use of unsupported software without security oversight means you could be exposing confidential and sensitive information to unauthorized users or installing malware onto your computer that will lead to ransomware.


So, what are your thoughts about that unsupported computer now? If you really aren’t using it for anything important, consider decommissioning it and getting it off your network. Otherwise, get that computer supported!

Want to make sure you’re supporting all computers on your network? Reach out to us today.

Tuesday, April 3, 2018
Mike Smith, Network Infrastructure Consultant

In the wake of a recent ransomware attack at the City of Atlanta, the question has been raised (again) about whether to pay a ransom or not. It appears the city ended up not paying, but other cities and government entities have done so. Unfortunately, IT professionals and law enforcement sometimes give mixed signals about paying ransom. But you should never pay.

Here’s why.

1. It is never guaranteed that criminals will unencrypt your data.

Criminals often ask for thousands of dollars in ransom. Would you take thousands of dollars from your city treasury and then flip a coin to see if you keep it? That’s essentially what happens when you pay criminals.

According to SentinelOne's Global Ransomware Report 2018 (reported in KnowBe4), “45% of US companies hit with a ransomware attack last year paid at least one ransom, but only 26% of these companies had their files unlocked.” Yes, only 26 percent! With such a low chance of your ransom actually unencrypting your data, it’s not wise to throw thousands of dollars at criminals. Plus, if you pay, criminals may also ask for more money or target you again—viewing you as a nice source of revenue!

2. It is never guaranteed that criminals will restore your data as it was.

Once you get your data back, do you know for sure that it’s unaltered? If criminals had access to it, they could do anything with it. Delete some of it. Corrupt it. Implant malware into it. Who knows? These are criminals. You can’t trust them.

In some cases, ransomware attacks are led by sophisticated nation states or professionally organized criminal syndicates with deep pockets and resources. Who knows what they’ve done with and to your data before they give it back?

3. It is never guaranteed that criminals will no longer have access to your data.

Remember, these criminals held your data hostage. By paying a ransom, you are trusting a criminal to perfectly return your data back to its previous state. And maybe they’ll also nicely clean up the mess they made to your data, computers, and network—and lock the door behind themselves on the way out?

Don’t bet on it. How do you know they don’t intend to still use the data they held hostage? You don’t know for sure if criminals accessed your data, still have your data, and intend to use your data for malicious purposes.

4. You’re supporting a criminal enterprise by paying the ransom.

Why is ransomware so rampant right now? Because it works. People are falling victim and then paying the ransom. If no one paid, criminals would not make money.

If you pay the ransom, you’re funding criminal activity and encouraging it to continue. It’s no different than traditional blackmail or ransom. By not paying the ransom, you’re helping to cut off the lifeblood from these crime rings.

5. You’re further avoiding taking proactive steps to protect your environment.

A CBS News article about the City of Atlanta’s March 2018 ransomware attack said:

Atlanta was warned months before a recent cyberattack that its IT systems could easily come under attack if they weren't fixed immediately, an internal audit obtained by the CBS affiliate WGCL-TV shows. In the 41-page audit, which was presented to city leaders last summer, the city was told that its IT department was on life support and that there were no formal processes to manage risk, WGCL-TV reports.

Don’t be “that” city. Ransomware need not cripple you. Some key best practices include:

  • Data backup and disaster recovery: Because there is no guarantee that you’ll get your data back after paying a ransom, you need to take steps to ensure you can retrieve your data even after a ransomware attack. A tested onsite and offsite data backup and disaster recovery plan is your best insurance against a ransomware attack.
  • Proactive IT support, maintenance, and monitoring: This includes antivirus software kept up to date, security patches applied to software, and senior IT professionals monitoring your systems for red flags.
  • Ongoing employee training: All it takes is one employee clicking on a malicious email attachment or website link to download ransomware into your systems. However, ongoing training can help employees spot phishing attacks and avoid malware.

You should never pay a ransom, and you should never be in the position of even considering it as an option. Don't be that city leader who ignores the auditors, ignores best practices, ignores red flags and warning signs, and doesn’t ask “What are we doing about this problem?” until your ransomware attack is front page news.

Worried about your ability to survive a ransomware attack? Reach out to us today.

Tuesday, March 27, 2018
Tim Koutropoulos, Data Center Engineer

Highly competitive businesses (such as retail) care a lot about time to recovery. Why? Systems down for even just a few minutes can lead to millions of dollars lost and long-lasting, damaging impact to a company’s brand. But in the world of government, time to recovery is often overlooked as part of a disaster recovery plan.

