We put the IT in city®

CitySmart Blog

Friday, October 26, 2012
Dave Mims, President

Recently, Fairfax County, Virginia experienced a notable failure in its online payment system when the website went down on the day of an important tax deadline. According to the article, the county handled the situation poorly—telling citizens they would still be charged late fees despite the online payment option being unavailable. Obviously, citizens were angry. The county later relented and provided an extension.

With revenue and money on the line, the failure of an online payment system can be one of a city’s most embarrassing and noticeable failures. Many online payment vendors exist, and the breadth of choices and costs can be overwhelming. On the most basic level, though, a city cannot simply choose the cheapest vendor or be wowed by features. At its core, you have to know the system is going to work and truly serve citizens in a high-quality fashion.

We have provided ten questions to ask your online payments vendor—whether you’re already using one or you’re looking for options. There are plenty of questions to ask beyond these—especially considering your business processes, desired future payment capabilities, and specific features—but these questions cover the basic fundamentals that are too often glossed over when looking for an online payments solution.

  1. Where is the website hosted? Is the online payment system part of your existing website? Or will it send citizens to a third party website? You want to make sure you know enough details about where the site is hosted to make sure it is meeting your needs and adheres to best practices.
  2. Will the online payment experience be seamless for the customer? Will it feel like customers are still on the city’s website, without an abrupt jump to another website? Abrupt jumps on a website can cause customer wariness. The online payment system should either plug in seamlessly, or website design and development resources should be available to make that transition smooth for customers.
  3. What is the guaranteed uptime of the online payments site? A robust cloud solution should push this to near 100%, but ultimately you want to make sure something as service-focused as paying online is working nearly all of the time. If you are hosting your own servers or using a data center, make sure you vet the hosting provider thoroughly. If peak times, such as the day when everyone is likely to pay their bill, crash the server, then that is a major red flag.
  4. What is the security of the online payments site? Cities should expect the same security from an online payments vendor that they would expect from their personal online banking. That means an industry standard level of encryption, strong authentication, strong passwords, regular auditing, and the ability of the vendor to provide documentation proving that they are testing their security controls on an ongoing basis. In addition to these basic technical requirements, it should also be clear who can access and change any payment information. Permissions and access need to be controlled with sufficient rigor and protection.
  5. How is the data backup and disaster recovery? If a server goes down, what is the time to recovery? Again, having a cloud solution helps immensely, but any online payment system should have significant data backup, disaster recovery, and business continuity.
  6. How is customer support? If people experience technical problems, how is the technical helpdesk in terms of responding and resolving those problems? Customers should not be left hanging with issues, and the most common user issues should be resolved by clear forms, helpful error messages, and ways for users to help themselves.
  7. What is the system’s ease of use? An online payment system should be easy to use, understand, and navigate from step to step. Using clear simple English (instead of technical jargon), it lets people know what step they’re at in the process and orients them at all times. Your most non-technical user should be able to use and understand it.
  8. Are there a variety of payment options? A good online payment system should provide a variety of payment options such as checking accounts, multiple credit cards, etc. It should also remind customers that they can pay in person or by phone. Sometimes if people balk at using an online payment system, they resort to paying by phone or in person in a panic. Provide as many options as possible to reassure citizens.
  9. Are logins and passwords easy? The login and password process should be easy, and it should not be a problem in case someone forgot a username or password. CAPTCHAs and difficult login credentials should not be an obstacle to using the online payment system. Otherwise, fewer people will use it.
  10. Is administrative access easy to use to resolve problems? Can someone at city hall make sure simple problems are resolved? You should not have to rely on technical support for simple problems such as a customer filling in a form incorrectly or disputing a simple billing error.

While we can only speculate about the source of Fairfax County’s online payment issues, from our experience we’ve seen similar problems occur when there is poor website hosting, lack of planning for peak use times, and a lack of strong technical maintenance and support. These kinds of problems are preventable if you have the right IT infrastructure in place to handle your customer demand.

Contact us if you’d like to discuss online payment systems in further detail.

