We put the IT in city®

CitySmart Blog

Wednesday, March 8, 2017
Dave Mims, CEO

Dave MimsWe know. It’s the federal government. Yet, cybersecurity legislative trends show that security risks within government—whether it’s federal, state, or local—are being addressed because they affect national security and the privacy of citizens. There’s an incentive for Congress to help your city shore up its cybersecurity.

The federal bill is called the State Cyber Resiliency Act and it’s in the proposal stage. As a bipartisan bill, it has a higher chance of making it through the House and Senate depending on Congressional priorities. Matt Zone, President of the National League of Cities is quoted as saying:

“Cities manage substantial amounts of sensitive data, including data on vital infrastructure and public safety systems. It should come as no surprise that cities are increasingly targets for cyberattacks from sophisticated hackers. Cities need federal support to provide local governments with the tools and resources needed to protect their citizens and serve them best."

The idea is that FEMA will administer grants for state, local, and tribal governments. Particulars about the grants are not clear at the moment as the text of the bill has not yet been submitted.

We’ve been concerned about city cybersecurity for a long time, and it’s reassuring to us that lawmakers want to help cities address this issue. An article from FCW points out some drivers behind this bill:

  • “[State, local, and tribal governments] typically devote less than two percent of their IT budget to cybersecurity.”
  • “…in 2015, 50 percent of state and local governments had six or more cyber breaches within the last two years.”

We’ll be tracking this bill (S.516) after its introduction last week. Stay tuned!

Wednesday, March 8, 2017
Dave Mims, CEO

Dave MimsSB 138, introduced in the Arkansas State Legislature on January 17, 2017, was passed in the Arkansas Senate on March 6 and now proceeds to the House. Why is SB 138 so important? And why are we, a municipal-focused technology company, pointing it out?

The bill states that an Arkansas municipal charter can get revoked (yes, revoked!) if the Legislative Joint Auditing Committee finds two incidents of non-compliance with accounting procedures in a three-year period. Revoking a charter is serious, rare, and extreme. That’s pretty much the end of your municipality.

The Arkansas Legislative Audit (ALA) includes both general controls and application controls around information systems. For municipalities, accounting systems are often the most important information system they oversee.

According to the ALA:

  • General Controls are mechanisms established to provide reasonable assurance that the information technology in use by an entity operates as intended to produce properly authorized, reliable data and that the entity is in compliance with applicable laws and regulations.”
  • Application Controls relate to the transactions and data for each computer-based automation system; they are, therefore, specific to each application. Application controls are designed to ensure the completeness and accuracy of accounting records and the validity of entries made.”

While this bill has yet to pass the Arkansas House and get signed into law, its appearance and passage by the Arkansas Senate is a sign that municipalities are being held more—not less—accountable for information security, compliance, and best practices related to information technology.

Even if you’re not an Arkansas municipality, you should still get ahead of the curve. Federal and state laws that urge stronger technology-related compliance and best practices seem inevitable.

In the meantime, you can track the Arkansas bill and read up on the different components of what the ALA examines in its audit.

Concerned about the state of your information security or compliance with the law? Reach out to us today.

Tuesday, February 28, 2017
Brian Ocfemia, Technical Account Manager

Brian OcfemiaA city had relied on an old, aging email server for 10 years. Purchased in 2007, the email server often froze up and hit storage limits constantly. With the excuse of “budget,” the city did not want to invest in a new server despite these issues.

As a result, employees were often forced to delete emails in order to free up space. A city policy said the employees needed to keep “important” emails. However, it was unclear what “important” meant and the policy only loosely defined how the employees should retain them. Some employees used flash drives, some used external hard drives, and some even transferred files onto personal laptops.

One day, an outside investigation began that concerned a city department. Allegedly, funds may have been stolen and investigators wanted to get to the bottom of what happened. Suddenly, all eyes were on the city as word got out to the media.

The media made several FOIA requests to see emails related to the city department under investigation. Once the city clerk began trying to carry out the requests, she hit a wall. Not sure who kept what, she began to fear that key emails were deleted. Sending out requests to city employees in that department, the city clerk received uncertain replies about who had the specific emails.