Even city governments must collect revenue and keep their operations running to deliver mission-critical services. Time to recovery cannot be neglected or taken lightly. Recent media coverage has put a glaring spotlight on a few Georgia cities that experienced compromised computers. As a result, these cities lost data, services were unavailable, and drastic steps were needed to recover. The result?

  • Unexpected, unbudgeted, reactive high costs
  • Services at risk
  • Community needs unmet
  • Citizen frustration

This is the risk of time to recovery realized. And as that time grows, cities see costs, risk, unmet needs, and citizen frustration all increase.

Is your city doing enough to ensure a quick time to recovery? Here are some ways to prevent your mission-critical systems and operations from going down for weeks or months.

1. Address time to recovery for smaller incidents through onsite data backup.

For smaller incidents like a server failure or a limited virus infection, you can recover quickly from onsite data backup—sometimes within an hour or less. If something bad happens to your server and any initial means to address the issue are unsuccessful, then you always have a fallback of onsite data backup for quick recovery of your data, systems, and servers.

2. Plan for worst-case scenarios through offsite data backup.

Yes, a virus outbreak that affects thousands of computers is a very bad scenario. With cyberattacks, if you are on “the network” (connected to other computers and/or the internet), then you are at risk. It’s that simple. Hackers are looking for just one weakness as their entry point. This weakness can involve technology but it can also involve a criminal duping an employee. In one city’s case that was recently reported in the media, an email phishing attack appears to have tricked a susceptible employee. That’s all it takes.

Because you need to plan for the worst, offsite data backup must form part of your disaster recovery plan. It’s not just about fires, floods, and tornadoes. It’s about losing your site. A widespread cyberattack that compromises your network is the same as losing your site. For example, by taking snapshots of your data and storing them offsite (geographically separate from your onsite servers), you will be able to recover your data at a point in time when the data was not infected by a virus. You may still lose a little bit of data, but you will be able to recover most, if not all, of it reasonably quickly. Offsite data backup is an essential part of any disaster recovery plan—and it’s an underrated tactic to fend off viruses and ransomware.

3. Ensure that you can access your data soon after an incident.

Here’s where we go beyond simple onsite and offsite data backup recommendations. You may have data backups running and you may even have the data backups stored offsite. But can your city recover quickly? Ask yourself:

  • Do you have a plan?
  • Is your plan documented?
  • What procedures and steps will you follow?
  • Could someone other than you execute this plan?
  • Who has access to this plan?
  • Do they know how to access your data through this plan?
  • Do you know what systems need to be recovered first?
  • Is your technology compliant? Onsite and offsite?
  • Are you monitoring your data backups for issues?

As Benjamin Franklin once said, “By failing to prepare, you are preparing to fail.” When it takes weeks or months to recover, it raises questions—questions you need to ask yourself. Am I prepared? Am I taking the high risk of a cyberattack seriously?

4. Test your disaster recovery plan.

We’ve said this many, many times, and it’s always worth repeating. Test your data backup and disaster recovery plan by assuming a worst-case scenario. During this test, ask yourself:

  • Is all your data backed up (or at least what you designate as critical data)?
  • Can you recover your data and systems from your data backups? If not, then you can work to resolve those issues before a disaster happens.
  • Can you recover within any required timeframes from your data backups?
  • Are you truly accounting for a worst-case scenario?

Why do your firefighters train? Why do your police officers train? It’s because an event needing their response is likely to occur.

In today’s cyber world, the likelihood of an event needing a tested disaster recovery plan at your city is high.


We’re not saying there is a magic way to prevent all serious IT disruptions, especially after a data breach, virus, equipment failure, or other incident. However, this set of time to recovery best practices can go a long way toward mitigating the risk of a longer outage—especially for mission-critical systems that affect public safety, business continuity, and revenue.

Worried about your time to recovery after a disastrous IT incident? Reach out to us today.

Thursday, March 22, 2018
Dave Mims, CEO

If you’re a Georgia city, you may have heard that members of the Georgia Municipal Association’s (GMA) property and liability fund (GIRMA) are eligible to receive a grant from GMA’s Safety and Liability Management Grant Program to reimburse your city for up to 25 percent of the annual IT in a Box subscription fee.

Why has GMA taken such a step? Because a lack of proactive IT support has become a critical liability for cities—and municipal leagues are noticing.