Thursday, October 25, 2012
Clint Nelms, Network Infrastructure Practice Manager

A few months ago, we wrote a blog post about severe weather threats. Those continual threats highlight the need for every city to consider and implement a serious data backup solution. Since that post, Hurricane Isaac came hurtling through the Gulf of Mexico and threatened many of the same areas that Hurricane Katrina compromised back in 2005. Right now, Hurricane Sandy is projected to hit New England and threaten many of its cities.

Too many cities still have ineffective data backup and disaster recovery solutions. They may still use tape backup, manually back up data with disks or tape, or keep all of their servers onsite. They may consider an offsite backup solution as storing data in a different building or in a bank vault a few miles away. Considering the nature of disasters, these solutions are not good enough to meet the high standards of modern data backup and disaster recovery best practices.

Instead of simply finger wagging about best practices, let’s imagine a nightmare scenario and how it would play out. Then, let’s examine that same scenario through an “ideal” lens—that you can easily make a reality.

The Nightmare: Long Time to Recovery and Permanently Lost Data

Let’s say a disaster affected your city. It doesn’t matter what—a hurricane, severe thunderstorms, wildfire, a tornado, fire, or theft can all have the same impact. These are also relatively common scenarios, and not hard to imagine. We’ll assume you’re doing at least some data backup. (If you aren’t backing up any of your data, it’s clear what would happen in case of a disaster).

Let’s say that all of your servers are located onsite. Your city clerk takes tape backups to a bank vault every week. In the disaster, your servers are lost or destroyed. They are no more. Based upon our experiences from assessing many cities over the years, here is a sample scenario detailing what you can expect to happen:

  • First, you need to order new servers. Based on the time it takes to order hardware, expect about 3-4 weeks until they arrive.
  • The city is out of business until the servers arrive. Even though the city manually backed up its onsite data onto tape, it has no offsite or remotely accessible data to rely on while the new servers are in transit. For 3-4 weeks, the city is reliant upon any services that are paper- or cloud-based. It will have to set up some temporary processes of dealing with data (e.g. property taxes, fees, payroll, etc.) until the servers arrive.
  • Finally, the servers arrive—three weeks after the disaster. It’s time to get the tape backups loaded onto those servers.
  • You recall that the city clerk does a weekly manual backup on Fridays. Since the disaster happened on a Thursday, you realize you have no data from the previous Monday through that Thursday. You’re starting off realizing you’ve permanently lost four days of data.
  • After loading the tapes and transferring the data (which takes a long time), you eventually discover that about 30% of the tapes fail. There goes 30% more of your data. When you probe into the matter, you find out that no one on the city staff was testing the data backups. They had just assumed the tape backups were working.
  • You are able to restore about 70% of the city’s previous data, but it takes a while for everything to restore properly. The city’s IT staff person and IT vendor had not done disaster simulations, so they run into a variety of technical issues as they try to get the data up and running.

Finally, eight weeks after the disaster occurred, 70% of the city’s data is now running and functional. But eight weeks is a long time. The city wound up losing 30% of its data, was out of commission for 3-4 weeks while the hardware arrived, and then spent 5 more weeks until the 70% of the saved data could be used with full functionality.

You never need to find yourself in this situation. Let’s look at the ideal—which is actually reality for many cities following disaster recovery best practices.

The Dream (That You Can Easily Make a Reality)

Your situation: You have onsite and offsite data backup. It runs automatically and is handled by an IT vendor. You test often and simulate a disaster on a quarterly basis. Your disaster recovery plan covers all possible disaster scenarios, from a simple server failure to a full catastrophe.

In the disaster, your servers are lost or destroyed. They are no more. Based upon our experiences assessing cities over the years (especially from the cities we work with), here is a sample scenario detailing what you can expect to happen:

  • Since your backups are hourly, your last data backup snapshot was from 11 a.m. on Thursday when the disaster hit.
  • Since you have offsite data backup, your data is stored in two separate data centers thousands of miles away from your city.
  • The city calls the IT vendor after the disaster hits. New servers are shipped to the city, fully loaded with the city’s data.
  • Those servers arrive 24 hours after the disaster. They are fully functional and ready for operations.
  • These servers work like a charm, since they are regularly tested and audited.
  • While the city does not have a functional City Hall, it has decided to set up in a room at the public library as a temporary location. Since all email, document management, and website data is stored in the cloud, these services were not affected by the disaster. Employees have been accessing these services at home or at the library through a simple broadband Internet connection.
  • For all intents and purposes, other than losing their physical building to a disaster, the city is running and fully functional.

