We put the IT in city®

CitySmart Blog

Friday, April 26, 2013
Dave Mims, CEO

Budgeting season has arrived for most cities, and information technology is a critical part of a city’s annual spend. Yet we find that many cities don’t know where to begin when specifying their IT budget, or even whether they should include it at all (other than as a lump sum line item).

We find that it’s important for cities to flesh out a fairly detailed IT budget to help uncover inefficiencies, save money, and better execute business and operational goals. In our multi-part series, we’ll look at how you can use your IT budgeting process to help fix what’s broken, find ways to save money in the long-term, and work to help execute your city’s strategic vision.

How Broken Technology Affects Your Budget

While it might seem like broken technology has little to do with city budgeting, your IT budget can actually reveal how obsolete hardware or underinvestment might be costing you money each year. Bad technology impacts your bottom line every day, and it’s often a hidden source of lost city revenue.

A great place to begin analyzing your IT budget is to ask yourself the following questions about your technology.

  • Is my data backup untested and unaudited? When cities use manual data backup (such as tape or external hard drives) that goes untested and unaudited, all it takes is one data loss incident to significantly impact a city’s budget. If you cannot recover or use your data for days or weeks, you disrupt city operations and risk lost revenue. We also find that IT bills skyrocket for cities that use inadequate data backup, especially when a server fails and they cannot recover the data without time-consuming, expensive help.
  • Is my hardware more than five years old? Old hardware results in processing delays, server and desktop failure, and lost productivity. While you might feel you’re maximizing an investment by keeping hardware until it dies, hardware gives you significantly diminishing returns after 3-5 years. In fact, aging hardware actually begins to cost you money once it becomes obsolete, ineffective, and unable to meet the demands of city business.
  • When did I last think about my ISP or telecom provider? If you’ve used your current providers for many years, or if you’re locked into a multi-year contract, those are clear signs that you could shop around and lower your ISP/telecom budget. We’ve seen many cities unknowingly suffering from poor yet expensive service when higher quality, cheaper service exists. If you’ve neglected to examine or challenge this line item for many years, it may be ripe for savings.
  • Are my IT support costs unpredictable and expensive? Many cities use IT vendors or contractors that seem inexpensive on the surface but usually gouge a city’s budget with expensive and unpredictable billing during the year. That’s because these vendors often sell you on a low yearly fee, but the hidden costs arise through reactive incidents billed at high rates. You need to examine if your annual IT support costs are too unpredictable, and if you can save money with a more efficient, predictable model that includes proactive IT support under a low monthly fee.
  • Am I paying for expensive software licenses? Another unchallenged area tends to be software. Maybe you bought an accounting system many years ago, or you just renew your Microsoft Office licenses automatically each year. But this may be habit more than budgetary sense. Software has been revolutionized in the past few years by cloud computing. That means that you could potentially get rid of expensive software servers and licenses and instead “subscribe” to software (per user) over the Internet. This software model gets you the same (and sometimes better) software for a much lower cost.

By examining these important questions first, you’ll often find low-hanging fruit and ways to slash your IT budget immediately. These reductions can often be significant, even for smaller cities where it might not seem like you’re spending a lot on IT. Whether it’s reexamining telecom contracts or replacing broken hardware, there is plenty of opportunity on a first pass to see if you can both fix your technology issues and save some money in the process.

In our Part II post, we will look more at the long-term investment side of technology, and how you can budget to maximize the money that you’re spending.

Thursday, April 25, 2013
John Miller, Network Infrastructure Manager

Lengthy telecom contracts – those giant documents that mostly go unread – often contain language and conditions that work against your city’s best interests. In most cases, telecom works much like a utility. You purchase it once, become accustomed to its quality of service (good or bad), and rarely think of it again.

When beginning our work with a new city, we usually find old telecom contracts and technical setups that are expensive, low quality, and reliant on outdated technology. All this despite new technology that works better, faster, and cheaper. For less cost, cities could experience a quantum leap in the quality of their telecom service.

But where to begin? Here are some common questions to ask when starting to sift through your telecom contracts and services.

  1. How long have you had the same service? It’s not uncommon to find cities using the same telecom service without change or challenge for 10-15 years. That’s too long to go without taking a look at alternate solutions and technologies. Telecom services evolve for the better, and those services can often be purchased for significantly lower cost than what you’re paying for your current service. If your city has had the same telecom vendor for more than three years, that’s a red flag.
  2. Are you locked into a multi-year contract? If so, this is a major source of concern. You should not be locked into a multi-year contract. Long-term contracts serve the interest of telecom companies, not you. What if the service is low quality or you find a better solution? You will be penalized if you break the contract. And those penalties are expensive. If you’re in a multi-year contract, talk to an objective telecom expert immediately to analyze your situation. (Also be careful of auto-renewal clauses.) Ideally, all contracts you sign should have a 30-day notice of termination built in.
  3. Have you mostly seen telecom salespeople, and rarely a telecom support engineer? For many telecom companies, salespeople are incentivized by commissions. When you sign a long-term contract, a salesperson makes commission on all ongoing revenue. Follow the money – that incentivizes the telecom company to sell you the service, not change the product in any way (unless they upsell you), and not rock the boat. In other words, instead of being concerned about the best, most cost-effective solution for you, telecom companies will usually not contact you if it means threatening their revenue stream. Any consultative, useful, and objective analysis from engineers might potentially lower a salesperson’s commission. If you’ve only seen salespeople, that usually means you do not have a true telecom support advocate.
  4. Are you paying your telecom provider for services that you could bring in-house? One common example is when cities pay for monthly site-to-site connectivity to a provider instead of investing in the infrastructure to do it themselves. In some cases, you might also be paying for extra support or bells and whistles that you can handle in-house. Don’t ask the telecom provider about what you could bring in-house! (They will obviously not want you to bring anything in-house that you are currently paying for.) Instead, talk to an objective consultant who is not incentivized by the cost of your telecom services. They will be able to assess what you can bring in-house to lower your telecom bill.

We’ve been amazed that so many cases exist where cities are simply paying too much for inferior technology and poor service. If you haven’t examined your telecom services in a long time, you have the opportunity to save a great deal of money. These situations apply to rural and non-metro cities too, especially with the advent of increased high-speed broadband connections and mobile services. Whether you’re a large metro city or a small rural city, it’s worth taking a critical look at your telecom contracts.

To discuss your telecom contracts in more detail, please contact us.

Friday, April 19, 2013
Clint Nelms, COO

While more and more government organizations are moving their email to the cloud, supported by many examples showing that it is one of the safest places for your email, we still see many cities clinging to old or obsolete email hosting methods. Unfortunately, hosting your email improperly or through a method that is no longer a best practice can put your city at risk.

Those risks can involve security, compliance, retention, and responsiveness to open records requests. Poor email hosting jeopardizes the safety of your emails and opens your city up to legal troubles—especially if people need to find and retrieve specific emails in response to an official request.

Here are five things to look out for with bad email hosting. If any of these situations applies to you, it is imperative that you begin to consider enterprise cloud email hosting.

  1. You’re using free email hosting. You get what you pay for. While free email may seem cost-effective and easy to use, it comes with a host of problems for government organizations. When you have a technical problem, who do you call? Free means little to no support built into your email services. Free email hosting providers will also not be concerned with strong antispam, giving your city adequate email storage space, or making sure users can focus on their work without having to see constant advertisements.
  2. You don’t know where your email is hosted. We often encounter cities that cannot tell us where their email servers are located. In many cases, especially with cheap email hosting, email servers are located offshore—where compliance and security might be more lax. The IT staff overseeing your data center may not have criminal background checks and yet have access to sensitive city information. And how are your email servers maintained by this IT staff? How rigorously? If you don’t know where your email is hosted, that implies other potential problems.
  3. You host your own email servers. While you might be competently hosting your own email servers, you are also paying for the cost of those servers, the software running on those servers, the software licenses, and the staff or vendor that must support those servers. With cities needing to cut costs, you cannot ignore cloud email business models that improve your quality of service while cutting costs. Shop around and explore whether you can save money.
  4. You’re in danger of permanently losing email if an email server goes down. Especially with laws that dictate retention policies for email, you will be in legal trouble if you lose email because of a server failure. In addition, your staff relies on email as the lifeblood of their work at your city. Losing email is a productivity and operations killer, and if you don’t have a data backup and disaster recovery plan for your email, then you are placing your city at great risk.
  5. Your email hosting does not meet security and compliance standards. Email often contains sensitive city information about personnel, legal disputes, public safety, citizens, etc. We’ve found that cities with free email hosting, unknown hosting, or onsite hosting often have major security issues and gaps from poorly configured servers, bad maintenance, or lack of effective setup and support. Cities are held to a much higher standard than most private sector businesses. Taxpayers will find it inexcusable if a city, in trying to cut corners, allowed social security numbers to be exposed through a breach in a free email hosting account. Legal repercussions can also be devastating.

Cloud email hosting from experienced, widely used vendors (e.g. Microsoft) eliminates these problems by offering enterprise-level service and support, documented security and compliance policies and procedures, and data backup. And with a lean, scalable model (usually priced per user) that does not require expensive onsite hardware, software, and licenses, you pay (like a utility) for exactly as much email hosting as you need.

Especially on the cyber liability side, cloud email hosting becomes less of a “nice to have” service and more of a required service. If you cannot guarantee that you are following essential security and compliance practices in your email hosting, then you need to leave it to experts who regularly host email for many government institutions.

To talk more about email hosting, please contact us.

Tuesday, April 16, 2013
Dave Mims, CEO

“Metadata” is an intimidating word, often sounding very technical and from the complex world of search engines. Quite simply, metadata is data about data. Let’s say books are data. How would you describe and order groups of books? Probably by genre, by author (A to Z), and maybe even by “most popular” or “bestsellers.” Those categories of genre, author, and “most popular” are metadata, and that metadata helps you navigate through a bookstore—instead of just sifting through a giant pile of books.

In a document management system, you probably know the feeling of sifting through information when it is poorly labeled and organized. You search over and over for something, you get too many search results in return, and it seems like keyword searches just don’t work right. Those kinds of document management systems often have poor metadata.

So where do you start if you’re a metadata novice? While we recommend also talking to someone technically conversant with your document management system (and if you’re a large city, you might want to have an information architecture expert in the mix), we focus here on some metadata basics that we notice when we help cities with their document management systems.

  1. Look for pain points with your city staff. The first place to start is with the existing experience city staff has when they search for documents. How do they search? What do they search for? What results come up? For example, do users get frustrated looking for accounting documents when they can’t separate out accounting from all other city documents? City staff will often tell you through their actions how they need the information to be labeled and organized, and what terms they think of when they search for documents.
  2. Involve different groups when deciding what metadata you need. When you sit down to discuss how you want to describe and categorize your documents, make sure you involve multiple groups to assess their needs. Your finance department may have stricter metadata needs than parks and recreation, for example. At the same time, you don’t want to make your categorization so complex that basic users can’t easily upload and label documents. By discussing your needs together, you will arrive at a good categorization system that works for everyone.
  3. Create custom views for different departments. One of the biggest pain points with document management metadata is separating out views at the highest level, such as finance, public safety, information technology, or parks and recreation. When users have to sift through documents across all city departments for every search, it prevents them from easily finding what they need. But when metadata clearly indicates different departments, projects, or organizations, then users can go to the area that exactly meets their needs.
  4. Make users enter basic metadata. When users upload documents, work with your document management vendor and IT department to make users enter basic metadata. There should be minimum requirements for what users need to fill in, such as a title, author, department, description, keywords, etc. If you’re not enforcing metadata capture, then your document management categorization and search capabilities go to waste. After a while (and some grumbling), filling out metadata will become habit for users, and your document management categorization will become much richer and more thorough.
  5. Manage and audit your metadata. If no one is overseeing your document management system’s data, which includes your metadata, then it’s easy for people to lose the habit and go astray. Also, over time your data needs might change, or your data might become unruly and chaotic. If your needs grow more complex, such as with new financial requirements or a piece of legislation, you can push down new metadata requirements to users. If you find that users are not helped by either simplistic metadata (such as too many documents with the same category) or overly complex metadata, you can balance it out by adjusting top-level requirements for users based on feedback.

Our advice in this article focuses primarily on the business side of metadata, and less on the technical side. Most cities we work with just need to use metadata at a basic level so that users can more easily find documents. With larger cities, document management and metadata grow much more complex, and we recommend bringing in more technical expertise at that level. Otherwise, as long as you can get your users labeling and categorizing documents consistently, and in a way that makes them easy to find, then you’re on the right track.

To discuss document management and metadata in more detail, please contact us.

Wednesday, April 10, 2013
John Miller, Network Infrastructure Manager

When we sit down to talk with cities about vendor relationships, many of the war stories center around how vendors waste a city’s time. An important part of any vendor relationship boils down to two things: expertise and communication. Can the vendor do the job, and can they communicate about issues and problems effectively?

To this day, we are still amazed at some of the stories we hear. You would think that vendors would learn from the best in the business or listen to the feedback that municipalities regularly share at events and conferences. Many vendors unfortunately prey on cities, secure the deal, and then take a hands-off approach to the engagement.

Cities need to understand that wasted time equals wasted money. Here are some warning signs to look out for.

  1. Calling the helpdesk is always confusing. There may be different support numbers for different problems. Or perhaps you dial in and you have to navigate several levels deep into a menu of “press 1”s and “press 4”s. When you speak to someone, they might be confused about your request and route you to several other people. Calling the helpdesk should be easy – you either talk to someone knowledgeable immediately or you receive a call back within a short amount of time.
  2. Bills for onsite visits pile up. Reputable IT vendors will often include the cost of site visits within a reasonable, predictable monthly bill. But some IT vendors use site visits as ways to log many billable hours that you did not budget for. We’ve seen quite a few cases where an IT vendor will arrange a deal with a city that appears like a low monthly fee on the surface, but they end up making most of their money through “unpredictable” issues that require billable site visits. Look for escalating, unexpected, and unpredictable support bills as a red flag.
  3. You’re often told, “That’s not included.” This time-waster is probably our biggest pet peeve. Many cities agree to “24/7 IT support” and the assurance that nearly every area of their IT environment is covered. However, the fine print says otherwise. A problem is identified, and the vendor tells you, “That will cost extra.” Lots of problems start to occur, and most of those problems are “not included.” That means approving discretionary budget and delaying problem resolution because you are signing additional statements of work.

The shame about these issues is that problems often do not emerge until you start working with a vendor. If you are researching IT vendors, make sure you have a senior experienced IT person at the table. Have them ask tough questions about the vendor’s experience, processes, and problem resolution. Talk to customers who work with that vendor. And if you’re seeing too many of these negative signs with your current IT vendor, then it’s time to start looking for a new IT vendor.

If you want to discuss these vendor management problems in more detail, please contact us.

Friday, April 5, 2013
Clint Nelms, COO

While very large cities and other large organizations find website design an expensive but necessary proposition, expensive website design is something small- to medium-sized cities should avoid. It’s tempting to read the press about what the latest government websites should offer, but the press usually reports on very large government entities that use cutting-edge social media, big data and open data applications, and extensive mapping software.

From our experience, budget-conscious small and medium cities need essential website functionality and a professional appearance, but they often lose money when website vendors oversell them on supposedly “must have” features and custom design. Here’s a quick list of what small and medium-sized cities need and don’t need in their website design.

What You Need in Your Website Design

  • Professional Look and Feel: As long as your website looks clean and professional, without any chaotic or amateurish design elements, it will hold up to public scrutiny. Many template websites are available that have been designed by high-end professional designers and have been used by many smaller cities. A professional look and feel should also incorporate a consistent city logo throughout the website.
  • Online Payment Processing Capability: Since citizens often want to pay utilities, taxes, and fines online, it’s best to have payment processing built in as part of a website design. Years ago, this would be an expensive addition. Today, many template or low-cost websites can easily accommodate this feature.
  • Calendars, Department Pages, and Other Common City Content: There are a few areas that all cities tend to have on their websites, such as community calendars, pages for departments (City Hall, Public Safety, Parks and Recreation, etc.), city council agendas and minutes, and news updates – to name just a few. Most basic websites can accommodate such content without expensive design.
  • Ability to Add Pages and Modules: If a city wants to add additional common pages or modules, it should not require another redesign or expensive fees. It’s to be expected that a city will grow and expand over time, and a website design should plan for that growth without a website vendor billing you for each addition.
  • Ability to Put Content Onto the Website: Cities should not have to rely on a third party to put content onto their website. Instead, the website should be designed with a content management system on the back end so that city staff can update webpages without having to code or understand anything technical.

What You Don’t Need in Your Website Design

  • Expensive Multimedia: Too many cities are wooed with the ability to showcase expensive Flash imagery, videos, and photos. Often, this multimedia is not very functional and wastes money. If a city needs to use videos or photos, they need to be functional and reasonably budgeted.
  • 100% Custom Design: Building a website from scratch is risky in terms of time and outcome. Even if it’s done well, it will cost a great deal of money and tends to be overkill for a small or medium city. Stick with templates that are minimally customized.
  • Bells and Whistles: We’ve seen so many cities pay for expensive website design that included sophisticated social media apps, forums, and RSS feeds that often go unused. A city should not be tempted by nice-to-haves. Instead, each aspect of a website needs to be justified and its functionality proven by a business need.
  • Expensive GIS Mapping Tools: Geographic information systems (GIS) continue to be popular at municipalities, and the rich mapping data can greatly enhance websites – especially for certain departmental pages and citizen-friendly website applications. However, many GIS website tools and applications are overkill for all but the largest cities. Integrating live GIS data onto a website is extremely costly. For smaller cities, it’s often better to use a static map, such as having the city’s GIS data manager export a graphic representing the data and have the person managing the website content post the static map to the webpage.
  • Rebranding: We’re not against rebranding. However, website vendors sometimes lure cities into using a website design as a way to also do a complete rebrand of the city’s look-and-feel. If you’re at this stage independently of a website design, fine. But if you’re rebranding just because your website vendor is urging you to develop new logos, taglines, imagery, and colors for the city’s visual appearance, then you’re potentially being ripped off.
  • Amateur Work: On the other end of the spectrum, we still see many cities hand over a website redesign to a single design intern or to a friend of a city employee who has “designed a few websites.” While this may have been acceptable back in the late 1990s when websites were still novelties, it’s unacceptable today. While cheap, the end result will usually be a poor design, hard-to-manage functionality, and a website that breaks down too much. As one example, we see something as simple as fonts crash city websites, especially when amateur designers try to get fancy or make too many words blink. Leave website work to professionals.

These tips give you a quick idea about what you need and don’t need in website design. As you can see, in most cases website vendors are good at upselling design aspects that small or medium cities just don’t need. Sure, some of these aspects do create great-looking websites. There are some great custom website designers out there, and some slick features and apps that can really enhance a website. But those features really only start to make sense once thousands and thousands of people start to visit a website, usually at large cities over 100,000 people.

To discuss website design in more detail, please contact us.

Wednesday, April 3, 2013
Dave Mims, CEO

One of the most common yet overlooked tasks of anyone taking care of servers and workstations is basic hardware maintenance. That includes monitoring hardware, applying patches, and upgrading software. Like a car, basic maintenance ensures that your investments run smoothly from purchase to decommission.

However, in our many network assessments over the years, we’ve found that lack of server and workstation maintenance often crops up as a critical problem at many cities. The city’s IT staff might be inexperienced or strapped for time, or the city’s IT vendor might not be maintaining equipment at a professional level. The result? Slow servers, poor computer performance, unhappy employees, and city operations interrupted.

While hardware maintenance involves many complex technical aspects, we are providing a high-level overview of five basic activities that your IT staff or vendor must perform to keep your hardware running optimally.

  1. Proactively monitor health and performance. Too many cities simply react when a server fails or a workstation breaks down. We recommend having an experienced IT professional proactively monitor the health and performance of your hardware. Many 24x7 monitoring and alerting tools exist that raise red flags when issues arise. However, those tools alone will not make a difference unless you have an expert analyzing the results who knows how to identify, escalate, and deal with performance issues.
  2. Patch, upgrade, and leverage support. While it seems simple that patches and upgrades that solve security and performance problems should be applied to servers and workstations, we’ve analyzed many environments where this is just not happening. You are paying for expensive software, so why not apply patches and upgrades delivered as part of the vendor software support? Leverage any included support related to your hardware, especially when you are unable to solve a problem yourself.
  3. Replace aging hardware. Natural wear and tear, storage and memory limits, and evolving technology all eventually make hardware obsolete. Don’t wear out hardware for too many years and only replace it when it dies. You need a plan to replace your hardware, usually every 3-5 years. Your IT staff or vendor needs to be on top of your hardware asset management and track the purchase, deployment, depreciation, and decommissioning of all hardware.
  4. Apply strict security. Especially at a city, you need to make sure your servers and workstations are protected as much as possible from hacking, phishing, and other unauthorized attempts at access. Apply an enterprise firewall, properly configured to close off all gaping security holes. Enterprise antivirus should be applied across all servers and workstations, and strong antispam and content filtering help protect city staff from clicking on phishing emails or dangerous websites that can open up a security hole in your network. Do not compromise in any way on hardware security.
  5. Back up all data on your hardware. Despite your best proactive maintenance, servers will fail and computers will be lost or stolen. A data backup plan that provides daily backups and full disaster recovery is essential for covering all unexpected situations. At cities, it’s usually a good idea to use onsite data backup that takes hourly snapshots of your information. That means if a server fails, you should be up and running within an hour or two. For disasters, you should be up and running within 24 to 48 hours by using offsite data backup.
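
The hardware replacement cycle in item 3 (and the "more than five years old" question in the budgeting post above) is easy to lose track of without an inventory that records purchase and decommission dates. The script below is an added example, not tooling from the blog or its authors: it takes a constructed asset inventory, classifies each asset against the 3-5 year window the post describes, and rolls the like-for-like replacement cost into a per-year budget estimate. The inventory records, the asset tags, the reference date, and the thresholds PLAN_AFTER_YEARS and REPLACE_AFTER_YEARS are assumptions made for the example.

```python
"""Hardware lifecycle report (added example, not the blog's own tooling).

Assumptions: an inventory is a list of dicts with an asset tag, type,
purchase date, purchase cost, and an optional decommission date. The
3-5 year replacement window is taken from the post; everything else,
including the sample records, is constructed for illustration.
"""
from collections import defaultdict
from datetime import date

PLAN_AFTER_YEARS = 3     # start budgeting for replacement at this age
REPLACE_AFTER_YEARS = 5  # past this age the post treats hardware as obsolete

# Constructed sample inventory; not real city assets.
INVENTORY = [
    {"tag": "SRV-001", "type": "server", "purchased": date(2007, 6, 1), "cost": 6000},
    {"tag": "SRV-002", "type": "server", "purchased": date(2011, 2, 15), "cost": 5500},
    {"tag": "WS-101", "type": "workstation", "purchased": date(2009, 9, 30), "cost": 900},
    {"tag": "WS-102", "type": "workstation", "purchased": date(2012, 1, 10), "cost": 850},
    {"tag": "WS-103", "type": "workstation", "purchased": date(2006, 3, 3), "cost": 950,
     "decommissioned": date(2012, 5, 1)},
]


def age_in_years(purchased, today):
    """Whole years elapsed since purchase (anniversary-based, not days/365)."""
    years = today.year - purchased.year
    if (today.month, today.day) < (purchased.month, purchased.day):
        years -= 1
    return years


def classify(asset, today):
    """Lifecycle status: decommissioned, replace (overdue), plan, or ok."""
    if asset.get("decommissioned"):
        return "decommissioned"
    age = age_in_years(asset["purchased"], today)
    if age >= REPLACE_AFTER_YEARS:
        return "replace"
    if age >= PLAN_AFTER_YEARS:
        return "plan"
    return "ok"


def lifecycle_report(inventory, today):
    """Map every asset tag to its lifecycle status as of `today`."""
    return {a["tag"]: classify(a, today) for a in inventory}


def replacement_budget(inventory, today):
    """Estimated replacement spend per year, assuming like-for-like cost.

    Overdue assets are charged to the current year; everything else is
    charged to the year it reaches REPLACE_AFTER_YEARS. Decommissioned
    assets are excluded.
    """
    budget = defaultdict(int)
    for a in inventory:
        if a.get("decommissioned"):
            continue
        due_year = a["purchased"].year + REPLACE_AFTER_YEARS
        budget[max(due_year, today.year)] += a["cost"]
    return dict(sorted(budget.items()))


if __name__ == "__main__":
    # Reference date fixed to the post's date so the report is reproducible.
    as_of = date(2013, 4, 3)
    for tag, status in lifecycle_report(INVENTORY, as_of).items():
        print(f"{tag:8} {status}")
    for year, cost in replacement_budget(INVENTORY, as_of).items():
        print(f"{year}: ${cost:,}")
```

The status column is what an IT staff member or vendor would review during budget season; the per-year figure is what goes into the capital line of the IT budget instead of waiting for a failure to force an unplanned purchase.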

When you buy a car, you can decide to worry about maintenance only when it breaks down. But you know that your car performs better when you have your oil changed every three months, tires rotated every six months, and a full inspection at least every year. Server and workstation maintenance works similarly, although much more frequently. With 24x7 monitoring and maintenance by experienced IT professionals, a data backup and disaster recovery plan, and a hardware lifecycle replacement strategy in place, your hardware investment will be maximized and run in the most optimal fashion.

To talk more about hardware monitoring and maintenance, please contact us.

Friday, March 29, 2013
Nathan Eisner, Network Manager

Even at smaller cities, it’s easy for your IT assets to get out of hand. Servers and workstations accrue, software lingers after being purchased many years ago, and data backup media piles up. A good question to always ask about your IT assets is, “Am I using them?”

Taking a look through your existing assets can be enlightening, and sometimes shocking. Often, valuable real estate, power, and IT staff time are consumed maintaining assets you don’t need. Here, we take a look at some common IT infrastructure assets and offer ways to eliminate or trim them down.

  1. Data backup. We often see a lot of waste here, especially from manual data backup processes. Tape, external hard drives, or other transportable media not only add manual risk to the process of data backup but also waste physical space. Manual media is usually not tested or audited, so you are often storing backup media that won’t work when you need it. Modern data backup systems can mostly back up remotely, freeing up space and eliminating your need for portable media.
  2. Servers. With advances in cloud computing, many servers are simply taking up space at cities. Dedicated servers for email or specialized software can often be eliminated and replaced with cloud services that require no onsite servers. In addition, completing an assessment of your current servers can help analyze if they are really worth the maintenance or software license costs. Do you have expensive software on a server used by very few employees? Do you have an email server that is hard to maintain? Be brutal and have your IT staff or vendor help you figure out if you absolutely need each server.
  3. Workstations. Typically, a lot of waste pops up with workstations. Over time, if employees needed workstations, they were bought on the fly with discretionary budget, without much thought as to what city staff actually needed to perform their work. Are there computers not being used by anyone? Are those computers still being maintained? Similar to a server audit, it’s good to look at your workstations (including laptops). Are the machines a fit for how they are actually being used? If not, you might consider decommissioning, selling, or stripping down the features and services attached to each machine.
  4. Printers. Printers are often overlooked as a major IT asset, but they are networked machines that tend to proliferate too much within an organization. For example, people tend to buy printers for themselves rather than maximizing the use of a printer for an entire department. With an assessment, you’ll often find too many printers, unused printers, and potential to trim down your annual maintenance costs.
  5. Telecom, Internet, and Wireless. Traditional phone systems and unruly wireless systems can also be a waste. You might have expensive phone equipment that could be eliminated and replaced with a more streamlined VoIP phone system that relies on an Internet connection. Also, organizations tend to accrue wireless devices that people buy on impulse to solve a temporary need, and then sit unused. Your city might benefit from an inventory of telecom, Internet, and wireless equipment to see if you can reduce some hardware and maximize the usage of fewer devices.

IT infrastructure is expensive, so you want to make sure you are using all of your assets wisely. Even hardware and equipment that you bought three to five years ago can potentially be reduced or eliminated by newer cloud services. And any organization, unless you’re rigorously auditing your IT assets on a regular basis, can find itself with too many servers, workstations, printers, and other equipment that is excessive or lies unused. Cities can’t waste a penny, and so it might be time for your city to do some IT spring cleaning.

To talk more about reducing your IT infrastructure clutter, please contact us.

Tuesday, March 26, 2013
John Miller, Network Infrastructure Manager

As cities transition to an online payment system or reevaluate their online payment vendor, it’s good to look at the basics of what makes a city’s online payment information safe and secure. In this multi-part series, we will cover the basic Payment Card Industry Data Security Standard (PCI DSS) requirements one by one, teaching you about what a city and its online payment vendor need to be compliant.

The basics of secure online payments start at the network level, and the PCI DSS requirements begin by examining firewall and password policies. These best practices also correspond to many other IT-related services and provide good questions for other aspects of your city business.

Use enterprise-level firewalls for your network.

Both you and your online payment vendor need at least an enterprise-level firewall to handle sensitive payment data. Coupled with enterprise-level antivirus, this essential network configuration creates strict access for outside sources wishing to communicate with you.

As you may know, firewalls work rather like a border crossing or airport security. Only specific approved information is allowed inside your network. When you’re dealing with sensitive online payment data, it’s imperative that any information requests are authentic—both inbound and outbound. Hackers are always trying to access valuable data, and payment data is worth more to them than many other kinds of data. Not only must your online payment vendor have sufficient firewalls, but you should also make sure your firewalls match their high standards if possible—especially since it’s likely that online payment data will cross in and out of your environment (e.g. in your accounting software, on your website, etc.). Hackers look for gaps to exploit, and it would be unfortunate if your network was their way into your online payment data.

Use strong passwords and user authentication.

You may have had the experience of accessing online payment websites and...suddenly the experience changes. There are different passwords. Maybe a passkey, or another kind of user authentication. The URL on your browser switches to a higher level of security and encryption. That’s because the level of authentication needs to be higher when sensitive online payment data is involved. That means password best practices that include:

  • Strong passwords. That means long passwords with numbers, letters, and a mix of characters that are irregular and unusual—and difficult to hack.
  • Training and guidance about phishing. It should be clear to users when an online payment site is authentic, and when it is not. This may involve a secure URL, a passkey, or some other kind of unique identifier that—if lacking—should alert a user that they may be on the wrong website.
  • Considering two-factor authentication. An extra level of password security is not a bad idea. That means authorizing a person’s computer by, for example, getting an authorization code sent to their mobile device.

If your online payment vendor cannot confirm the rigor and security of these two items to your IT staff or vendor, then that lack of information should raise a red flag. But know that even if your online payment vendor can handle these requirements, you should also close the loop by providing your city with at least an enterprise-level firewall and a strong password policy. These two items form the basic foundation of securing a network from most common hacking and unauthorized access to data.

Having a strong firewall and password policy is like having locks on your doors and windows, along with personal security to make sure that only authorized people enter your house.

In our next online payments post, we will discuss encryption and other ways to protect data. If you want to talk about online payment security in more detail, please contact us.

Thursday, March 21, 2013
Clint Nelms, COO

The rise of cyber liability insurance matches a growing trend in which targets with valuable information (e.g. financial institutions), combined with weak IT security, create rich opportunities for hackers. Since municipalities store sensitive information such as social security numbers and tax information for businesses, they become obvious targets.

Not only are municipal data breaches embarrassing, but they are also expensive. Computerworld recently reported:

The costs of simply investigating and responding to these losses—not to mention the resulting lawsuits and regulatory fines—can be staggering. For instance, the Ponemon Institute estimates that response costs can be as high as $200 per compromised record. It is not difficult to understand how total costs for a wide breach can quickly escalate well into the millions of dollars.

A great article last year from Dark Reading outlined the top 10 security breaches of 2012, and it’s sad for us to see how many of these breaches could have been prevented by following basic IT best practices. Many municipalities still lack basic IT infrastructure, policies, and training to prevent even amateur hacking attempts.

Last year, we produced a series of articles addressing data loss, website hacking, and virus attacks, but we want to address some other common issues that impact cyber liability. These best practices can help lower your risk, which then lowers your cyber liability insurance premiums.

  1. Educate and train employees about phishing. This may seem very non-technological and simple, but phishing led to 3.8 million Social Security numbers and 3.3 million bank account numbers stolen from the South Carolina Department of Revenue last year. Employees need to understand that clicking on links from suspicious emails opens up a city to high risk. Better yet, couple training with good antispam software to ensure that most phishing emails never even reach a person’s inbox.
  2. Eliminate as much physical storage and manual processes as possible. Risk increases when you need to physically handle data. Even the combined clout of IBM and Iron Mountain could not prevent a massive data breach last year when those vendors were transporting data backup tapes. If you know us well, you know that we sound like a broken record when we tell cities to stop using tape backup. Day-to-day manual handling of tapes introduces too much risk at every step (theft, loss, forgetting to back up data, etc.). And in this case, yes – you can get fired using IBM.
  3. Create a strong password policy, everywhere. Hackers most often exploit weak passwords, either through bad server configurations or poorly maintained web applications. Many hacking outfits will use something called a SQL injection to break through, like a burglar kicking down a door with a weak lock. That means you need to force users to have strong passwords, train users to never give out their passwords over the phone or through a suspicious web link, and to have everyone—IT staff and non-IT staff—change passwords often. (Read about password best practices in more detail.)
  4. Encrypt laptops and mobile devices. Too many major data breaches arise because of stolen laptops or other mobile devices. Encryption (which the South Carolina Department of Revenue is still putting in place to prevent another data breach) means that users must enter a password to access any information on the laptop. This is different than simply logging in to Windows or your routine desktop applications. Encryption is an extra layer that means if someone doesn’t know the password, the data is useless. If a person steals a laptop, for example, they could not even hack into the hard drive without the encryption password.

Cyber liability is understandably a hot topic for cities, since the stakes have never been higher. Hackers have become more sophisticated and aggressive, and small to medium-sized cities become juicy targets—precisely because they often lack basic IT security measures. While the above cyber security tips sound simple—and almost obvious—they are exactly what lead to most data breaches.

In future posts, we will look more closely at some non-technical policies and procedures (such as working from home and employee background checks) that provide a strong foundation for your technical cyber liability. To talk about cyber liability in more detail, contact us.