Not long after GMA began offering this grant, two Georgia cities were hit hard with malware attacks (one of which likely happened when an employee clicked on a malicious email attachment). Systems went completely down, computers needed erasing and re-imaging to be usable again, and some data was permanently lost as the cities worked to eliminate the malware.

The result? Weeks and weeks of downtime. Lots of money lost. And a loss of trust with citizens impacted by a lack of services.

These events are not surprising. Cities are struggling with three consistent issues:

1. Cybersecurity

It’s not an exaggeration to say that all cities are now targets for hackers. Ransomware, malware, and viruses lead to data breaches, data loss, and inoperable systems that are taking unprepared cities weeks or months to recover—with high financial and potential legal liability added on top of the disruption.

2. Data backup and disaster recovery

Too many cities still cannot say for sure that they can recover data after an incident.

3. Helpdesk

IT support with poor response times, poor troubleshooting, and poor problem resolution hurts cities that must rely more and more on technology to run their operations.

Last year, we wrote an article titled “The Tripod of IT: Proactivity, Training, and Disaster Recovery” as a way for cities to think about tackling their technology problems.

  • Proactivity involves the right policies, processes, technology, and tools.
  • Training involves aspects such as teaching employees how to spot email phishing attacks or avoid malicious websites.
  • Disaster recovery involves onsite and offsite data backup along with regular testing.

One city that has tackled many of these problems is Forrest City, Arkansas. We’ve highlighted them in a case study and as our Featured Article for this month (see below). Read more about Forrest City to see if your city could use a similar technology transformation.

In customer news, check out the Town of Trion, Georgia’s new website. Plus, we’d like to welcome Alpena, Arkansas; Bull Shoals, Arkansas; Eastman, Georgia; Fairburn, Georgia; and Dover, Arkansas to the Sophicity family.

As always, don't hesitate to reach out to me if you have something to share with our local government community.

Blessings,

Dave Mims


Forrest City, Arkansas No Longer Worried About Legislative Audit Compliance and Now Enjoys Responsive IT Support

Doubling in population since 1950, Forrest City, Arkansas has continued to see steady population and business growth in recent years. To support more businesses and residents, Forrest City’s staff at city hall needs reliable technology. However, some uncertainty and technology issues started to hinder the city from not only serving its citizens but also complying with the important Legislative Audit.

After the city switched over to IT in a Box, they experienced many positive results.

  • Forrest City passed Legislative Audit with the burden of the process managed for them.
  • Responsive IT support led to increased productivity and employee morale.
  • Data backup helped prevent the permanent loss of data.
  • Sophicity untangled several complex IT problems, addressing employee frustration and lack of productivity.
  • Modernized hardware for a low price.

“I recommend that cities consider using IT in a Box. They especially helped us with the Arkansas Legislative Audit. For a city with limited staff, it’s a headache for one person to sit down and get all those policies in place. Also, Sophicity is there if you need them for overall IT support. At first, we thought the service was a little costly. But after getting IT in a Box up and going, we all now realize we should have done this a long, long time ago.”

– Derene Cochran, City Clerk / Treasurer, City of Forrest City, Arkansas

Read the full case study.



Recent Media

Is Your City Really Prepared for a Disaster?

Ransomware Cripples City for Weeks—and What We Can Learn

Securing Your City Employees Without Annoying Them


Events

We hope to see you at these upcoming events including:

2018 GCCMA Spring Conference 
Monday, March 26, 2018 – Wednesday, March 28, 2018 
Jekyll Island, Georgia 

GMA District Spring Listening Sessions 
March and April 2018 
Across Georgia 

KLC City Official Academy II 
Wednesday, May 23, 2018 – Friday, May 25, 2018 
Bowling Green, Kentucky 


A Taste of I.T.

Recently, CIS (Citycounty Insurance Services) Oregon (located in Portland) took time out of its busy daily schedule to grill out with us for what we call a Taste of I.T. These are BBQ-heavy :) customer thank you events that we’ve been bringing to our customers. Literally each month, we bring the food and beverages and get to have lunch with your staff. Thanks to Executive Director Lynn McNamara and CIO Mark Snodgrass. We had an awesome time!


Other Solutions 

IT in a Box 
Who guarantees IT services based on your expectations? We do.

Frontline
Take action against technology issues at your city.

Data Continuity 
Peace of mind about your records and data.