One week after the disaster occurred, the city lost only a minuscule portion of its data (any data that was not saved after the last hourly snapshot at 11 a.m., Thursday). The city only had to worry about electricity. Once electricity was restored, the city just needed Internet access for most services (those based in the cloud) and only waited 24 hours for its onsite non-cloud servers to arrive. Within a week, it was almost as if a disaster had not occurred.

Some simple investments in data backup and disaster recovery ensure that a city is a leader—up, functional, and helping citizens from the minute the disaster occurs. When a city loses all or most of its data, it cannot help citizens when they need the most help. Make sure you have a workable, comprehensive disaster recovery program in place. Contact us if you feel your disaster recovery is lacking.

Wednesday, October 24, 2012
Dave Mims, President

Georgia Municipal Association helps city stabilize data backup, disaster recovery and email

The City of Flowery Branch, Ga. is a cozy community nestled on the banks of Lake Lanier with its history dating back to the late 1800s. Despite the town’s historical charm, Flowery Branch needed its network infrastructure to catch up to modern technology.


Antiquated and unreliable, Flowery Branch’s IT services concerned city officials. The stability and security of the city’s email, server hosting and data backup affected city operations and jeopardized the ability to recover from a disaster.

However, costs to implement and maintain technology upgrades also alarmed Flowery Branch’s city leaders. In their technology assessment, hardware, software and labor expenses to upgrade technology were higher than what the city had budgeted. It seemed like a lose-lose situation.


Flowery Branch engaged with the Georgia Municipal Association and utilized its “IT in a Box” service.

Powered by Sophicity, “IT in a Box” is a complete IT solution for cities and local governments. The service includes a website, data backup, offsite storage, email, document management, Microsoft Office for desktops, server and desktop management, vendor management and a seven-day-a-week helpdesk.


By leveraging vendor management, which is included with IT in a Box, Flowery Branch’s telecom contract was renegotiated, creating a potential savings of $203,886.90 over a 10-year period. In the first year alone, the city saved $39,035 (or 48 percent) of the costs typically spent modernizing a network of its environment and size. These savings helped Flowery Branch stabilize its technology and create a predictable IT budget.

Additionally, “IT in a Box” helped Flowery Branch:

  • Mitigate the risk of data loss through onsite and offsite server backups
  • Ensure a highly available and dependable email system
  • Move to a faster Internet connection
  • Decrease spending on telecommunications services

“The City of Flowery Branch certainly feels as though we gained a partner in working through our IT issues. Sophicity has been responsive in showing us options that made operational and fiscal sense.”
— City Manager Bill Andrew

If you're interested in learning more, contact us about IT in a Box.

About Sophicity

Sophicity is an IT services and consulting company providing technology solutions to city governments and municipal leagues. Among the services Sophicity delivers in "IT in a Box" are a website, data backup, offsite storage, email, document management, Microsoft Office for desktops, server and desktop management, vendor management, and a seven-day-a-week helpdesk. Read more about IT in a Box.

Friday, October 19, 2012
Dave Mims, President

While a federal law does not necessarily signify any local government requirements any time soon, cloud computing may soon become a requirement at the federal level. A new law (the 2012 Cloud Computing Act) presented to the United States Senate in September mostly outlines the definition of the cloud as it pertains to criminal and civil protections against unauthorized access. But NextGov highlighted some important verbiage at the end of the law.

Not later than 180 days after the date of the enactment of this act and not less frequently than once each year thereafter for four years, the head of each federal agency described in section 901(b) of title 31, United States Code, shall, consistent with Cloud First policy outlined in the document of the Office of Management and Budget titled "Federal Cloud Computing Strategy" and dated Feb. 8, 2011, submit to the administrator of the Office of Electronic Government and Information Technology of the Office of Management and Budget a three-year forecast of the plans of the agency relating to the procurement of cloud computing services and support relating to such services.

