We put the IT in city®

CitySmart Blog

Wednesday, June 27, 2018
Dave Mims, CEO
Dave Mims

Last weekend at the 85th Annual Convention of the Georgia Municipal Association, I participated on a panel in a session titled “Cyberattacks and Georgia’s Cities.” Joining me on this panel were Brittany Denney (Public Relations Manager, City of Hinesville), Cam Mathis (IT Director, City of Savannah), and moderator Kenny Smith (City Manager, City of Griffin).

Over the last year, quite a few Georgia cities have experienced the high cost and painful results of successful cyberattacks related to ransomware, malware, and hackers. I pointed out that every city—not just those recently affected—is at risk of a cyberattack. But that risk can be lessened. I talked about how bad password policies, lack of patching, and a failure to train employees about cybersecurity are the root causes of most cyber incidents. To help cities better prepare against these inevitable threats, I offered tips, best practices, and advice centered around concepts of what I call the Wall, the People, and the Escape.

To find out more about how you too can lessen the risk of a cybersecurity incident at your city, check out my entire presentation here.

Questions about your ability to fend off cyberthreats? Reach out to us today.

Friday, June 22, 2018
Jeremy Mims, Account Executive
Wednesday, June 20, 2018
Dave Mims, CEO
Dave Mims

Recently, I participated on a panel in a session titled "Social Media and Cybersecurity” at the 2018 Arkansas Municipal League Annual Conference. Joining me on this panel were Kevin Settle (Vice Mayor of Fort Smith), Officer Carmen Helton (North Little Rock Police Department), and Christopher Smith (Communications, City of Herber Springs).

My contribution to the panel focused on the cybersecurity risks every city faces today. I shared stories about cities that have been victims of cyberattacks, the contributing factors that led to such cyberattacks, a list of warning signs that cities can use to assess if they are at risk, the top three cybersecurity risks affecting all cities, and what a city can do to best prepare against the thousands of cyberattacks hitting cities every week.

Check out my entire presentation here.

Questions about your ability to fend off cyberthreats? Reach out to us today.

Friday, June 15, 2018
Jeremy Mims, Account Executive
Tuesday, June 12, 2018
Michael Chihlas, Account Manager
Michael Chihlas

The idea of an “IT guy” as a repairperson to fix your servers and computers is obsolete and, in today’s cyberworld, very risky. Even with cities that use a more sophisticated helpdesk through a vendor, these helpdesks can be frustrating, reactive, expensive, and staffed with unknowledgeable engineers who know little about municipal environments. In a recent case study with Forrest City, Arkansas, we noted that “challenges arose with things such as printing issues and employees needing help accessing their computers. The city’s technology support had trouble even completing such simple requests.”

With IT support, you need a sophisticated group of IT engineers who can handle the simple stuff, the complex stuff, and what’s unique to municipalities. How do you know if you’re getting it? Take this 5-question assessment to see if your IT support is helping—or hindering—your city.

1. When you call, are you hearing an awkward script or someone actually helping you diagnose your problem?

You know the feeling. You’ve got a specific problem, and you’ve called IT support many times. Yet, you can clearly hear a nervous entry-level or junior-level Tier 1 support person awkwardly stumble through a script full of obvious questions. You want to scream at them, “Stop with the script, listen to me, and help me now—or get me someone who can!”

A well-trained IT helpdesk works like a team. First, there are no junior-level Tier 1 support people. A team puts the experienced starters out on the court, not the green newbies. When you contact IT support, you expect an experienced engineer who is ready to address your issue. The person on the phone should help diagnose your problem in a specific, helpful way—troubleshooting, collecting useful information, and eliminating any obvious problems. Then, either they fix the problem or escalate the issue to another team member who has more experience with your issue.

In other words, when you contact IT support you are engaging not a call service or a junior engineer but someone who can help and address your issue.

2. How long does it take for your IT helpdesk to respond?

During our conversations with cities over many years, we’re often appalled by the amount of time it took previous IT support vendors to get back to cities. Days, sometimes weeks. Why are you paying for IT support if they don’t get back to you? Taking too much time to return a phone call or email can be the difference between your city functioning or not functioning that day.

