CitySmart Blog

Wednesday, March 7, 2018
Nathan Hall, Network Infrastructure Consultant

Just as internet access is standard at nearly all organizations, Wi-Fi access to the internet is nearly at that same level of expectation. Most organizations rely on it internally and guests expect it. So many employees use untethered devices such as laptops, smartphones, and tablets—and those devices often work best with wireless access.

Simply buying a few retail wireless routers and setting them up yourself may not meet your needs. It’s not uncommon to see cities with spotty wireless access, slow wireless internet connections, and even a risk of data breaches through unsecured wireless access points.

If you’re struggling to provide quality, consistent, and reliable wireless access for your guests and employees, then you may want to explore these four ways to improve your situation.

1. Look at your technology foundation.

The root of many wireless issues goes deeper than your wireless equipment. You may want to assess your:

  • Internet service provider: Have you reviewed your ISP options lately? Your city needs a stable and reliable solution. Look at your uptime and make sure you’re getting business-class (rather than consumer-class) service.
  • Network equipment: Are your network systems able to handle your wireless needs? Your network should include switches, routers, and firewalls appropriate for your needs.
  • Modernized hardware: You may have great wireless equipment but lack devices that can use it properly. Aging laptops will often have trouble connecting to wireless access points.

2. Make sure you’re using scalable, business-class wireless equipment.

If you’re tempted to buy your wireless equipment at a retail store, don’t. Consumer-grade wireless equipment will likely not fit your needs—especially when you have to scale as more employees and guests use it.

As one example, many consumer-grade wireless routers only provide what’s known as “single band connectivity.” At home, you might connect to one 5 GHz or one 2.4 GHz band at a time. Now imagine if all your city employees tried to get onto that single band through your home router. Like a rush of traffic on a single lane highway, your internet will slow down. By contrast, business-class wireless equipment provides you dual band or triple band connectivity options—giving you more “lanes” so to speak. These “lanes” help you accommodate all your users’ needs—including high-bandwidth activities like accessing videos or large files.

3. Ensure proper wireless coverage appropriate for your city.

Walls, floors, and other equipment (such as electronic devices and appliances) can all affect your wireless connectivity. You might have employees in a basement or on a top floor struggling to get a good wireless connection. Part of your wireless access planning needs to involve coverage. Who needs wireless access? What equipment will provide an appropriate range? How much equipment do you need to provide multiple access points? Without proper planning, cities may have too little equipment for their needs.

4. Secure your wireless access and improve your wireless security policies.

Why is security important for wireless access and reliability? When you aren’t managing your wireless access, you don’t know who is on your network, how many users are on your network, or what they’re doing.

In a previous post about wireless access security, we recommended that you:

  • Secure and lock down all wireless devices.
  • Remove physical wireless access hardware from the public or unauthorized employees.
  • Apply patches and upgrades to wireless devices.
  • Use appropriate wireless hardware and configure it properly.
  • Monitor and maintain your wireless network for security risks.

If someone is abusing your wireless access, then you could see significant slowdowns when employees try to access the internet.

Is your wireless access unstable or unreliable? Reach out to us today.

Tuesday, February 27, 2018
Patrick Perry, Network Infrastructure Consultant

We secure our cars, but we don’t drive Batmobiles. We like to unlock our car doors with one click but it’s still possible for a criminal to smash the window and grab something inside. It’s a trade-off.

We secure our homes, but we don’t live in a fortress with a moat surrounding it. We can unlock our doors with a key and perhaps a security system with an easy-to-remember code. Yet, if someone really wants to enter your home, it’s still possible. It’s a trade-off.

Similarly, your information technology needs to allow your city staff to easily perform work while keeping them secure. Sure, you could remove all access to the internet—but then you would get very little done. Sure, you could whitelist every single website that employees visit—but that takes excessive oversight and IT support.

What’s the right balance? If you are too lax with your information security, then you make yourself an easy target for bad actors (such as hackers). If you are too strict, then employees become unproductive, frustrated, and trapped.

Here are a few best practices that can help you balance both user productivity and security.

1. Monitoring and alerting for suspicious activity

Monitoring and alerting technology, coupled with proactive IT, provides early identification of suspicious activity and anomalous incidents before they become serious. For example:

  • An employee’s email account is being accessed remotely from Kazakhstan.
  • A large download or upload of data starts occurring in the middle of the night.

By proactively noting suspicious activity, you may be able to stop a data breach or data loss before it happens.
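The two examples above, a sign-in from an unexpected country and a large overnight transfer, expressed as detection rules over log lines. This is an added illustration, not Sophicity's tooling; the log format, user names, expected-country list, off-hours window, and 500 MB threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Assumed format:
# "<local ISO timestamp> <event> key=value ..."
SAMPLE_LOG = """\
2018-02-20T09:02:11 login user=jsmith country=US
2018-02-20T14:30:00 transfer user=jsmith bytes=900000000 direction=download
2018-02-20T23:50:00 transfer user=clerk2 bytes=300000000 direction=upload
2018-02-21T01:10:00 transfer user=clerk2 bytes=400000000 direction=upload
2018-02-21T03:12:45 login user=jsmith country=KZ
2018-02-21T03:20:00 transfer user=mayor bytes=20000000 direction=download
this line is malformed and is skipped
"""

EXPECTED_COUNTRIES = {"US"}       # assumption: staff only sign in from the US
NIGHT_START, NIGHT_END = 22, 6    # assumption: off-hours are 22:00-06:00 local
NIGHT_BYTES_LIMIT = 500_000_000   # assumption: 500 MB per user per night


def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return {"ts": ts, "event": parts[1], **fields}


def night_key(ts):
    """Map an off-hours timestamp to the date on which that night began."""
    if ts.hour >= NIGHT_START:
        return ts.date()
    if ts.hour < NIGHT_END:
        return ts.date() - timedelta(days=1)
    return None  # daytime activity is not counted


def detect(log_text):
    """Return alerts as (rule, user, detail) tuples."""
    alerts = []
    night_totals = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev.get("user", "unknown")
        if ev["event"] == "login":
            country = ev.get("country", "??")
            if country not in EXPECTED_COUNTRIES:
                alerts.append(("unexpected_country", user, country))
        elif ev["event"] == "transfer":
            night = night_key(ev["ts"])
            if night is None:
                continue
            try:
                size = int(ev.get("bytes", "0"))
            except ValueError:
                continue
            # Sum per user per night so several medium transfers that span
            # midnight are caught, not only one huge transfer.
            night_totals[(user, night)] += size
    for (user, night), total in sorted(night_totals.items()):
        if total > NIGHT_BYTES_LIMIT:
            alerts.append(("large_night_transfer", user, f"{night}: {total} bytes"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The daytime 900 MB download is deliberately ignored, while the two uploads on either side of midnight are added together and flagged.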

2. Enterprise-grade antivirus

Enterprise-grade antivirus is quite good at shielding and blocking obvious risks when employees accidentally do something wrong. This software will flag and stop many viruses before they are activated, and it will also help prevent employees from entering suspicious websites or clicking on malicious email attachments. It’s not perfect, but antivirus software stops a lot of obvious breaches that result from employee error.

3. Patch management, software upgrades, and browser security

In addition to antivirus software, patching and upgrading your other software helps prevent employees from exposing your city to a virus or data breach. Patches often contain fixes to security vulnerabilities, and up-to-date software is built more securely than older software. Your accounting, office productivity, operating system, web browser, and other software all need regular patching and updating.

For example, keeping modern browsers up-to-date (such as Chrome, Firefox, or Edge) ensures that each browser’s built-in virus and malware protection helps prevent users from entering risky websites. When a user clicks on a bad website, a clear warning will often appear. It is important to keep your browsers updated to the latest version and with the latest patches.

4. Access and authorization

At a policy level, you need to restrict access to your software applications and data. Each person should be assigned the least security privileges required for them to do their job. For the sake of ease, many cities allow administrative access (or full access) to many employees—even if those employees should not have access to sensitive information. By restricting access, you mitigate the risk of stolen, deleted, or corrupted data.

5. Wireless network security

It’s not uncommon to encounter an easily compromised wireless access point at a city. Warning signs include:

  • No password needed to connect.
  • An unencrypted or weakly encrypted connection.
  • A default admin password identified in the original wireless access point packaging.

It’s essential that you require employees (and everyone) to log into a secure wireless network that you host. Also, make sure that wireless access points are set up by authorized IT staff or an IT vendor.

6. Physical access

Not just any employee should be able to wander into a server room or have physical access to a computer. Protecting equipment through locks, encryption, and passwords is a sensible security precaution.

7. Application controls

Software that deals with important data needs controls over data input, processing, and output. Otherwise, employees could accidentally (or intentionally) delete, alter without logging, corrupt, or even steal data. You also don’t want users seeing data they should not be able to see.

8. Content filtering

Content filtering can help block bad websites—and unfortunately many good websites. Whitelisting websites is very secure but it’s a pain for employees as they must submit many legitimate websites to someone within the city for approval. However, certain temp employees or employees focused on simple tasks may not need full internet browsing to do their jobs. Content filtering may work well to keep them focused.

9. Creative training

Employee error is the root cause of a high percentage of data breaches, viruses, and permanently lost data. All it takes is one employee to click on a malicious email attachment or website and you’ve got a potential data breach on your hands.

Consider training that is:

  • Ongoing: This helps reinforce cybersecurity lessons for existing employees while training new employees.
  • Test-oriented: For example, IT can periodically test city employees with mock phishing attacks to see if employees will click on malicious emails. If a user gets fooled, especially multiple times, they may need extra training.
  • Leader-oriented: City leaders such as the city manager, city clerk, and department heads need to buy into the importance of cybersecurity training. Otherwise, no one will take it seriously.

These best practices will help you balance employee productivity with security in a way that won’t overwhelm or slow employees down. If you need help finding a right balance, reach out to us today.

Wednesday, February 21, 2018
Jessica Zubizarreta, Network Infrastructure Consultant

When we begin working with many of our city customers, we often see the need to modernize dated hardware, software, and systems. We know this is sometimes a scary prospect.

First, old habits die hard. City staff get used to familiar servers, computers, or the way their network operates. Second, the budget for new equipment often seems too expensive. As a result, it becomes tempting to stick with old equipment until it dies to “maximize the investment.”

However, there are five major reasons why modernizing your hardware is important and should take place on a regular replacement cycle (or better yet, why you should move to a cloud platform that eliminates the need for some hardware).

1. Old hardware is more likely to break down.

Treating hardware like a junker car is not wise. When you use hardware until it breaks down, you don’t know when it will break down, what it will impact, and how you will stay operational. What if your hardware breaks down during a busy time of year? What if your dead server impacts payroll for weeks? How long will it take you to order new hardware, transfer all the data (if you backed it up), and get a new server up and running? Waiting for hardware to break down begs for unnecessary disruption.

2. Old hardware freezes up and slows down more often.

As hardware ages, it impacts your city’s operations more and more. Signs of disruption include:

  • Servers and computers crashing.
  • Servers constantly needing rebooting or restarting.
  • Computers and software applications slowing down to a crawl.

Like an old car that constantly breaks down, these problems can become expensive—so expensive that simply buying modern hardware will save you money in many cases. Just add up the costs of wasted employee time and billable hours for IT vendors. After a certain point, your older hardware is just bleeding money.

3. New software and applications often don’t work on old hardware.

Technology evolves quickly—so quickly that older hardware has trouble running newer software and applications. This problem only increases with time. Just think about your smartphone. Why do you think so many people upgrade every two years? The more sophisticated mobile apps become, the more they need the latest hardware to run properly and efficiently.

At your city, you need the ability to run important software for activities such as accounting, records management, or utility billing. Even basics like web browsing, email, and productivity software require modern hardware. When you modernize your hardware and move some applications into the cloud, you are able to use modern software and applications—which increases your capabilities and productivity as a city.

4. Older hardware becomes harder to support.

Your city staff or trusted IT vendor might be able to put out your hardware fires to get you by for a few more days or weeks, but that’s often a temporary solution. As hardware gets older, it’s less likely that the vendor will continue to support it. That support includes patches for security vulnerabilities and updates that fix bugs.

With cybersecurity so important today and cities constantly targeted with ransomware, viruses, and phishing attacks, it’s a major liability to use old, unsupported hardware. Keeping it around increases your risk of a data breach. Modernizing your hardware makes your information more secure.

5. Older hardware hits annoying storage and memory limits.

To function as a city, you require appropriate information storage. Yet, many cities find themselves in awkward storage “battles” with their servers and computers. Offloading information to external hard drives, deleting emails, or erasing older information before you want it deleted are all signs that your hardware cannot handle your demands.

Especially think about your records retention, body camera video, or email needs. Do you really want old, aging hardware dictating what you must keep or delete? Modern hardware also contains plenty of storage for affordable prices. By modernizing your hardware, you will likely have plenty of affordable storage for your needs as well as retention compliance.

We’ve worked with many cities where upgrading from aging hardware to modernized hardware made a night and day difference to operations. Benefits included:

  • Cloud applications that are automatically updated, supported, and accessible anywhere/anytime over the internet.
  • Servers with increased, affordable storage that accommodated modern software application performance and storage requirements.
  • The ability to use software and applications that enhanced city operations and productivity.
  • Higher security that reduced the risks of data breaches.

Ready to explore hardware modernization? Reach out to us today.


Wednesday, February 14, 2018
Dave Mims, CEO

As the “Jewel of the Delta” and an important business hub in Eastern Arkansas, Forrest City rests almost exactly between Little Rock and Memphis. I-40, Arkansas Highway 1, and two railways go through Forrest City—making it an important location for both businesses and residents.

Doubling in population since 1950, the city has continued to see steady population and business growth in recent years. To support more businesses and residents, Forrest City’s staff at city hall needs reliable technology. However, some uncertainty and technology issues started to hinder the city from not only serving its citizens but also complying with the important Legislative Audit.

Forrest City has four primary locations that each had its own technology challenges.

  • City Hall: In many cases, challenges arose with things such as printing issues and employees needing help accessing their computers. The city’s technology support had trouble even completing such simple requests. Uncertainty with data backup and a lack of clear policies also worried the city about passing Legislative Audit.
  • Library: Because the library needs to give public access to specific computers, some security issues existed related to that access. The software and support for enabling public access also led to inefficiencies and problems with authorizing users. Online, the library’s website looked outdated and needed a refresh while making it easier for library staff to update information.
  • Public Safety: With aging, outdated technology infrastructure, public safety’s systems needed an upgrade and some modernization. Some uncertainty also existed with their data backup and disaster recovery.
  • Court: Computers often froze and locked up, and the city’s vendor support was not capable of quickly handling these issues remotely. Onsite visits were expensive and not timely—leaving employees without working computers for days. Some uncertainty with data backup and recovery existed. Issues with IP phones also lingered, and the city did not have someone on staff to engage technically with the vendor to thoroughly understand and solve these issues.

While some problems overlapped across city departments, many unique problems made it challenging for the existing vendor to serve the city. With the current vendor not up to the task and the city worried about passing the legislative audit, it was time for a change.


Needing experienced IT professionals who also had significant municipal experience, Forrest City chose the Arkansas Municipal League’s “IT in a Box” service.

Once Sophicity began to implement the IT in a Box service, Forrest City had many of its technology issues resolved fairly quickly. The services within IT in a Box included:

  • 24x7 helpdesk: Sophicity provides 24x7x365 support to city staff. Experienced senior engineers are ready to address any IT issue both remote and onsite—ASAP. Forrest City staff no longer had to wait for an unresponsive vendor to solve issues or look up different random IT vendors in the phone book that were not familiar with the city’s IT environment.
  • Server, desktop, and mobile management: Many of Forrest City’s issues resulted from a lack of proactive IT management. Sophicity now proactively keeps computers patched, protected, and healthy to both keep computers operating properly and to guard against cyberattacks.
  • Policy and compliance: Through implementing proactive IT best practices, Sophicity also went a step further by:
    • Addressing security issues related to Legislative Audit: Sophicity helped resolve Forrest City’s issues with information systems management, contract / vendor management, network security, wireless networking security, physical access security, logical access security, and disaster recovery / business continuity.
    • Drafting policies to help the city comply with Legislative Audit: Because Sophicity works with cities that must comply with Legislative Audit, policies and procedures were quickly created that met the demands of auditors.
  • Data backup and offsite data backup storage: Forrest City received unlimited offsite data backup storage and retention for disaster recovery and archiving. No longer did staff have to worry about data backup with Sophicity’s real-time monitoring and quarterly testing.
  • Vendor management: The city did not have to worry any longer about frustrating calls with vendors about software issues or hardware procurement. Sophicity deals with any technical issues related to the city’s IP phone system, the email/fax system, the library software, and other specific technology-related vendors.
  • New city websites: The library immediately received a modern fresh custom-designed website with Sophicity hosting the website and managing the content. Plus, library staff can now also edit and update website content themselves. With such a great example already in place, city staff are currently working on a new version of the city’s website.


After the city switched over to IT in a Box, they experienced many positive results.

  • Forrest City passed Legislative Audit with the burden of the process managed for them: With their systems secure and the right policies in place, Forrest City passed Legislative Audit without a problem.
  • Responsive IT support led to increased productivity and employee morale: Employees who grew frustrated with IT issues in the past that affected their productivity for days are happy to now receive remote or onsite IT support for issues that are often resolved in minutes or hours. The ability to call Sophicity 24/7/365 and receive a quick response and resolution to issues has made a big difference.
  • Data backup helped prevent the permanent loss of data: The city experienced a few incidents—including a virus outbreak—where previously the risk of permanent data loss would have been high. Instead, Sophicity used IT in a Box’s data backup solution to get the city back up and running.
  • Sophicity untangled several complex IT problems that addressed employee frustration and lack of productivity: Some complex issues related to the city’s network system setup and library software were unraveled and addressed by Sophicity—leading to long-term permanent solutions rather than the city fighting mini-crises every day.
  • Modernized hardware for a low price: Sophicity modernized the city’s aging hardware while also carefully negotiating prices that are beneficial for a local government. Aware that cities need to be good stewards of taxpayer dollars, Sophicity also made sure that the city had the hardware needed to improve productivity and citizen services.

“I recommend that cities consider using IT in a Box. They especially helped us with the Arkansas Legislative Audit. For a city with limited staff, it’s a headache for one person to sit down and get all those policies in place. Also, Sophicity is there if you need them for overall IT support. At first, we thought the service was a little costly. But after getting IT in a Box up and going, we all now realize we should have done this a long, long time ago.” – Derene Cochran, City Clerk / Treasurer, City of Forrest City, Arkansas

Contact Us Today

If you're interested in learning more, contact us about IT in a Box.

About Sophicity

Sophicity provides the highest quality IT products and services tailored to city governments. Among the features Sophicity delivers in "IT in a Box" are a new city website, data backup and offsite data backup storage, records and document management, email, video archiving, information security policy and compliance, server and desktop management, vendor management, and a 24x7 U.S.-based helpdesk for remote and onsite support. Read more about IT in a Box.

Wednesday, February 7, 2018
Dave Mims, CEO

If you are a member of the Georgia Municipal Association’s (GMA) property and liability fund (GIRMA), then you are eligible to receive a grant from GMA’s Safety and Liability Management Grant Program to reimburse your city for up to 25% of the annual IT in a Box subscription fee.

GMA’s Safety Grant program exists to provide a financial incentive for members to improve their employee safety and general public liability loss control efforts through the purchase of training, equipment, or services. Information technology and cybersecurity remain major sources of liability for many cities. By not addressing cybersecurity threats, data backup uncertainty, and lack of cyber hygiene (such as software patching, antivirus, proactive monitoring and alerting of IT systems, etc.), cities increase the risk of a major incident such as a data breach, ransomware attack, or permanent data loss.

Save money by contacting us today. We will complete the grant application for you and work through the submission requirements on your behalf, making the whole process easy.

Your participation in GIRMA and IT in a Box makes such a grant possible. Thank you!



Tuesday, January 30, 2018
Cale Collins, Network Infrastructure Consultant

On December 17, 2017, the Hartsfield–Jackson Atlanta International Airport experienced a power outage that lasted for about 11 hours. The outage was disastrous on all levels because:

  • An electrical fire destroyed both the main power system and the backup system that were located right next to each other.
  • The outage lasted far longer than airport security experts said should happen.
  • Passengers had very little idea what was going on most of the time.
  • Airlines lost millions of dollars in revenue (with Delta alone losing up to $50 million).
  • As the world’s busiest airport, flights were massively disrupted around the world.

The shocker? Hartsfield–Jackson Atlanta International Airport did not have a clear plan for a power outage that took out the entire airport.

Your city may not be the world’s busiest airport but you can learn some important lessons about your disaster recovery plan from this actual disaster.

1. Create a true disaster recovery plan that accounts for a complete disaster.

You’re not building a “mild inconvenience recovery plan.” Disaster recovery needs to mean what it says. What happens when a real disaster hits like a massive power outage, a tornado, a flood, or a fire? Then, work backward from there. For example:

  • Who’s here?
  • What are the priorities?
  • How will you get your technology up and running after a disaster?
  • What data will you restore, and in what order?
  • What contingency plans will you create while specific data and information is not accessible?

2. Ensure that you have an offsite data backup component as a part of your disaster recovery plan.

If a disaster strikes, then your backups cannot exist in the same physical location as the information you’re backing up—even if they are right next door. You will need a distant offsite component as a part of your disaster recovery plan to ensure that your information is protected. Ideally, that offsite backup is stored in a geographical location far from your city. During a disaster, your data is safe—and you’re even able to access it while you wait for new equipment to arrive. By having an offsite data backup component, you also make sure you don’t have a single point of failure.

3. Test your disaster recovery plan.

The City of Atlanta and the Hartsfield–Jackson Atlanta International Airport admitted later that they had plans for partial outages but not a plan for a full outage because it was a “one in a million chance.” However, that’s the entire point of a disaster recovery plan. Be prepared for the worst that can happen. If you can handle the absolute worst-case scenario, then you can handle less serious scenarios.

The only way to know that you will be able to handle that worst-case scenario is to test your plan. And yes, test your plan regularly. Is your critical data actually getting backed up? Are you able to recover your data and use it in an operable fashion if a disaster hits? It’s not uncommon to find cities that never test data backups and find out too late that they do not work. By testing on a regular basis, you ensure that your disaster recovery solution works. You are not hoping that it does—you know that it does.

4. Include communication as part of your plan.

While not a technical component, communication is essential and should form part of your disaster recovery plan—both communicating to citizens and communicating internally to your staff. The Hartsfield–Jackson Atlanta International Airport communicated poorly to people and the media—leading to a lot of uncertainty, fear, and conjecture.

In case of a disaster, who will communicate to the public? Who will communicate to city staff? What happens if someone is unable to fulfill their duties? Who takes over? Communicating basic information such as the nature of the problem, how long it will take to get resolved, and what contingency plans are activated in the meantime will help you manage uncertainty. Otherwise, people panicking and barraging you with questions just adds more problems to your plate.

Learning from the Hartsfield–Jackson Atlanta International Airport’s power outage can save you some unnecessary trouble in case a disaster hits your city. Citizens depend upon you to safeguard important information and keep city operations running no matter what happens. They will depend upon 911, public safety, and city hall after a flood, tornado, or other catastrophe. If you plan and test for the worst, then you have the confidence of knowing you will be able to handle any disaster.

Need help with your disaster recovery plan? Reach out to us today.

Wednesday, January 24, 2018
Jeff Durden, Senior Engineer and Team Lead

The city of Spring Hill, Tennessee experienced a ransomware attack in early November that shut down many city operations for weeks. According to SC Media on November 16, 2017:

“The attack has essentially stopped the city from being able to conduct many of its usual functions as its IT department attempts to rebuild the database from backed up files. The attack has locked city workers out of their email accounts, and residents are unable to make online payments, use payment cards to pay utility bills and court fines, or conduct any other business transaction.”

An update on November 30, 2017 from the Columbia Daily Herald said, “The city’s financial software remains offline…” Almost a month after the attack, a major piece of software was still inoperable. While this and other articles do not give many details about what exactly happened, why, and what steps the city took to recover, we can deduce some problem areas in this situation that cities may be able to avoid. There are ways to more quickly recover from ransomware rather than letting it affect you for weeks or even months as in the case of Spring Hill.

1. Build a highly available data backup and disaster recovery solution.

A recent study shows that “Almost all (99 percent) of the professionals surveyed admitted to conducting at least one potentially dangerous action, from sharing and storing login credentials to sending work documents to personal email accounts.” Your employees pose the biggest risk for allowing ransomware into your organization—so you need to first prepare for the worst.

Modern data backup and disaster recovery solutions allow you to create “snapshots” of your data and systems at a given point in time. If the ransomware began to affect your organization at 2:30 p.m. on a Tuesday, you can restore all your data to a point in time before the infection hit on Tuesday.

While Spring Hill lost two days of data, it’s also significant that it took them weeks to rebuild and, in some cases, more than a month for their financial systems software. That raises the question of whether the right data backup system was in place. Can you afford to be down that long? Most organizations cannot…and survive.

2. Monitor systems to proactively detect issues and contain damage.

It’s unknown how the ransomware entered the city’s systems and how long it festered. However, we can note that it affected a large variety of systems: email, online payments, 911, public safety, etc. That’s very widespread.

The earlier you catch ransomware, the more likely you are to contain damage to a single computer, server, or area. Ways to prevent such widespread damage include:

  • Proactive monitoring and alerting of systems: When IT professionals—with the help of 24/7/365 automated software—monitor your systems and get alerts when something is wrong, then you are more likely to detect a virus or ransomware. Suspicious activity usually sends up a red flag if you’re proactively monitoring systems—and you can catch an incident much sooner.
  • Enterprise-grade antivirus: Relying on free or consumer-grade antivirus is not enough to fully protect you from dangerous ransomware. With enterprise-grade antivirus, IT professionals can manage the platform to receive alerts in real-time, more effectively block attacks, and analyze better where ransomware has specifically infected your systems.

3. Modernize and maintain software.

Older software is more likely to contain security vulnerabilities and to crumble under a security issue. We don’t know the age of the software at Spring Hill, but many cities often have older versions of software that lack vendor support or security features to protect against new forms of viruses like ransomware.

In addition, many software platforms are often not regularly patched and updated by cities. Altogether, this leads to situations where software becomes extremely vulnerable to ransomware when it spreads. In the case of Spring Hill, ransomware affected software across a surprising variety of functions—email, online payments, 911, and public safety.

4. Separate critical systems from less critical systems.

It’s interesting that 911 and public safety were affected along with city email and online payments. If departments share servers or systems and they go down, everyone goes down with the ship. When possible, segment and separate critical systems. This way, ransomware may have limited impact on fewer systems.

While Spring Hill survived their ransomware attack, it sounded quite rough according to the news reports. Be best prepared by following the tips outlined above, along with other recommendations we have shared in earlier posts, so that you don’t become the latest ransomware victim on the front page news.

Worried about how you may recover from a ransomware attack? Reach out to us today.

Wednesday, January 17, 2018
Dave Mims, CEO

In the fall, a Georgia city “learned” of a data breach—meaning it was unclear when the data breach actually occurred. Twelve days after learning of the incident, the city determined that someone gained unauthorized access to personal information on a server. After alerting citizens by letter, the city experienced a backlash that was even reported in the media.

Why? Citizens grew concerned over the lack of information about the incident and the ways the city offered to mitigate the risk. Providing only free credit monitoring for a year and some tips to help citizens protect themselves, the city angered citizens who complained that the response didn’t reassure them that the city was taking proactive steps to protect their personal information.

If your city hasn’t yet experienced a major data breach, it may just be a matter of time. Learning from this incident, your city can implement some best practices that will lessen the risk of exposing your citizens’ personal information to hackers or unauthorized individuals.

1. Practice proper cyber hygiene.

You shower and brush your teeth every day. You change the oil in your car every few months. You clean your house regularly. Similarly, information technology systems require “cyber hygiene”—a series of ongoing tasks and processes that mitigate the risk of a data breach. Three major cyber hygiene tasks include:

  • Antivirus: Enterprise-class antivirus overseen and managed by IT professionals is necessary to block dangerous viruses that employees may download by accident when browsing the internet or checking their email.
  • Software patching and updates: Even massive ransomware attacks like WannaCry mostly hurt organizations that did not apply basic, regular software patches. If organizations had simply patched their software, they would not have been vulnerable to WannaCry or many other threats. Applying software patches and updates is one of the most important cyber hygiene tasks that help prevent data breaches.
  • Data backup and disaster recovery: Unfortunately, even your best defenses may get breached. For example, a user may open an attachment or click on a link that unleashes a virus—mistakenly letting a hacker right in the door. In addition to stolen and exposed data, your data may also get deleted, corrupted, or held for ransom by an attacker. To alleviate the risk of permanently lost data, you need a data backup and disaster recovery plan that ensures you can recover your data in a worst-case scenario.

2. Implement strict policies to help you comply with the law.

How is your city specifically protecting citizens’ personal information? Policies around vendor contracts and management, network security, wireless security, physical access security, logical access security, disaster recovery, and application controls (such as data input, processing, and output) are needed to prevent unauthorized users from accessing sensitive information.

It’s not uncommon to encounter cities that don’t have clear policies about authorized access. The result? Situations where too many people have administrative access, passwords are weak, and information is not properly encrypted and secured.

3. Increase your ability to identify a breach.

The longer it takes to discover a breach, the more scrutiny you will receive when it’s revealed to the public. A data breach can go undetected when an organization does not have a proactive IT mindset that includes:

  • Ongoing monitoring and alerting of systems: A blend of automated software and the oversight of your systems by IT engineers is needed to detect issues such as suspicious activity.
  • Proactive management of applications and systems, vendor access, network access, wireless access, physical access, and user access to ensure that only authorized users are accessing your systems.

4. Transparently notify your citizens after a data breach.

Many state data breach notification laws require that you contact anyone affected. Laws vary by state but usually you will need to let victims know what happened, what information was breached, and what you are doing to remedy the situation. The Georgia city from our introduction sent out a letter to citizens that described the incident, tips on how to protect themselves, and free credit monitoring.

However, some citizens felt dissatisfied by the city’s response and the media reported as such. For legal, law enforcement, or security reasons, you may not be able to provide all the details people want but you should try to provide as much information as possible.

Especially after the Equifax data breach, people are more wary and distrustful of organizations that seem slack in protecting their sensitive data. Cities are stewards of sensitive citizen information. Many data breaches can be prevented by basic cyber hygiene that follows the steps above along with providing regular ongoing training for your staff. And remember, it’s also essential to have a data backup and disaster recovery plan in case hackers delete or destroy data as part of a breach.

Are you vulnerable to a data breach? Reach out to us today.

Wednesday, January 10, 2018
Sylvia Sarofim, Network Infrastructure Consultant

Even if Uber does not operate in or near your city, its recent disclosure of a massive data breach has important lessons to teach cities. Occurring in October 2016, the data breach affected 57 million users—and Uber hid it for more than a year. Even more, Uber paid the hackers a $100,000 ransom to delete the data.

While embarrassing for Uber, this data breach illustrates several important security policy and compliance best practices that apply to cities in a day and age when these kinds of data breaches can happen to any organization.

1. It’s the law to report a data breach within a specific time period and comply with the right notification requirements.

48 states each have their own data breach notification requirements. Obviously, you will need to follow the data breach notification laws in the state where your city is located. However, if you handle personal data from people in other states, then you must report the data breach to those states too.

Overall, you need a plan in place to respond legally to a data breach within a specific timeframe and with the right information to the state (or states). That plan includes:

  • Knowing what is and isn’t a breach.
  • Notifying appropriate state, federal, and law enforcement agencies.
  • Meeting state-specific reporting requirements.
  • Understanding how the data breach happened.
  • Taking steps to correct the vulnerabilities.
  • Notifying people who were affected by the data breach.

Examples of state data breach notification laws include:

Talk to your city attorney, finance officer, and information security officer for more details about how your city is (or isn’t) equipped to respond to a data breach.

2. Don’t pay criminals.

Uber made a rookie mistake when they paid hackers $100,000 to delete the exposed data. Why would you ever trust the bad guys? They targeted you, stole from you, hold your property hostage, and demand a ransom. And yet they promise to put things back like they were, clean up their mess, and close the door on the way out, never to cross your path again. Right! Do you really think that criminals will delete information like you ask and never sell it on the black market? The federal government and law enforcement agencies recommend never paying criminals. We’ve talked about this issue a lot with ransomware. It’s tempting to try getting your data back by paying a ransom and hoping the criminals will unencrypt your data. However, it’s not guaranteed. Even if it works, how do you know your data hasn’t been altered, resold, etc.? And know that you’re funding criminal activity. The better response? Rely on your data backup and disaster recovery—and make sure you can recover your data in a worst-case scenario.

3. Maintain proactive security best practices.

Hackers threatened to expose sensitive data if Uber didn’t pay up. How did that data get exposed in the first place?

According to KnowBe4: “Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. […] If you read between the lines, that could very well be a simple credentials spear phishing scheme, done with some crafty social engineering, or perhaps careless developers leaving internal login passwords lying around online.”

To prevent similar issues, you need proactive security best practices in place that include:

  • Authorization policies: Who gets access to sensitive information? Where is that information stored? Who manages access? In Uber’s case, a GitHub coding site exposed sensitive information to unauthorized people. It was easy for hackers to then use that information to break into a more hard-to-access server.
  • Password policies: While we can’t confirm exactly what happened, it’s likely that passwords were stored on an unsecured third-party site. In the past, we’ve talked about password security risks related to human error such as writing passwords on sticky notes and leaving them exposed to public view on your desk. Sharing or storing passwords in unsecured online locations is just as dangerous as, or even more dangerous than, leaving them lying on a desk. Employees need to protect passwords like they would protect their social security numbers or banking information.
  • Third-party access policies: When vendors or contractors work with you, what city information can they access? How do they access it? Data breaches can just as easily result from third parties, so it’s essential to create policies around how vendors, contractors, and outside users can access your systems and data.

4. Teach employees about “spear phishing” techniques.

You may have heard about phishing—when hackers try to use spam emails or other methods to get you to click on a dangerous website link or file that contains a virus. With spear phishing, a hacker specifically targets a high-level person in your organization. For example, we recently interviewed Stephanie Settles, the City Clerk and Treasurer at Paris, Kentucky, who was targeted in a spear phishing attack. The hacker cleverly imitated the city manager and even used his language mannerisms. Luckily, the odd requests from the “city manager” raised red flags with her that stopped her from transferring thousands of dollars to the criminal—but other cities might not be so lucky if they are caught unaware.

5. Teach employees about social engineering techniques.

When sophisticated criminals specifically target a city, they often use advanced social engineering techniques. That means they know how to act and manipulate you into giving up information. For example, let’s say you’re busy and stressed as you take many phone calls during the day. What if a “support engineer” calls you up and says they need your password to fix the “software issue”? The “software” is a system you (or your staff) use and the support engineer sounds like he knows what he is talking about and comes across as very personable—joking and making you laugh a couple of times. To be helpful, you give the password over the phone. Later, you find out that it wasn’t your support engineer at all. Instead, you allowed a hacker into your network—giving him or her the entry point they needed to breach your system.

Even if employees want to be helpful, they must follow strict procedures over the phone. That means even if a trusted employee or trusted vendor calls up wanting your password, say ‘no’. Again, say ‘no’. You must follow a policy and a process to provide them authorized and secure access to the system they want, and it won’t be by providing them your password.

Learn from Uber. If you haven’t created detailed security policies or reviewed yours in a while, then take the time to make sure your risk of a data breach is minimized. If you need help, then reach out to a vendor with municipal experience related to proactive cybersecurity best practices, policies, and compliance.

Are your security policies not in the best shape? Reach out to us today.

Wednesday, January 3, 2018
Michael Chihlas, Network Infrastructure Consultant

Free software. It sounds like a great bargain. However, a recent incident shows the dangers of freeware. Back in September, CCleaner (a common free software tool) experienced a major security flaw. When CCleaner pushed out a software update for its customers, the software update contained malicious code that could be used by hackers to control a person’s computer.

At first, this seems like a problem that any city—even if they work with IT professionals—could not have avoided. After all, a legitimate company pushed out the update. What can you do about such a situation?

Actually, there are quite a few lessons to learn from this situation—although the lessons are subtle compared to the warnings we would typically give about avoiding viruses or malware. Yet, the security issues and liability from using freeware may be just as serious.

1. If IT professionals aren’t monitoring, patching, and updating your software, then how will you know there is a problem?

If non-technical city staff use freeware like CCleaner, then how will they know a security issue exists? If they are not keeping up with professional technology security news about software vulnerabilities, then they may not know about this issue for a long time. However, IT professionals will know about such issues within minutes or hours because they get the alerts and understand the implications.

2. If you do know about an issue, then...now what?

Okay, let’s say non-technical city staff find out about a problem with a software update. Now what? What will they do to make sure that hackers will not exploit this security vulnerability, control your city employees’ computers, and steal confidential or sensitive information?

Part of addressing such an issue means having an underlying understanding of the issue as a foundation and then the experience, processes, and tools to both quickly resolve and mitigate the risk moving forward.

3. What problems are you hiding by using freeware?

Do you realize the risk to your systems, records, data, finances, and citizens’ identifiable information that your city manages when you rely upon non-technical employees to perform computer maintenance? This is a great risk in today’s world.

Consider additional freeware tools other than CCleaner that your city may be relying upon for:

  • Antivirus: Employees in charge of their own antivirus software is a big risk, as employees may not keep antivirus definitions up to date.
  • Data Backup: You cannot guarantee that backups are occurring without IT professionals monitoring and testing them.
  • Email: To lessen liability, your city needs an enterprise email system with its own domain name (such as mayor@mycity.gov) instead of using a free service.
  • File Sharing: What processes are in place to ensure compliance? In other words, are only authorized users sharing authorized information in a secure transmission of data?

4. Is your freeware meeting policy and compliance standards?

Overall, enterprise software that is maintained by IT professionals helps ensure that you are following city policies and meeting compliance standards. Otherwise, your seemingly innocent use of freeware may break the law in multiple ways or increase your liability because of:

  • Risk of permanent data loss
  • Exposing confidential and sensitive information to unauthorized users
  • Installing viruses and malware onto your computer
  • Risk of untracked data changes or (even worse) fraud

With freeware, you’re increasing the likelihood of a data breach, compliance violation, virus, ransomware, malware, or data loss. Cities serve an important role—no matter how big or small the city—by safeguarding and protecting sensitive, confidential information. Don’t let a “bargain” like freeware compromise your stewardship of citizen information.

Worried about freeware, or wondering how to modernize your software? Reach out to us today.