While some in the media have noted problems with the law (scope, wording, potential overregulation), we tend to view such legislative attempts—whether they succeed or fail—as signs of things to come. And the law does highlight some of the key reasons to invest in the cloud.

  • Cost savings: By reassessing your hardware and software investments, you’ll often find that the cloud will save you money. The federal government’s Office of Management and Budget estimates $5 billion in savings if more agencies use the cloud. While your savings may be more modest, they will still be significant.
  • Efficiencies gained: Because your services are managed by high-end vendors who operate on a massive scale, you gain efficiencies that are hard to obtain if you or a traditional data center manages your hardware. Almost 100% uptime, quick speeds, minimal technical problems, 24/7 support, and full data backup and disaster recovery are only a few of the efficiencies gained with cloud services.
  • Pay for what you use: Probably one of the greatest selling points about the cloud is that you only pay for what you use—like a utility. In the past, many cities have had to invest in expensive servers and software licenses that were often more than they needed. If the city needed to scale up or scale down, it was nearly impossible to do so on short notice. With the cloud, if you need to add or subtract a server, a user account, or a software license, you can do it with a click of a button.

In addition, we’ve also seen cloud computing alleviate some of the worries that the law talks about related to data privacy, retention, and security:

  • Data privacy: While many cities worry about the privacy of sensitive data in the cloud, the reality is that the cloud often requires stricter and more comprehensive privacy standards than cities can craft themselves. Cloud vendors are often massive companies with too much to lose if data does not remain private—and so they employ the best security standards and policies when handling your data. Plus, because the data is not stored on personal devices, there is less chance of employees accidentally sharing or leaving private information on an unprotected or stolen device.
  • Data retention: The cloud offers stricter and more robust ways of archiving, retaining, and purging data. This is especially useful when dealing with open records requests, audits, and documenting information. To avoid future liability, the higher expectations for data collection and retention can be handled well by cloud solutions.
  • Data security: One of the greatest bargains with cloud computing is the high level of security. Since major vendors often offer cloud services, they have some of the highest security standards in place. When combined with a city’s policies, your data ends up protected from hackers, encrypted, and restricted to only authorized users. With increased attempts at hacking happening every day, this level of security is becoming standard.

Despite some lingering issues about the law (such as its vague definition of cloud computing), know that you’re heading on the right track if you place more of your services in the cloud. The cloud saves you money, increases efficiency, and helps you avoid many future liability issues. And eventually, it may even be the law.

If you'd like to discuss these issues in more detail, feel free to contact us.

Tuesday, October 16, 2012
John Miller, Network Infrastructure Manager

Lately, a lot of articles are discussing the pros and cons of teleworking and employees bringing their own device to use at work. Since these activities are such a cultural change for organizations, these same debates are probably taking place at your city. In this post, we review some of the most recent discussion points and guide you toward what you need to be thinking about concerning telework.

A Teleworking Calculator Shows Budget Impact

A variety of government technology publications recently wrote about a telework calculator created by Govloop and HP. By individual or team, the telework calculator shows (roughly) how much you might save by taking into account:

  • The number of days you’d telework per week
  • Round trip miles per day
  • Vehicle type
  • Average time spent commuting per day

Not only does the calculator point out an annual cost savings per employee but it also shows productivity gained in terms of hours and money. While the calculator can only provide rough estimates, these calculations do accurately represent the kinds of indirect benefits that a technology upgrade and shift to teleworking can have on cities.

We have written about the benefits of telework before, so it’s interesting to note some reinforcement of our ideas by this fact (shared on Govloop after you calculate your savings): “The average employer will pay nearly $10,000 per employee towards energy, real estate and production costs each year.” If you can even shave a fraction of these employee costs through teleworking, you’re saving real dollars in your city budget.

Security Concerns With Teleworking

Unless you purchase computers for all employees that they can use only for city business, your employees are probably using their own desktop computers, laptops, and smartphones to do their telework. While this may save money and ease the act of teleworking, the dark side of this trend is poor security.