Your IT helpdesk needs to respond in a timely, consistent, and predictable fashion. In other words, you know they will get back to you in a reasonable amount of time. That way, you address problems quickly. Going days or weeks without a response is unacceptable.

3. How many people are a part of the IT helpdesk?

A small IT vendor faces similar challenges that a city sees when it hires an in-house IT person such as:

  • What happens when they are helping someone else?
  • What happens when they get sick?
  • What happens when they are on vacation?
  • What happens when they leave?

You need a helpdesk with enough people to provide staffing redundancy so that resources are always there and ready to help when you call.

4. Is there continuity of service from your IT helpdesk?

In other words, when a member of your IT helpdesk ends their shift or 5 p.m. hits, is there seamless continuity with a different person the minute you pick up the phone? Even if you talk to a different person, are they up to speed on your problem because they have your notes and status right in front of them?

Some cities struggle with IT helpdesks where the left hand doesn’t know what the right hand is doing. After working on a problem, you shouldn’t have to explain the entire problem again to a next person who has no idea what’s going on. Continuity means your IT helpdesk seamlessly supports you and resolves problems as a team.

5. If you call after hours, are you interrupting dinner or waking up your helpdesk?

If you’re interrupting dinner or waking up your helpdesk after hours, it’s not a proper helpdesk. Relying on an “IT guy” or repairperson who may or may not answer the phone after hours puts your city at risk. Just think about public safety—a department that runs 24/7—to consider the risk of relying on someone who might be asleep when a server crashes.

To serve a city, your helpdesk needs to operate 24/7 with fully staffed, knowledgeable engineers as ready to solve a problem for you at 1 a.m.. as they are at 1 p.m.


Because of cybersecurity risks, modern citizen service demands, and increased legal requirements and scrutiny for cities, it’s essential to rely on an experienced IT helpdesk that serves municipalities 24/7. That includes addressing any IT issue both remote and onsite—ASAP.

Need to reassess your IT helpdesk? Reach out to us today.

Friday, June 8, 2018
Jeremy Mims, Account Executive
Wednesday, June 6, 2018
Adrian McWethy, Network Infrastructure Consultant
Adrian McWethy

We know we’ve mentioned the Atlanta ransomware attack many times, but we must mention it again as inspiration for today’s post because of a quote from a recent Atlanta Journal-Constitution article about the city losing years of dashcom footage. Buried toward the bottom of the article was this paragraph:

“Employees have to back up documents,” [Chief Erika Shields] said. “Even if it’s not related to a criminal investigation, if it is of some value to you, you have got to be backing this stuff up. I think it was a painful but useful lesson in IT security for all of us.”

Employees have to back up documents? This is so clearly not a data backup and disaster recovery best practice that it’s startling. Data backup and disaster recovery is not the responsibility of employees. Otherwise, you set yourself up for failure.

However, we are involved in IT every day. We live and breathe data backup and disaster recovery, but many non-technical city staff do not. Therefore, it’s reasonable to assume that their perception and our perception of data backup are different.

Here are a few common assumptions about disaster recovery that are incorrect, dangerous, and risky. Ask yourself if your city makes these assumptions.

It’s not disaster recovery when you rely on employees to back up information.

Let’s start with the Atlanta example. Data backup and disaster recovery is both the responsibility of your city’s decision makers (approving the means) and your IT team or vendor (implementing and managing the solution). Employees are not IT experts. They have jobs and skills that do not include the requirement of ensuring that your data will be recovered in the event of a disaster. They are distracted, busy, untrained, and inexperienced when it comes to IT-related responsibilities.

Ideally, an IT vendor should deploy, configure, manage, monitor, and regularly test your onsite and offsite data backup and disaster recovery solution. Only IT professionals can ensure that you’re properly backing up information and complying with policies and the law—as well as reducing liability while knowing you’re able to recover from a disaster.

It’s not disaster recovery when you manually back up data with external hard drives or flash drives.

Let’s say you’ve given someone the “role” of backing up your data by telling a non-technical employee to back up servers and/or computers with an external device. Then, you might store that external hard drive, flash drive, or other storage device in a vault, an employee’s home, or a room in city hall.

