CitySmart Blog

Tuesday, December 12, 2017
Victoria Boyko, Software Development Consultant

Quick! Name the top three websites in the world!

You probably guessed Google as number one. Number two? YouTube. Number three? Facebook.

Why is it significant that YouTube and Facebook are number two and number three? It’s because content today is driven so much by video—and video is easier to create than ever before.

What led to this video explosion? A few things:

  • Fast, cheap broadband internet access nearly everywhere
  • Faster, more reliable Wi-Fi access in more places
  • 4G mobile coverage replacing slower 3G coverage
  • Smartphones and tablets that easily record video
  • Easy to use services (like YouTube or Facebook Live) that allow non-technical users to upload videos

One great benefit of this video explosion is the ability to easily stream videos live. As a city, you’ve probably already tried live streaming or want to explore this content option more. If so, we’ve got a few tips and best practices to keep in mind as you get those video cameras recording.

1. You’ve got lots of flexibility with budget and technical complexity.

Video is accessible to you no matter what your budget and technical limitations. Some aspects that you can adjust include:

  • Cost: Free tools exist such as the camera built into your smartphone or tablet combined with a free platform like Facebook or YouTube. As you go up in price with hardware or software, you can increase the quality of the video or technical capabilities.
  • Video quality: Obviously, a smartphone held by a non-technical employee will record video—but it may not meet your or your viewers’ expectations. Plenty of hardware and software exists to up the quality as much as you want—from more expensive video cameras to specialized video streaming software.
  • Technical complexity: Depending on how technical you want to get with video and what resources you have available (such as knowledgeable city staff or a video vendor), you can keep your recording simple or produce incredibly complex videos with multiple shots, high definition, or streaming that goes out to multiple social media channels at once.

2. You’ve got a lot of video add-ons that will delight people.

With modern tools (including free tools), many add-ons help make your video more exciting and engaging. Features may include the ability to:

  • Stream live as an event is happening.
  • Allow people to make comments about the video while it’s playing. You can even interact with those people and answer their questions. However, you want to be careful and perhaps turn this feature off depending on your policies (such as dealing with cursing, hateful comments, etc.).
  • Broadcast the video in people’s news feeds if they are followers of your city on a social media platform.
  • Notify people when the video starts broadcasting live.
  • Allow people to view the video later if they missed the live broadcast.

3. You can integrate video cameras and streaming software with social media platforms.

Modern video equipment and software usually integrate well with social media platforms. Some aspects to review with your video professional are:

  • Video equipment: Do you want to record the video professionally? Will you need to set up multiple cameras for multiple angles? Are you just using a smartphone or tablet? If so, is it set up properly to capture video and audio so that people can see and hear the event? Have you done a test?
  • Hardware: A cheap laptop or aging desktop may not be able to handle the demands of video software and storage. Video software takes up a lot of memory and CPU, and the storage of videos may require a server or cloud storage option.
  • Software: Free or low-cost video software may quickly hit limitations. A technical discussion about video streaming software goes beyond the scope of this article, but a video professional will probably look at elements such as encoding, HD capabilities, streaming capability (so that videos don’t freeze or get choppy over a bad internet connection), APIs (code that connects your software to social media platforms), graphics capabilities (such as overlaying someone’s name on the video when they’re talking at a city council meeting), or how many total viewers can view your video live.
  • Internet bandwidth: High-speed broadband is essential for live streaming, preferably through a wired connection. If you must use WiFi, then make sure you use a high-speed internet connection. And if you must use your smartphone or tablet without WiFi, then make sure you’ve got a 4G connection.

4. Beware of a few live video streaming pitfalls.

Be careful of a few video pitfalls that may impact your decision to live stream your events.

  • Make sure you have your own copy of the video. Yes, it’s very convenient to simply embed videos on your website from YouTube, Facebook, and other sources. However, it’s ideal to create a standalone video (preferably as an MP4 file) that you own, store on your own servers or video storage solution, and can publish on your own website if you desire. If your video only lives on a platform that you don’t own or control, then you are subject to the whims of that company and may have ownership issues with your video in the future.
  • A live video stream is not the official record of your city council or other city business meetings. Videos do not replace open records laws concerning city council meetings and other meetings involving city business. You still need to publish minutes and follow all laws relating to documenting city meetings.
  • No easy way to integrate minutes and agendas with live streaming platforms. Unless you are using sophisticated software, the free or inexpensive tools today do not have options for integrating the use of agendas and minutes with live streaming. When people later watch the video, they may have trouble finding parts of the meeting that interest them.
  • Possibly disable comments. We live in an era when people will say anything to stir up trouble and “troll” your social media platforms. You may want to disable the comment feature for live streaming videos. If you want to give citizens a forum for engaging, then you may consider blocking specific users who are vulgar, hateful, or harassing.
  • Make sure you deliver a minimum quality live video streaming experience. It’s embarrassing if you’re live streaming a city council meeting and no one can hear what anyone is saying or the footage is blurry. If you are going to live stream, then make sure you meet a minimum video and audio quality threshold.
  • Follow requirements. For example, Facebook Live has a 4-hour video limit and a title length requirement for what you name your video. Knowing requirements like these will help you anticipate problems such as the video suddenly cutting off or failing to work because the title is too long.

Live streaming video holds a lot of exciting potential for your city as it becomes more mainstream. By following the tips and best practices above, you’ll make sure that the video experience you broadcast connects with your audience.

Questions about using live streaming video? Reach out to us today.

Tuesday, December 5, 2017
Adrian McWethy, Account Manager

One great result of modern technology is that it’s easier than ever to set up a website. 20 years ago, you would need a webmaster who knew how to code and host your website on a complicated server. Today, there are so many free website and content management system platforms that you can set one up in a short time. Because the cost is so compelling, many smaller organizations, businesses, and even cities go this route to set up a very low-cost website.

That approach leads to significant security risks. For example, a recent SC Media article points out that WordPress websites (which are quite popular) are prone to ransomware attacks from criminals specifically targeting them. Why go after WordPress websites? It’s not because there is anything bad about the platform. Instead, it’s because criminals know that many of these sites are set up by non-technical people who will not know how to configure, manage, code, and update their websites to eliminate security issues.

If you took a low-cost approach to get your city’s website up and running, you may be at risk. To perform a quick assessment, ask yourself the following questions.

1. Where is my website hosted and what do I know about the hosting provider?

Free or cheap website hosting providers may not adhere to strict security standards, leaving your website at risk. Are they regularly providing security updates? Are they monitoring for security vulnerabilities? Where are they hosting the servers? Within sovereign U.S. borders? Is the information hosted in a country where security and compliance laws might differ from the United States? Will they allow for a third party to scan your website for security vulnerabilities? If you’re not sure of the answers to most of these questions, then you might want to reexamine where you’re hosting your website. In some cases, less reputable vendors can even go out of business or sell their platform to another vendor who may not have your best interests in mind.

Another common situation with cities involves a single employee acting like a webmaster who holds all of your information hostage. If that employee leaves, gets fired, or even dies, then you may not be able to access your website. Cities that host their own website in-house on a server may also not follow security best practices if they have limited or reactive IT resources at their disposal.

2. Who manages your website’s security?

If you’re thinking “I need to manage my website’s security,” then you’re in trouble. Website security involves a lot of aspects including:

  • Permissions: Who gets administrative access? Who gets to upload and edit content? Who gets review-only permissions?
  • Password management: Are you enforcing strong password best practices that help prevent hackers from accessing your website? Too many stories still occur where a hacker gets into a website because an organization’s password is something simple like “123456” or “admin.”
  • Technical backend security: We won’t go into technical details here, but hackers have many ways they can take advantage of poor website configurations to attack your website through everything from uploading malicious files to using your error messages to discover ways to hack your website. You also need IT professionals to assess and vet any third party plug-ins to your website.

3. How is payment information secured on your website?

It’s likely that you allow citizens to pay for tickets, fines, utilities, licenses, or other services online. How is payment information secured when citizens share it with you? In order to comply with PCI DSS standards, you need to secure and encrypt payment information when it’s entered, in transit, and in your hands. Otherwise, it’s easy for hackers to steal credit card information, banking information, and personal details such as birthdays or a physical address.

4. Who is regularly patching and updating your website software?

Technically, this may seem part of #2 above. But in light of the WannaCry ransomware attack and Equifax data breach this year, it’s important to specifically highlight patching and updating software. A failure to patch software led to many organizations losing data to ransomware this year - especially a shame because patches existed for many months that could have prevented those attacks.

Websites inevitably contain bugs and security vulnerabilities that need patching on an ongoing basis. In addition, software updates improve your website’s performance and give you access to new features that will enhance how you use the software. If you’re not keeping up on patching or your website software doesn’t provide regular updates, then your website may be at risk.

5. Do you have a backup plan if your website data is lost?

Like any repository that stores data, there is a risk of permanently losing that data. That means you need a data backup and disaster recovery plan in case something goes wrong. If you host your website onsite, then you will need both an onsite and offsite data backup and disaster recovery plan. Otherwise, a fire, flood, or tornado could completely eradicate your website.

Even if you’re using a website hosting provider, you need to ensure that they have a data backup and disaster recovery plan. They can still lose data from human error or a disaster at a data center. What are their contingency plans? If they can’t answer you with confidence and specificity, then you might want to consider another hosting provider.


Going the free or cheap route with a website involves consequences that might become more costly in the long run. Make sure your website is hosted, managed, secured, patched, updated, and backed up so that it continues to run and keeps your citizens’ information safe.

Questions about the security of your website? Reach out to us today.

Tuesday, November 28, 2017
Victoria Boyko, Software Development Consultant

In the bustle of day-to-day activities, it’s easy to neglect your city’s website. As time passes, a website can grow old and stale rather quickly. However, your citizens—through both desktop and mobile devices—grow accustomed to the ease and usefulness of modern websites. To at least a modest degree, you need to meet these expectations for citizens and people interested in possibly relocating their home or business to your city as they research online.

Fortunately, there are many actions you can take to make your website more useful and modern either with your existing website or in a redesign. These five action items will clean the dust off your current website and make it a much fresher experience for people.

1. Make your website readable and accessible on mobile devices.

In the world of websites, something called “responsive design” has become common. That term means a website that adapts to a variety of device screens. Have you ever had the experience of looking at a website on your smartphone or tablet that looks like a tiny, hard-to-read, exact replica of the desktop website? That kind of website is not responsive.

Other websites seem to fit just right for your handheld device and look different than a desktop version of the website. Those are responsive websites that adapt and adjust to the size of your device.

If you are considering a redesign of your website, responsive design should be in the mix. In fact, Google now rewards responsive, mobile-friendly designs in its search results while penalizing unfriendly websites. You want your website to be found on search engines, so responsive design is a must.

2. Reexamine how you organize information on your website.

Another technical but visible aspect of your website is the “information architecture.” That simply means the way that information is organized on your website. For example, the Sophicity sitemap shows how the information is organized and architected on our website. Two common problems with websites include over-organization (where you have many, many different sections and links) or under-organization (where you haven’t really bothered to organize your information except for a few minimal categories).

Jonesboro, Georgia has an excellent information architecture that doesn’t overwhelm or underwhelm. Categories such as Home, Mayor & Council, Departments, Community, Visiting Jonesboro, and Contact Us are useful to website visitors. Plus, there are only a handful of important links underneath each category. Users expect to find information easily on modern websites without having to spend time hunting it down or trying to sift through a ton of information—and users will have an easy time on Jonesboro’s website.

3. Make it easy for people to find contact information and get to a next step.

We’ve written in the past about “calls to action” which is just a technical term for getting people to interact with your website and do something. Calls to action should be easy to spot and may include paying, signing up for something, clicking on a link, searching for a word/phrase on your website, or following you on social media. Make it easy. People shouldn’t have to struggle while trying to do something specific on your website. That includes finding contact information like a physical address for city hall, phone numbers, and email addresses of city staff.

4. Maintain credibility with an accurate, quality website.

In 2016, we wrote a post titled “6 Easy to Fix Website Mistakes That Are Making Your City Look Bad.” Those mistakes included broken links, outdated information, misspellings, and poor grammar. You may say these issues don’t matter much, thinking that “hardly anyone” checks out your website.

Would you allow garbage to pile up in wastebaskets, dirt and dust to collect on the floors, and misinformed employees to give the wrong information to people who visited you because “hardly anyone” comes to City Hall? No. That’s because you’re proud of your city and you want to provide excellent service for citizens—whether your city has 100, 1000, or 10,000 citizens.

A website is your online version of City Hall. Taking some time to make that website a welcoming, useful, and (yes) even enjoyable experience is something that will make your city look good to citizens, to people possibly wanting to move to your city, and to businesses wishing to explore cities where they may set up shop or expand.

5. Make sure search engines can find your website.

Earlier this year, we asked “If your website is in the middle of a forest, will anyone hear it?” In other words, when people search for your city on search engines, does your website come up high in the search results? There are many small but important things you can do to ensure that search engines find your website and keep you visible, such as updating your website frequently with useful information or providing links to other resources that also link back to you. If you type your city’s name into a search engine and your website doesn’t show up, look at what does show up. Citizens will likely click on those links rather than your website. Are you comfortable with that?


Applying these few tips as you plan out a website refresh or full redesign will make your website much more useful, friendly, and findable for people. Use this list as an assessment to see where you can improve.

Need some extra help with your website? Reach out to us today.

Tuesday, November 14, 2017
Nathan Eisner, COO

Depending on your state, laws concerning body camera video policy, retention, and open records requests may vary. Last year, we reviewed various state laws and outlined some best practices that would apply no matter where your police department is located.

However, an interesting article from the Kentucky League of Cities (KLC) pointed out some problems that exist when your state law is ambiguous or lacking clear guidance. According to the article:

“...Kentucky is one of the last states to address the need for legislation dealing with when a video recorded with the cameras should be released and who should be able to obtain a copy of the video. The lack of policy could result in fewer departments using the cameras.”

When policies are unclear, assumptions can create liability. As a result, police departments are less likely to use body cameras. Yet, many police departments recognize body cameras as important and it’s probable that a law (such as Kentucky’s House Bill 416) may eventually get passed.

Because we covered best practices in our article last year, there is no need to revisit them here. But, we do want to explore some of the issues and questions raised in the KLC article about body cameras.

1. Clarify body camera video policy to avoid “entertainment.”

In the KLC article, Louisville Police Officer Nick Jilek says, “Unfortunately, in the modern media world the release of body camera footage ends up being passed around social media. Body camera footage should not be used for entertainment purposes, which is what that ends up being, on the nightly news or social media sites.”

Without a clear policy, an open records request may legally expose embarrassing footage to the public. Even if your state lacks clear policies, your city can create body camera video policies around privacy.

2. Define and clarify the scenarios for which footage can be released.

Some states will define when you can release footage. If not, be clear about which situations allow you to release footage and which situations don’t permit it. For example, in Georgia, “The law excludes body camera recordings from public records when they are taken in a place where there is a reasonable expectation of privacy and no criminal investigation is pending.”

3. Define who has the right to view video footage.

Body camera video footage authorization can vary depending on the person requesting it. Is it someone involved in law enforcement? An attorney? A family member of a deceased victim? The media? A citizen? Define rules around who can view what. For example, Arkansas has detailed rules that explain who can see video footage if a police officer is killed in the line of duty.

4. How do you answer time-intensive open records requests?

In the KLC article, Representative Robert Benvenuti (R-Lexington) is quoted as saying, “We cannot create a situation where officers are being pulled off the road to sit for hours and hours editing footage or redacting footage. We need them out on the road, protecting all of us, not sitting behind a desk trying to interpret the Open Records Act.”

However, the reality is that if a law says you must provide the record, then you must provide the record. To prevent the hassle of officers getting tied up in heavy, tedious video editing and redacting, additional staff may have to address this issue. That way, your officers can stay focused on their job while additional staff can help with the video archiving aspects of open records responses.

5. How do you keep costs low?

The KLC article goes on to summarize the thoughts of Campbell County Sheriff Mike Jansen who said “small departments like his worry about the costs. He told lawmakers the expense goes beyond buying the cameras, into storage fees and equipment and hiring additional personnel for editing and answering requests.”

Obviously, storage costs can grow high because of the sheer amount of video footage needing storage. Each police department is different and may require a customized solution that works for them. In some cases, a cloud storage option is best. In other cases, storing data in-house makes more sense. A good option that’s available and popular with cities is video archiving that includes unlimited storage at a fixed cost. That makes it easier to keep costs low and predictable. This solution also forms part of a city’s disaster recovery plan and ensures that video remains available even if a disaster (such as a fire or flooding) hits a city.


Despite the complexity of body camera issues, a well-thought-out plan that accounts for policy and technology can alleviate most of your worries.

Questions about your body camera video policies and technology? Reach out to us today.

Tuesday, November 7, 2017
Dave Mims, CEO

A recent article in CSO Online talked about some confusion between disaster recovery and security recovery. The article’s opening sentences state that “Many enterprises blend their disaster recovery and security recovery plans into a single, neat, easy-to-sip package. But does this approach make sense?” Analyzing the differences between the two, the article goes on to outline why it’s important to separate them out.

If we take a step back, this topic represents a bigger confusion about the holistic nature of IT. Information technology sometimes seems like it’s just about computers, software, networks, bits, and bytes. Best practices, policies, people, and other non-technical aspects of IT are often forgotten and too commonly unconsidered, which creates great risk for cities.

Limiting your IT scope will increase risk and liability for your city. Therefore, consider IT like a tripod—and stand firmly upon these three legs to address any real risks you may be overlooking.

1. Proactivity

What’s the easiest way to know if your IT is successful? Proactivity. A reactive IT environment is usually fraught with chaos. There is always a hot fire, issues are always very bad issues, and security risks are wide open. Shifting to a more proactive mindset literally transforms the way cities operate and work.

Proactive IT involves:

  • Policy: If you need a quick reference, we’ve talked a lot about security policies in past blog posts. Policies should cover vendor contracts and management, network security, wireless security, physical access security, logical access security, disaster recovery, and application controls (such as data input, processing, and output).
  • Processes: IT runs more like a machine when you have documented processes. Processes also reduce errors, decrease security risks, and allow for faster learning curves when new people must administer and use your systems.
  • Technology and Tools: IT professionals should use monitoring software that continually assesses the health of your systems and proactively detects issues that need resolving.

2. Employee Training

No matter how sophisticated your IT systems and how experienced the professionals who oversee them, your employees must use technology properly and protect themselves from constant security attacks. Ongoing training is essential, especially as security threats evolve.

Training should include aspects such as:

  • Spotting email phishing attacks: Email phishing attacks grow more sophisticated as hackers target specific people within cities to steal money or gain access to confidential, sensitive information. Employees need to know the signs of malicious emails and learn how to be skeptical.
  • Avoiding malicious websites: Employees are human. They like to download games, take quizzes, and visit websites that interest them. However, many websites mislead people to get them to download malware, viruses, and ransomware. While browser security can help block some websites, employees need to be trained on what to watch for as they visit webpages on the internet.
  • Social engineering by phone: Today, hackers are leveraging all means to steal and destroy your data for their financial gain, including the phone. A hacker that’s good at social engineering may trick you into thinking they are a city employee. From there, they may gain information they need to steal an employee’s identity or take over an employee’s email account. Employees must follow strict procedures when vetting people over the phone or email to know when it’s appropriate to give information away.

3. Data Backup and Disaster Recovery

The final leg of the tripod prepares you for the worst. In case of an incident, whether it’s a server failure or a tornado that destroys a building, you need the ability to recover your data. Data backup is also crucial for security incidents such as ransomware where a hacker encrypts your data and demands a ransom from you to get it back. Instead of paying the criminal, you are prepared and able to recover your data.

A good data backup and disaster recovery solution includes:

  • Onsite data backup for quick recovery after less impactful events like a server failure.
  • Offsite data backup for worst-case scenario recovery after a major incident like a natural disaster or a massive virus outbreak.
  • Periodic data backup testing to make sure you will be able to recover your data after a disaster. So many cities do not test their data backups, and those backups may fail when you need your data most.

Use this post to assess if you’ve got the full IT tripod. If you are missing one or more legs, then you might feel a bit wobbly. Make plans to fix those areas as soon as possible. When you do, you will increase your operational capabilities while decreasing security risks and liability.

Need help building your tripod? Reach out to us today.

Tuesday, October 31, 2017
Sarah Northcutt, Account Manager

It’s still tempting for cities (especially smaller cities) to roll up their sleeves, purchase some software to fill a basic need, and install it themselves. After all, there can’t be much to worry about. You don’t need IT professionals for that, right?

Wrong. As much as we admire a “go get ‘em” attitude, even the “simplest” software improperly installed can open you up to major security risks. As an example, Bitdefender published a recent article that described how lax security settings led to a sophisticated phishing attack against an Office 365 system that tricked users into giving up their usernames and passwords.

As the article warns:

“...this isn’t the case of a hacker forging your email headers to pretend that the messages they are sending are coming from your business’s servers. They really are originating from inside your company’s email system. A compromised business email system. If you don’t act now to harden your defenses and make it difficult for an attacker to breach your Office 365 system via this technique, then you have a ticking time bomb on your hands.”

This warning applies not only to Office 365 but any software that you may attempt to install yourself. Here are some reasons why you need IT professionals to install, configure, and maintain even your most “basic” software.

1. Advanced administrative capabilities help IT professionals smoothly monitor and maintain software.

Today, quality software includes sophisticated administrative management tools that IT professionals understand how to use. For example, email software may include settings that involve storage limits and antispam filters. Document management software may include settings that involve retention schedules or permissions to access files. There are even administrative tools to manage compliance and user activity. All these administrative tools help IT professionals resolve issues, keep your city secure, and make sure you stay compliant with any laws and policies.

2. Security and privacy settings need careful attention.

When non-technical users set up their own software, it’s typical to find that the security settings are left at their defaults. All too commonly, we also find that non-technical users have set up full access and administrative rights for themselves and other users. This creates great risk. As a result, security needs to be tight.

IT professionals can navigate advanced security settings to help you with:

  • User access and authorization
  • Password management
  • Two-factor or multi-factor authentication
  • Encryption
  • Monitoring suspicious activity
  • Taking specific actions after a security incident

3. Remote access needs careful attention.

Non-technical people often unknowingly give unsecured, open access to their networks through software. Whether your staff uses their own laptops, smartphones, or tablets to access software, danger exists if sensitive or confidential information gets stored on those devices. Suddenly, you’ve increased your risk of a data breach nightmare.

Solutions like a thin client, application streaming, or a VPN along with device and data encryption need to be considered when giving users remote access. These solutions avoid problems related to data leakage or theft while only giving users access to necessary aspects of the software for their work use.

4. Improper software installation and deployment can lead to security issues.

While this may seem the same as the second point above, it goes beyond simply setting up the software. When you install software, you’re installing it on servers and computers that may be unsecured or configured improperly. And when you deploy software, you are activating it within a network of switches, routers, and firewalls that may have security issues. Many variables exist when software interacts with an IT environment. IT professionals are familiar with such complex environments and can avert security issues related to installation and deployment.

5. Failure to patch and update software leaves you open to hackers.

This year, something that used to get treated as a technical, menial task has become part of front-page headlines in mainstream news publications. Why? Failure to patch and update software is at the root of companies losing data to ransomware (such as the WannaCry attack earlier this year) and even at the heart of the Equifax data breach—one of the biggest and most devastating data breaches ever.

Software vendors regularly put out patches and updates but many organizations—including many cities—fail to apply those patches and updates. That failure leads to gaping security holes that hackers exploit. Their attacks lead to data breaches and data loss.


Maybe you could go it alone in the old days of technology, but today you need IT professionals to help you set up your software. Despite your natural technical know-how, there are just too many security risks that a non-technical employee may miss when setting up software.

Need help installing, deploying, monitoring, and maintaining your software? Reach out to us today.

Tuesday, October 24, 2017
Brandon Bell, Network Infrastructure Consultant

In the wake of a natural disaster such as a hurricane, scams are as inevitable as the selfless help offered by generous people. A recent article from GovTech reported on a sharp increase in scams after Hurricane Harvey that led the IRS to issue warnings. According to the article:

[These] criminals often send emails that steer recipients to bogus websites that appear to be affiliated with legitimate charitable causes. These sites frequently mimic the sites of, or use names similar to, legitimate charities, or claim to be affiliated with legitimate charities in order to persuade people to send money or provide personal financial information that can be used to steal identities or financial resources.

This situation reminds us of an ongoing issue that cities must battle all the time: phishing attacks. Today, phishing attacks don’t take place just through email. Criminals also use the phone and social media to get important information from you (like personally identifiable information and even passwords). With that information, they can hack into your accounts, steal identities, or upload viruses and ransomware into your systems.

Employees are at the front lines of these attacks and it’s always good to remind them of ways to spot—and avoid—phishing attacks.

1. If you’re suspicious about an email, then open your browser and go directly to a website instead of clicking on a link.

Let’s say you get an email from a bank and you’re not 100% sure that it’s legitimate. Instead of clicking on the email link, go to the bank’s website directly from your web browser. That way, you will make sure that you are logging into the website legitimately and you can check if the message in the email actually pertains to your account.

Unless it’s extremely obvious that an email is okay, make it a habit to go directly to websites—especially when the information you exchange with them is sensitive. Good examples are banking websites, social media websites, or any websites where you make financial transactions.

2. Question email messages and be skeptical.

We recently published an interview with Stephanie Settles of Paris, Kentucky who successfully detected a whaling attack (an advanced phishing attack where a hacker targets a specific employee, typically a manager or personnel responsible for financial or purchasing decisions, with a sophisticated message to fool them). Her skepticism helped her detect the attack when the supposed city manager’s emails sounded a little off.

Even if an email says that it comes from a person you know, don’t assume it does. Spammers can spoof an email address to make it appear as if it’s coming from a specific person. That’s why examining the email message is so important. Look for misspelled words, broken sentences, irrelevant content, and other red flags. Look at the email address before you reply. Look at the link URL before you click it. And if you have any doubt about an email, contact the person directly to confirm that they sent it.
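The address and link checks described above can also be run automatically over a saved message. The following Python is an added example, not part of the original post; the sample email, its domains, and the `KNOWN_SENDERS` directory are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration; every name and domain is made up.
SAMPLE_EMAIL = """\
From: "City Manager" <city.manager@cityofexample-gov.example>
Reply-To: payments@mailbox.example
To: clerk@cityofexample.example
Subject: Urgent wire transfer
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Please send the payment today.</p>
<a href="http://login.bank-example.invalid/verify">https://www.examplebank.example/statement</a>
<a href="https://www.cityofexample.example/agenda">Council agenda</a>
"""

# Hypothetical directory: people the recipient knows and the address each really uses.
KNOWN_SENDERS = {"city manager": "city.manager@cityofexample.example"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL, or '' when it has none."""
    return (urlparse(url).hostname or "").lower()


def domain_of(address):
    """Lower-cased part of an email address after the last '@'."""
    return address.rpartition("@")[2].lower()


def check_message(raw, known_senders=KNOWN_SENDERS):
    """Return a list of (code, detail) red flags found in one raw email."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. A familiar display name attached to an address that person does not use.
    display, from_addr = parseaddr(str(msg.get("From", "")))
    expected = known_senders.get(display.strip().lower())
    if expected and from_addr.lower() != expected.lower():
        findings.append(("sender-name-mismatch",
                         f"{display!r} normally writes from {expected}, not {from_addr}"))

    # 2. Replies would be routed to a different domain than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(("reply-to-differs", f"replies go to {reply_addr}"))

    # 3. Link text that shows one site while the link opens another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if text.lower().startswith(("http://", "https://", "www.")):
                shown = host_of(text if "://" in text else "http://" + text)
                if shown != host_of(href):
                    findings.append(("link-text-mismatch",
                                     f"shows {shown} but opens {host_of(href)}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_message(SAMPLE_EMAIL):
        print(f"{code}: {detail}")
```

These checks catch lookalike addresses and misleading link text only; a From address forged to match exactly has to be caught by the mail server's SPF, DKIM, and DMARC checks.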

3. Don’t download attachments unless you are 100% sure they are from a trusted sender.

Email attachments that your co-workers, friends, and family send you as part of your ongoing communications may be fine. However, remain skeptical by following the recommendations above before you open any attachment, click any link, or reply. Especially double check the email address and be on guard for any attachments in emails from organizations or unknown senders. For example, you may receive an email that seems like it’s from a well-known bank that says your statement is ready to review. A PDF is attached, and the email asks you to download it. You do and...your city is now infected with ransomware.

Be very suspicious about emails that ask you to download attachments. Usually, downloading attachments is not necessary to conduct business with a bank, business, or government agency—and it’s not a best practice for these organizations to send you PDFs, zip files, or other documents to download.

4. Be just as wary about social media.

All the above rules apply to social media such as Twitter, LinkedIn, and Facebook. Spammers and scammers use these platforms successfully to trick people, and their tricks may be harder to spot. On Twitter, spammers will often follow you and Tweet messages with spam links that they want you to click. On Facebook, spammers may post spam messages to your wall or send you direct messages with malicious links. And even on LinkedIn, many people that want to “connect” with you are actually false identities. Once you connect, they will attempt to get you to click on malicious links or attachments.

When you’re on social media, stay focused on communicating your messages, don’t click on links or attachments that strangers send you, and delete posts that seem spammy. Follow these 7 tips to secure your city’s Facebook page.

5. Be just as wary about the phone.

As an IT company, why are we giving a tip about answering phones? It’s because hackers use the phone more and more as part of their phishing efforts. As physical and online security has steadily improved over time, it becomes harder for hackers and spammers to pull off a scam through those areas alone. However, they can trick you into giving up passwords or personal information over the phone and then use that information to hack into your website, servers, or bank accounts.

Obviously, cities must answer calls from everyone as part of their service to citizens. Policies need to be in place that govern what information employees can give out over the phone. Just as you need to authorize people to enter your building or access a server, you need to follow an authorization process if someone asks for sensitive information (such as personnel information, a password, or financial information) over the phone.


Spammers and scammers will attack you from all directions. Your city needs to defend against these attacks with strong security policies, procedures, and technology. It helps to train employees and remind them on a regular basis how to spot the signs of a scam so that your city’s security isn’t jeopardized.

Worried about your ability to prevent scammers from infiltrating your city? Reach out to us today.

Tuesday, October 17, 2017
Ryan Warrick, Network Infrastructure Consultant

Today, all of government—including local government—is a target for hackers. Wired recently reported the results of a study done by SecurityScorecard that ranked government 16 out of 18 industries for cybersecurity. According to Wired:

The analysis of 552 local, state, and federal organizations [...] found that the government particularly lags on replacing outdated software, patching current software, individual endpoint defense (particularly when it comes to exposed Internet of Things devices), and IP address reputation...

In this post, we want to focus on modernizing and patching software. Neglecting these two items is the reason that the WannaCry ransomware virus devastated so many organizations earlier this year.

If patching could prevent so many hacking attempts, then why don’t organizations (including local government) do it more often? According to a Computer Weekly article, patching is viewed as too costly and resource-intensive:

For those organizations where patch management is currently ad hoc at best, developing a policy and framework may seem like another cost that they can do without. However, continuing with ad hoc patching, as and when time and resourcing allows, is wholly inadequate if the organization is to be protected from threats exploiting known vulnerabilities.

The risks and dangers from failing to proactively manage technology patches and updates are simply too great to ignore. Here are five major reasons you need to patch.

1. Information Security

First and foremost, patch to shore up security flaws that are inevitable in any software. Vendors release patches when they discover security flaws and vulnerabilities in their software that hackers can exploit. Without patching, you are more susceptible to viruses, malware, hackers, ransomware, malicious websites, and malicious email attachments.

When discussing WannaCry back in April 2017, we said:

Microsoft released a Windows security patch in March 2017 that prevented WannaCry from affecting an organization. According to CNN, “The ransomware is spread by taking advantage of a Windows vulnerability that Microsoft (MSFT, Tech30) released a security patch for in March. But computers and networks that hadn't updated their systems were still at risk.”

Without applying basic, routine patches, you’re increasing the risk of getting hit by the next major cyberattack.

2. System Stability

Patches also help fix bugs and issues that can affect productivity. Like maintaining a car, software needs tuning and repair. Patches help keep your technology “car” in good driving shape. Otherwise, you may notice your systems slow down to a crawl, crash, or be visited by the blue screen of death. In some cases, not applying patches can actually damage your software configuration and/or data, ruining your investment and interfering with employee productivity.

3. Software Performance

In addition to helping your software simply function, patching also leads to new features and improved performance. Especially today, software vendors continually add updates, features, and functionality that help make your work easier. For example, your word processing software might add features like autosaving or collaborative editing that would assist you in your day-to-day work.

4. Threat of Data Loss

When software breaks, malfunctions, or gets hacked, you risk data loss. Not patching threatens access to valuable data that—without proper data backup and disaster recovery—may get permanently lost. This is especially a risk when you use outdated software that’s not supported any longer by the original software vendor. It’s not unusual to see cities using software that is 8-10 (or more) years old and hasn’t been supported by the software vendor for a long time.

In addition, even having a data backup and disaster recovery solution in place may not work effectively with older, unpatched software. That’s why modernizing and regularly patching software also affects your data backup and disaster recovery strategy.

5. Compliance

If the above four reasons don’t convince you, then compliance should. Plenty of existing and proposed federal and state laws are requiring cities to follow basic cyber hygiene—including patching—to protect sensitive and confidential information. While citizens can choose to share information with businesses, they don’t have any choice about sharing information with cities. As a result, cities absolutely cannot be lax in their protection of that information. Otherwise, lawsuits, public outrage and embarrassment, job termination, and other consequences are possible results from such poor cyber hygiene practices.

While seemingly extremely tactical, patching is a part of compliance as cities make sure they are securing and protecting the information of citizens. As we noted in a recent post:

Federal and state compliance is getting serious. In May 2017, the President signed a cybersecurity executive order requiring departments and agencies to follow the same cybersecurity standards and best practices placed upon the private sector. And Arkansas signed SB138 into law in March 2017. Arkansas cities can now lose their charter from noncompliance with IT-related accounting practices.


To protect your city, you need IT support that helps you guard against cyberattacks by keeping your computers patched, protected, and healthy. Otherwise, you introduce a great deal of risk to your city that can lead to some dangerous consequences.

Are you patching regularly? Are you struggling with the budget and resources to handle this task? Reach out to us today.

 

Tuesday, October 10, 2017
Dave Mims, CEO

Beginning as a city built up around the SAM (Savannah, Americus, Montgomery) railroad line in 1891, Lyons has grown into a bustling part of the Vidalia Micropolitan Statistical Area while also serving as the county seat for Toombs County. Today, this family- and business-friendly city boasts an award-winning downtown with plenty of events, restaurants, shopping, and entertainment that attracts people from all over the South.

As Lyons continues to grow and serve citizens, its technology backbone needs to support all these efforts. Yet, the city began to reassess its technology costs and support structure—suspecting that it may have been paying too much to too many vendors for uncertain results.

Challenge

In 2015, the City of Lyons began a study to examine its technology costs. At the end of the study, the city uncovered two important insights:

  • Too many vendors: The city had many different vendors that all played some part in managing and overseeing its IT infrastructure. Roles such as troubleshooting, backup and recovery, document management, email, web hosting, telecom auditing, and product management were all split up among these different vendors. Plus, the city also paid three ISP companies each month for various services.
  • Liability risks: The city lacked proper document management and vendor management and, in some cases, did not meet federal or state compliance regulations. For example, the city’s email component was not compliant with open records and security laws. These deficiencies left the City open to liability claims and lawsuits on top of the day-to-day struggles that Lyons encountered with lackluster support from vendors.

It was clear that Lyons needed to make a choice about its technology future. While hiring a full-time IT person seemed tempting, the city’s size, budget, and staffing model did not allow for this option. Instead, the city reached out to vendors that could provide IT services that addressed the city’s challenges.

Solution

After evaluating many vendors, the City of Lyons eventually chose Georgia Municipal Association’s “IT in a Box” service and began working with Sophicity in January 2016. According to Jason Hall, City Manager of Lyons, “What impressed us most with Sophicity was the fact that they seemed to understand more than the others how a city functioned.”

By using GMA’s IT in a Box service, Lyons addressed many of its challenges. The services within IT in a Box included:

  • Vendor management: The city did not have to worry any longer about frustrating calls with vendors about software issues or hardware procurement. In addition, Sophicity reduced costs by reducing the number of total vendors.
  • Document management: City records were now protected, and staff could easily apply record retention schedules.
  • A highly available and dependable email system: The city switched to hosted email on its own city domain that included email archiving, shared calendars and contacts, and 50GB of mailbox storage per user.
  • Help with open records requests: The city was now better prepared for Open Records Requests, and Sophicity helps the city process them.
  • Data backup and offsite data backup storage: Lyons received unlimited offsite data backup storage and retention for disaster recovery and archiving. No longer did staff have to worry about data backup with Sophicity’s real-time monitoring and quarterly testing.
  • 24x7 helpdesk: Sophicity provides 24x7x365 support to city staff in the office, working from home, and on the road. Experienced senior engineers address any IT issue — ASAP.
  • Server, desktop, and mobile management: Sophicity now proactively keeps computers patched, protected, and healthy to guard against cyberattacks—taking this task off the plates of non-technical city staff.
  • A new city website: Lyons received a modern fresh website design with Sophicity hosting the website and managing the content. Plus, city staff can now also edit and update website content themselves.

Results

Hall noted many beneficial results after Sophicity implemented GMA’s IT in a Box.

  • Data backup saved the day: After a major failure of two workstations, Sophicity got the city back up and running within 24 hours while providing city staff with alternative access to documents while those workstations were in the process of being replaced. During this incident, the city experienced no loss of data and they are now confident of their data backup when considering any future worst-case scenarios.
  • The city now easily responds to open records requests: Within just a few days, Sophicity was able to provide the city attorney with some emails that were required during a lawsuit. Hall says, “We would have been at a loss before our partnership with Sophicity.”
  • Sophicity found $900 per month savings from renegotiating telecom and internet contracts: Sophicity reassessed the city’s telecom and internet contracts, which led to a renegotiation of $900 per month in savings. And Sophicity not only reduced costs but they also increased internet bandwidth—leading to faster, higher quality internet service. Hall says, “Sophicity’s technical knowledge when speaking with potential internet service providers allowed us to get superior products for minimal cost.”
  • Modernized hardware for a low price: Sophicity modernized the city’s aging hardware while also carefully negotiating prices that are beneficial for a local government. Aware that cities need to be good stewards of taxpayer dollars, Sophicity also made sure that the city had the hardware needed to improve productivity and citizen services.
  • Cost and productivity improvements with existing software vendors: Sophicity worked with the city’s financial and public safety software vendors to accelerate troubleshooting and find workarounds to ongoing issues that saved the city time and money.

Regarding Sophicity's day-to-day troubleshooting, their knowledge and timing are impeccable. Most of the time their IT staff can take control of our workstations and fix problems within minutes. More complex problems that require onsite staff are handled in short order. The staff is very pleasant and patient to work with each time we call. We receive calls from them to check up on us from time to time once an issue is resolved. Response time to emails and chats is almost immediate. We are very happy with our choice and feel that the service provided is well worth the monthly fee. - Jason Hall, City Manager of Lyons

Contact Us Today

If you're interested in learning more, contact us about IT in a Box.

About Sophicity

Sophicity provides the highest quality IT products and services tailored to city governments. Among the features Sophicity delivers in "IT in a Box" are a website, data backup, offsite data backup storage, email, records/document management, video archiving, help with information security policy and compliance, Microsoft Office for desktops, server and desktop management, vendor management, and a seven-day a week helpdesk. Read more about IT in a Box.

 

Wednesday, October 4, 2017
Brian Ocfemia, Technical Account Manager

Cities—even smaller cities—eventually get to a point when they realize that information technology (IT) needs careful handling by professionals. Non-technical city staff can only do so much with IT, and liability concerns make it essential to hire professionals to address areas like data backup, cybersecurity, and compliance.

However, cities often have limited budgets and want to make sure they invest that money appropriately. A tempting solution is to hire a full-time IT employee. That way, a city will have someone onsite every day to handle IT problems and concerns.

We’re not against the hiring of full-time IT professionals. Sometimes, that can make sense for a city. However, we’ve found through many years of experience that the disadvantages usually outweigh the few advantages for cities.

One of our customers—a city with a population of about 4,500 people—recently told us that they faced the choice between hiring a full-time IT person or contracting with a vendor. When assessing the two choices, many disadvantages cropped up for the full-time option.

Salaries Too High for City Size, Budget, and Staffing Model

While salaries obviously vary around the country, for simplicity’s sake we’ll look at a median salary across the United States. According to PayScale, the median salary for a systems administrator is $60,843. Let’s round the salary down to $60,000 to simplify our example.

That means a city would have to budget around $60,000 plus about $18,000 for employee benefits. The systems administrator (or any other IT-specific role) would be limited to specific roles and responsibilities—meaning that person would lack knowledge about other IT areas. That’s $78,000 a year for an IT employee who is limited in knowledge.

Not only is $78,000 per year expensive but it also conflicts with staffing models appropriate for smaller cities. A full-time person on site for 40 hours per week may be overkill if a city only has a small number of IT systems, hardware, and software.

One Person’s Limited Bandwidth Hurts You in Multiple Ways

Nowadays, IT is not a 9-to-5 profession. Think about public safety operating 24/7. Think about city council meetings taking place in the evening after business hours. Think about employees traveling, working from home, or in the field. For such a high demand area, a 9-to-5 job just won’t cut it—even if you add some on-call hours or overtime requirements to the job.

Some simple scenarios show how the problem can get worse:

  • What if they get sick?
  • What if they go on vacation?
  • What if they decide to leave your city for another job?

In each situation, you’re stuck. Data backups not getting done. Problems going unresolved. Liability increasing. Over time, it’s easy for a limited resource to get bottlenecked. If a member of your city staff has an issue—even a simple issue—they may have to wait a long time until your IT employee gets to it.

An IT Employee’s Experience Will Be Varied and Inconsistent

Typically, your $78,000 will go toward someone with limited experience. Often, IT employees will lack municipal experience and not understand how cities work. There are also many areas of IT. It’s impossible to find someone experienced in everything such as network and systems support, data backup and disaster recovery, server management, software upgrades and maintenance, hardware upgrades and maintenance, website hosting and maintenance, document management systems, email software, open records requests, policy and compliance, and video archiving.

Attracting and Retaining IT Talent Will Be Tough

For many smaller cities, a dearth of local IT talent can affect hiring. Many IT professionals gravitate to a handful of highly populated metro areas. If you’re more than an hour outside one of these areas, it can be tough to find, attract, and retain IT professionals who are constantly bombarded by IT recruiters. You’re always competing with the market, even if you’re lucky to hire a very talented IT professional in your area.

Advantages of Contracting with a Vendor

Contracting with an experienced IT vendor is often a great alternative to a full-time employee because:

  • You can receive 24/7/365 support from municipal-experienced IT engineers for less than the cost of a full-time employee. On cost alone, the comparison between what a full-time employee can accomplish versus what a vendor can accomplish is not even close in terms of both financial investment and getting things done.
  • A 24/7/365 vendor doesn’t take a break. They won’t get sick, go on vacation, or leave you suddenly because they got offered a better job. That leads to ongoing IT stability and continuity.
  • A team of municipal-experienced IT engineers covers all aspects of IT. Instead of relying on the knowledge of a single person, a vendor’s team will cover all aspects of IT from data backup to website hosting, from video archiving to document management. It’s like having the IT expertise that only large companies used to enjoy.

The customer mentioned above eventually chose us after making these evaluations. It made more sense from a cost and knowledge perspective to go with us. When you face a similar dilemma, make sure you weigh your options carefully.

Ready to increase your IT support? Reach out to us today.

 