Government Technology’s recent article is representative of these concerns, pointing out that securing and supporting these devices is creating a headache for IT staff. In addition, the bring your own device trend can also create a headache for city administration. How much is a city obligated to offset the costs of teleworking? That means:

  • How much should I subsidize the use of a device (laptop, tablet, smartphone)?
  • How do I secure the device?
  • How do I support the user when they have problems with the device?

In the past, we’ve discussed our recommendations about employees bringing their own device. We believe in enabling teleworking, but you need to be strict about employees’ personal devices.

  • When you’re dealing with sensitive government data, being overly nice and accommodating to employees is not going to work long term. There need to be some clear restrictions and policies.
  • Probably the best solution to consider that can make everyone happy (or happiest) is a cloud solution. Cloud solutions can be secured and supported as much as you want, regardless of what device is being used.
  • In addition, if you’re noticing too many IT support calls related to old or poorly maintained employee-owned devices, you might just consider buying new city-owned devices to standardize and simplify your IT support.

Read more about these topics from some of our past articles:

Why Teleworking Works for Local Government
How City Employees Can Bring Their Own Devices Without Risk
Dear Local Government: Be Enthused About Cloud Computing

If you have questions about teleworking and employees bringing their own devices to work, please contact us.

Thursday, October 11, 2012
Clint Nelms, Network Infrastructure Practice Manager

It’s easy for non-technical people to tune out those who work in information technology. IT changes all of the time, involves decades of in-depth knowledge, and uses an “in the know” speak that is hard for non-technical people to crack. In the business of local government, that knowledge and language divide can be harmful if the two sides do not understand each other.

Without great communication with your IT staff or vendor, all of your technology investments do not mean a thing. That may sound like an extreme statement, but plenty of articles show that communication-related breakdowns lead to failed technology progress.

Communication, of course, is a two-way street. Based on our many years of experience working with cities, we offer up some communications tips that you can use to test your current IT vendors and staff. Then, assuming you have a top-notch staff or vendor, we’ll share some advice about what kind of communication makes them happy.

Testing Your IT Staff or Vendor’s Communication Skills

Information technology staff or vendors can often seem intimidating and unapproachable because of their level of knowledge. They throw around complicated terms and are technical masters of some of your core business systems. But that doesn’t mean there should be a communication barrier between you and them.

  • All information technology projects, initiatives, and maintenance should be explained in business terms. No matter how complicated the technology, it’s supporting a business function. Every technical person doesn’t necessarily understand the highest level business function, but you should be in communication with someone who can clearly explain the business rationale for any technology - in language you can understand.
  • Helpdesk support calls should be pleasant, understandable experiences. No matter who is staffed on helpdesk, communication is the most important ingredient. If an engineer cannot talk to a non-technical user in plain language—which shows that the engineer understands the problem and how it will be resolved—then they won’t be able to effectively help end users.
  • Reports and metrics should be available, and written in business-friendly language. You should be able to read about things like website traffic, hardware issues, data backup success, and costs without wading through jargon and complicated spreadsheets. All reports should clearly show the end results of your technology investments in clear, measurable metrics.

Ultimately, your IT staff or vendor should be able to tell you why they’re doing something, help you when problems arise, and report to you in understandable language.

How You Can Communicate Better With Your IT Staff and Vendors

On the flip side, you might wonder if there are things you can do to improve your communication with IT staff and vendors. Based on our experiences working with some great customers (including many superb cities), here are some tips you can apply when communicating with your IT gurus.