This is dangerous and risky on many, many levels. First, you’re relying on a person to conduct a manual process every day or week who may forget, get sick, or go on vacation. Second, hard drives and flash drives may not capture all the information you need in a recoverable way as your data and systems evolve over time. Often, we find that the dataset captured by storage devices used in manual processes is incomplete or even corrupted—meaning the data is not really backed up. Third, you may be in some dodgy legal and compliance territory by the way you’re handling the backups. And finally, you don’t have a proper offsite data backup component if you’re storing the external devices too near the original data (as seen by the following point).

It’s not disaster recovery when your “offsite” data backup is really just more onsite backup.

We wrote about the issue of the real definition of offsite data backup a few years ago and will summarize some scenarios that do not constitute offsite data backup:

  • Scenario 1: A city stores its data backups “offsite” at the fire station down the street.
  • Scenario 2: A city stores its data backups “offsite” on a flash drive at the mayor’s house.
  • Scenario 3: A city’s IT provider stores its backups at their house.
  • Scenario 4: A city’s data backups are stored at a building about six miles away from City Hall.

All these scenarios are not offsite data backup. Why? They are too close to the original location of the data. (Plus, scenarios 2 and 3 repeat risks from the above point about hard drives and flash drives.) True offsite data backup is geographically distant from your city and completely separate from your onsite data.

It’s not disaster recovery when you don’t test your data backup and disaster recovery solution.

For us, the saddest data backup and disaster recovery scenarios are at cities where they do many things right...but fail to test their solution. After making significant technology investments, a disaster finally happens and they are unable to restore their data. Why? They did not regularly test.

Testing flushes out problems before an actual disaster that may include:

  • The solution not backing up all critical data
  • Corrupted data
  • Problems restoring data, despite its capture during the backup process
  • Time to recovery issues

Without testing, these surprises threaten a successful data restoration—impacting city operations and citizen services. You also risk permanent data loss.


Remember, what you think may be data backup and disaster recovery may not actually fit the definition. Worse, your current solution may fail you when you need it most.

Ready to reassess your data backup and disaster recovery solution? Reach out to us today.

Friday, June 1, 2018
Jeremy Mims, Account Executive
Thursday, May 31, 2018
Nathan Eisner, COO
Nathan Eisner

Do you conduct cybersecurity training? If not, your city is taking on great risk.

For example:

- How would ransomware get into your city network?
- Who would receive an email with ransomware?
- Who might click on a malicious website link or open a malicious file that contains the ransomware?

The answer: City staff or some other end user on your network.

But how could they let that happen? How could they not see the danger or know better?

Well…have you trained them on how to spot these warning signs?

Today, training employees about cybersecurity is more important than ever. Cities are targets for hackers and criminals who use ransomware, malware, viruses, and other cyberattack tools to harm city operations, networks, and data. Hackers use techniques that trick employees into handing over access to your systems—and criminals know that people can be the weakest link in your security.

To ensure that your staff receives the best training possible, here are some essential topics to consider for making your cybersecurity training more effective.

Phishing

Phishing today takes many forms that can trick anyone. Hackers still successfully send out broad emails that spoof organizations (like banks or retailers) hoping to get you to enter your personal and financial information. More sophisticated phishing attacks known as “spear phishing” specifically target people at your city. A hacker might pretend to be the city manager asking for information from the city clerk, such as trying to get the city clerk to make a large financial transaction into the hacker’s bank account.

Employees can learn how to spot signs of a phishing attack:

  • Email scams: Emails may contain poor grammar, URLs that are clearly not from the presumed organization contacting you, and email addresses that look incorrect (or even bizarre). Employees can learn to spot such obvious signs of an email scam, such as this well-executed scam email fended off by the City of Paris, Kentucky.
  • Phone scams: Phone scams can be a little trickier, and this is where training needs to focus on following your city’s policies and procedures. Employees should learn never to give out usernames and passwords. A legitimate IT person or customer support representative does not need your account username and/or password to perform their task. Period. In addition, employees need to follow a process for setting up new vendors—especially when giving vendors access to systems or authorizing payments to them.
  • In-person scams: While rare, a criminal will occasionally play the role of a new vendor or employee to extract information from unsuspecting people at city hall. They may even follow someone through a door and later walk out with city assets (such as equipment or data).