  • Take recommendations seriously. You are correct to be wary around bad vendors and to be skeptical even with good ones, but if you are working with good IT vendors or trusted IT staff, take their recommendations seriously. We understand that you sometimes cannot act upon all recommendations immediately, but it’s the job of good IT people to point out red flags, danger areas, and things you need to do so that the city keeps operating. Ignoring valid, important recommendations breaks down communication quickly.
  • Meet to discuss ongoing progress and future planning. We often see key stakeholders skip quarterly reviews and planning sessions. However, it’s these meetings that contain the most communications gold. That’s when you get to ask in-depth questions, clarify expectations, learn more about the technology you’re investing in, and continually improve the end results of your investment.
  • Don’t get angry, hasty, or panicky. Again, sometimes bad vendors may drive you toward these emotions, but when something goes wrong it’s easy to hop on the phone and tell your great IT staff or vendor to “SOLVE MY PROBLEM NOW!” Instead, it’s best to relate the problem objectively, listen to how the IT person is assessing the issue, and allow them sufficient time to research, assess, and address the problem. That objectivity helps keep communication smooth, even when a high-pressure problem arises.

Like any relationship, communications are not perfect all of the time. But when we notice both parties apply the above advice, most communications issues are averted. That’s why it’s important to find a vendor or IT staff with business acumen, mid- to senior-level helpdesk experience, and full transparency about results. If you have that foundation, then all you need to do is engage your trusted staff or vendor fully by listening to recommendations and being part of their ongoing service.

To put our communications to the test, feel free to contact us.


Tuesday, October 9, 2012
Dave Mims, President

Back in August 2012, Government Technology and the Center for Digital Government held the 2012 Best of the Web Awards. The first place city website winner was Louisville, Kentucky. For a city of about 750,000 people (and a metro area of about 1.4 million people), it may seem like Louisville’s magnitude has little in common with the website needs of smaller cities.

However, a recent interview with Beth Niblock, CIO of the City of Louisville, suggests that there are some ideas that can transfer over to smaller city websites—and still fit your budget.

In her GovTech video interview, Niblock discusses three important city website features:

  • Search — A city website needs an easy-to-use search capability. Louisville’s website contains a highly visible search box in the upper right-hand corner of nearly every page. In addition, under each tab on top of the homepage you will find a variety of “megamenus” that expand when you hover over each tab. With the search box and megamenus reinforcing each other, Louisville makes it easy for people to find information.
  • Mapping and Geospatial Awareness — The city uses mapping and GIS when appropriate for specific services. Check out their use of crime maps, a construction permits map, and an online property search. These website features help with data visualization and also provide a value-added service to citizens.
  • Social Media — The city’s website allows people to share any page via nearly any social media channel you can think of. There is also a social media center that clearly outlines the various services, organizations, and people who have social media presence on a variety of platforms (Facebook, Twitter, YouTube, Flickr, etc.).

All of these features are important no matter what your city’s size. We work with even the smallest cities to make sure they have search and social media capabilities on their websites. The City of Oakwood, Georgia is an excellent example of a smaller city providing both a convenient website search option along with an easy way to connect on Facebook.

To add to Niblock’s excellent city website takeaways, we want to note some other great features of Louisville’s website that even the smallest cities need to have.

  • Pages for Each City Service: Under the Residents tab, Louisville generously provides pages for all key city services: city hall, public safety, vehicles and transportation, utilities, etc. It should be easy to find the most common city departments on a city’s website, and citizens should not get lost on your website looking for that information.
  • Online Payments: Louisville provides online payments for parking tickets, utility bills, permits, licenses, and other fees. People have come to expect online payments for most services, and your city needs to meet those expectations.
  • Sharing Government Information: That means city council agendas, meeting minutes, videos of city business, and other important documents are made available to the public. Louisville posts up-to-date PDFs of City Council agendas and minutes along with video and audio files from a variety of city meetings. This kind of information sharing is useful for citizens and promotes transparency in government.

If you want to learn more about how these essential website features are within reach of your budget, please contact us.

Friday, October 5, 2012
Dave Mims, President

Last month, we wrote about the benefits of document management for city clerks. But one benefit that often gets lost in the discussion is security.

People often think of more pressing pain points when it comes to considering a document management solution—finding and accessing files, getting rid of paper-based systems, and better preparing for audits and open records requests. But security matters especially when you have documents that people want to steal. City documents fall squarely into this camp.

A recent article on Business Insider noted security as one of the five reasons for considering a document management system. We agree, and this Business Insider article inspired us to elaborate on the security component of document management.

Security Benefits of Document Management

If you are thinking about switching to a document management system, these additional areas related to security will help you make the case.

  • Setting Permissions: Unlike a paper-based system, unstructured documents (Google Docs or Microsoft Office documents), or a consumer-based document management system (like Dropbox), a more robust document management system lets you rigorously set and manage permissions for who can access which documents. This feature prevents unauthorized people from gaining access to sensitive documents.
  • Receiving Security Notifications: In a document management system, administrators receive notifications when people add, edit, or delete documents. These notifications serve as red flags for any suspicious activity.
  • Benefiting From Full Data Center Security: Document management systems are typically stored and managed in the cloud or—at the very least—in high-end data centers. These data centers provide physical security, employee background checks, and the best security for your servers. (Read our recent article on how to assess a data center as it relates to website hosting.)
  • Ensuring Full Data Backup and Disaster Recovery: Frequent snapshots of your data along with a full disaster recovery plan help ensure that you won’t lose your documents if a tornado, fire, or theft occurs.
  • Encrypting Your Documents: State-of-the-art document management systems encrypt your documents so that if people somehow get hold of the information, that information is useless. If someone steals a laptop or gains access to a mobile device, the information will be inaccessible and worthless.

However, while these are security benefits of a document management system, all vendors are not created equal. Ask the following questions as you assess the security component of your document management vendor.

  1. How much do I know about their data center best practices?
  2. Is the document management system well known? Is it used by many other cities?
  3. Does the vendor audit their document management security? Are they willing to submit to a third party audit?
  4. What is the data backup and disaster recovery plan for your documents?
  5. How are permissions set? How does administrative access work?
  6. What do I know about the vendor’s employees who will have administrative access to my sensitive documents? Do the vendor’s employees submit to criminal background checks?
  7. What happens when a laptop or mobile device is stolen? How will my documents be protected?

Finally, also consider your own security policies. No vendor or IT staff can account for every security breach—especially breaches related to how you create and share information from a business process standpoint. Employees must be careful about where and how they access documents, giving out or sharing passwords, and understanding the nature of scams and phishing attacks.

For more about securing your document management system, contact us.

Tuesday, October 2, 2012
Clint Nelms, Network Infrastructure Practice Manager

When you see highly publicized attacks by hacking groups such as Anonymous on some of the biggest targets in the world, it can be easy to think there isn’t much one can do about website hacking. But while some of the world’s best hackers may seem hard to defeat if they decide to come after you, the reality is much more mundane—and preventable.

Groups like Anonymous are rare and few, but website hacking is common and prolific. Mediocre and below average hackers all over the world take advantage of poorly secured websites. The mistakes that organizations make in protecting their websites open them up to cyber liability.

Local government must especially be vigilant. Here is a scary but all too real story about the City of Haines City, Florida.

Cyber Liability for Website Hacking: The City of Haines City, Florida

In 2012, citizens trying to reach the City’s website were redirected to a Turkish gaming site. This was the second time in a year that had happened. The results?

  • Citizens could not make online payments.
  • Citizens attempting to make online payments could have been defrauded by the hackers.
  • Citizens’ computers could have had spyware and malware installed on them.

Unfortunately, we have seen similar hacking situations happen quite a number of times with cities. They usually fall into two common scenarios.

Cities outsource the hosting and management of their website to a cheap vendor. With technology constantly changing, it is often difficult to know what criteria should be used to evaluate a website hosting company. As a result, many decisions about website hosting vendors are based solely on price. Low-cost website vendors often host websites on servers located in other countries. The cheap vendors are cheap because they cut corners. Thus, the city’s website is not properly managed or secured.

Cities host their websites in-house with insufficient management and maintenance. Sometimes, city IT staff wear so many hats that it is difficult for them to keep up with the website server with regularity and efficiency. It’s easy with an overloaded schedule (or if IT staff are junior-level and inexperienced) to not secure a website properly, update security patches, and keep up with server maintenance.