Ransomware

Ransomware is a form of malware that encrypts data to hold it hostage until you pay the criminal a “ransom” to unencrypt it. Since 2017, it has become a common form of malware that leaves a trail of destruction at cities. Examples include Atlanta, Spring Hill, Tennessee, and Cockrill Hill, Texas.

Because ransomware often originates from malware in email links and attachments, phishing training (above) can help prevent ransomware infections. In addition, IT staff and city decision makers need to learn about preventative measures such as patching and updating software, using enterprise-class antivirus software, and backing up data (both onsite and offsite).

Cities should never pay a ransom—and we’ve written in depth about this issue in a past blog post. Quite simply, it’s not guaranteed that you will get your data back from criminals. Furthermore, a very high percentage of organizations do not get their data back after the untraceable funds an organization pays are long gone. Training should reinforce that cities should instead rely on data backup and disaster recovery plans to restore data.

Top Reasons for Security Compromises

It’s good to review with employees why security compromises occur. The top three reasons include:

This last point is especially important to discuss during training. Employees tend to ignore procedures and trust someone too quickly on the phone, in person, or through email. Just because someone says, “This is Dave from IT and I need your password to…” doesn’t mean that you should hand over a password.

Important Recommendations

Training should include recommendations that will impact employee behavior in a positive way. For example:

  • Require employees to use passphrases or complex passwords. Too many compromises occur because of poor passwords. Passphrases tend to be more secure because there are more letters—and they are easier for people to remember because they are meaningful (such as the passphrase “ILike2Hamburgers!”).
  • Encourage the use of Two Factor Authentication (2FA) to greatly decrease the risk of a hack. A second form of required authorization (such as a passcode sent to your mobile device) alongside your regular username and password can make you as hard to hack as finding a needle in a haystack. The hacker can even know your username and password but not be able to log in because they don’t have your phone.
  • Ensure that cities are regularly patching and updating software through a patch management strategy. Too many compromises occur from unpatched servers and computers such as the Equifax Data Breach, Petya Ransomware, and WannaCry Ransomware.

Also, train often! At a minimum, you should provide annual cybersecurity training for employees. But more frequently is better. People can easily forget the information shared during a training session. Plus, cyberattacks constantly evolve and adapt. Employees need to stay on top of new threats.

If you don’t involve everyone in training, it’s less likely that people will take it seriously. For example, if the mayor, elected officials, city manager, city clerk, and department heads all don’t care about cybersecurity training, then it’s less likely employees will care. Conversely, if only senior-level employees get training, then it’s less likely that this knowledge will trickle down to all employees.

A great way to supplement cybersecurity training is to simulate a cyberattack. For example, simulated phishing attacks will identify susceptible employees. You can then provide additional training and communication with them to make sure they are better able to spot phishing attacks.

Additional Reasons for Security Compromises

Employees should be aware of additional reasons that security compromises occur such as:

  • Outdated systems (servers, computers, and hardware no longer supported by the vendor).
  • Unsecured and misconfigured systems such as devices, servers, and workstations.
  • No clear, working data backup and disaster recovery plan.

Additional Points to Make During Training

Decision makers at cities especially need to understand how proactive IT investments help mitigate cybersecurity risks. Training should review how:

  • Upgrading and modernizing systems while engaging IT professionals to perform ongoing management and maintenance will help reduce issues that lead to successful cyberattacks.
  • Ongoing management and monitoring of systems (including all devices, servers, and workstations) helps spot cyberattacks or security vulnerabilities before they can impact your city.
  • A comprehensive data backup and disaster recovery plan (with regular testing) can help a city recover even after a worst-case scenario (such as ransomware).

As you can see, there are many ways to make cybersecurity training more effective and engaging. Most importantly, you need to conduct ongoing cybersecurity training. It’s one of the best ways to mitigate the risk of cyberattacks.

Need help or assistance with your cybersecurity training? Reach out to us today.

Friday, May 25, 2018
Jeremy Mims, Account Executive
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 |