Whether a city is cutting corners by hiring a cheap vendor or overburdening its IT staff, the end results are expensive. When citizens cannot reliably access a city’s website:

  • Trust erodes between citizens and government.
  • Online services go unused, which creates additional cost (from people having to call or come into city hall) and lost revenue.
  • A city’s website centralizes important business services for a community. If it’s not reliable or professional, new businesses that are considering your community will set up shop elsewhere.
  • Ultimately, think about how devastating this situation is to a city’s reputation. If the city’s website is used as a host for fraudulent activity, this creates not only a liability but also a public relations nightmare.

Preventing Website Hackers From Hacking Your Website

There are some simple tips you can use to prevent most of the world’s website hackers from turning your city website into a fraudulent Turkish gaming site (or any other type of fraudulent site).

  1. Know where your city’s website is hosted. Your vendor or IT staff should be able to give you a clear picture of where and how the city’s website is hosted. You should know plenty of details about the data center: how it operates, what type of staff maintain it, and how security and data backup are handled. It should be a place that is identifiable, legitimate, and even a place you could visit if you wanted. Remember, you are dealing with local government data. It is very sensitive information, so you absolutely must know about the data center’s operations. And ask for a copy of the data center’s last SAS 70 audit.
  2. Have your website audited for potential risks by a third party. If you are unable to have your website hosting provider submit to a third party audit, be suspicious! An audit is a good thing to do, regardless of how well your website is maintained. (At Sophicity, we do this for ourselves and our customers!) If your website hosting provider won’t submit to an audit or prevents and delays it from happening, that’s a major red flag.
  3. Regularly rotate passwords used to administer your website, and use strong passwords. We recently wrote an article about password best practices. Rotate passwords and make sure they are strong—especially for administrative passwords. Hackers have become excellent at figuring out weak passwords.

Remember, city websites are an important link to the citizens in your community and the businesses that generate a majority of your tax base. Plus, city websites often process financial transactions which allow citizens to make payments online using sensitive information. City websites have to be secure. The hackers might be good, but you need to be a step ahead.

Contact us if you’d like to discuss these issues. And stay tuned for Part III of this series, which will cover virus liability and antivirus precautions.

Thursday, September 27, 2012
Dave Mims, President

The National League of Cities recently reported that cities continue to lose revenue, forcing them to cut staff, delay or cancel projects, and slash services. In these times, every dollar saved counts—which is why many cities continue to shift toward online payments.

Cities as diverse as Farmington, Michigan; Blaine, Washington; and Portage, Indiana have joined hundreds of cities around the country that have switched to online payments. (Blaine’s switch to online payments saved them $20,000 a year in credit card fees.) In case your city wants to make the switch or upgrade from an aging online payments system, here are some reasons why online payments will positively affect your city’s bottom line.

  • Fewer customers at city hall. You don’t need customers coming to city hall to conduct simple transactions. Online payments reduce foot traffic so that city staff focus more on higher quality, hands-on service.
  • Less processing time. Accepting and processing payments can take up a lot of staff time. It is tedious, mundane work that can be automated and tracked in an online payment system.
  • Increased processing volume. Once you gain some initial efficiencies, you’ll find that you can process payments faster and in higher volume. That means collecting revenue quicker and serving customers better.
  • 24/7 payment options. The city can collect revenue 24/7 instead of waiting for people to come in between 9am and 5pm. Many people often delay paying the city because it’s inconvenient to come in during the week. 24/7 payment options make it easier for people to pay on time, on their time.
  • Reducing error. Online payment systems collect and store information electronically, reduce a large amount of human error, and track data more effectively. By reducing error, you collect more revenue.
  • Ability for customers to set up recurring payments. With recurring payment options, customers submit their credit card information and set the day of the month they will pay. The city then collects their payments like clockwork. Fewer late payments and less time chasing down people to pay their bills means collecting more revenue.
  • Less paper and postage. With online payments, you eliminate massive amounts of paper and postage—which means more money back into the city’s budget.

Not only do you gain these immediate benefits, but you also increase your reputation as a modern, business-friendly city. Online payments are part of the minimum requirements that businesses and residents expect when dealing with modern municipalities. Providing something as simple as online payments signifies that you make services easy for people who may form part of your future tax base.

If you’d like to discuss online payments in more detail, please contact us.