Within days, she realized the city may not have been able to fulfill the FOIA request—even with a delay. The crushing realization settled in that emails the city was required to keep by law may have disappeared. Once the media suspected this happened, they began reporting on the city in a negative light—casting suspicion over the city in the local paper. The stories spread to various other papers around the state. Investigators also noted the serious nature of these missing emails and began to talk of misdemeanors, fines, penalties, lawsuits, and even possible prosecution for employees who possibly destroyed records.

Preventing This Disaster

Even for FOIA-related circumstances less serious than this situation, cities can feel painful repercussions when retrieving emails that are public records. Delays, excessive hours consumed searching for emails, storage limitations, and uncertainty about locating emails all increase your risk of liability. Let’s look at some errors in our story that the city committed.

Error #1: Relying on an old, aging email server.

The city thought it maximized its original email server investment. But holding onto an aging server presents too many problems that impact the accessibility and security of the information you store on it.

  • Cost: It’s expensive to maintain the hardware and software on a server that breaks down a lot, fails to operate at full capacity, and often isn’t supported by the hardware and software vendors any longer.
  • Threat of Server Failure: Whether you have data backup or not, a server failure is disruptive to your operations. Eventually, you will have to buy a new (unbudgeted) server if it fails.
  • Risk of a Data Breach: Older servers are less secure because vendors often stop providing security patches and updates after a specific period of time.

Error #2: Ignoring email storage limits.

Hitting email storage limits is no excuse for not following state retention laws. Today, many cloud email options exist that provide more than enough email storage space for an affordable price. Employees should never have to worry about deleting important emails or storing them in a separate location just because of email storage caps.

Error #3: Relying on employees to manually archive and retain emails.

This city lacked policies and procedures to ensure proper records retention—and they passed along their lack of problem solving to employees. It’s not a good idea to rely on employees to manually store emails in a consistent, legal way. Most employees have the best intentions—but they get busy, forgetful, or overwhelmed by their roles and responsibilities. They are not necessarily going to retain those emails in the most secure, consistent way.

Error #4: Following a weakly enforced policy not aligned with records retentions laws.

State records retentions laws specifically note how emails (and other public records) must be archived, retained, accessed, and deleted. Modern email servers can automate much of this process to align with laws. This city clearly needed to leverage technology more to help them automate the records retention process. Too many steps were reliant on manual, uncertain processes.

While it’s less likely that a scandal or investigation will happen at your city, it’s not impossible. On whatever level you respond to FOIA requests, it’s your legal duty to provide the information requested. If you can’t, then you’re asking for trouble.

Questions about your ability to respond to a FOIA request? Reach out to us today.

Tuesday, February 21, 2017
Nathan Eisner, COO

Nathan EisnerWhen is offsite data backup not offsite data backup? The following story offers an example—and a warning—to cities.

A city was already backing up its data onsite using an extra server. If the server failed at city hall, the other one would take over to restore the city’s data. However, some department heads urged the city to also consider an offsite data backup plan in case of a major disaster. The city manager researched some options and brought in a few IT experts to talk about possible solutions.

After some outside IT experts reinforced and reiterated the idea of creating both an onsite and offsite data backup plan, the city took a shortcut. The city manager didn’t like the idea of sending data off to a data center. He viewed it as unnecessarily expensive. Plus, he wanted control—to “see” the data when he wished. And so the city nixed the idea of offsite data backup located far away from the city.

As a result, the city worked around these parameters to build an “offsite” data backup plan. Working with their local IT vendor, the city set up a backup server in a building they owned located just down the block from city hall. The city manager argued that this building was separate from the city hall building and, thus, “offsite.” If something destroyed city hall, this server would contain all their data. Problem solved.

Or was it?

One day, a huge EF3 tornado descended upon the city. With winds upward of 150 miles per hour, the tornado destroyed many buildings in a swath of downtown. As the city assessed the damage, they discovered that the tornado destroyed not only city hall but also all buildings on that block—including the “offsite” building that stored the city’s backed up data.

With its data permanently lost, the city found itself at a crippling disadvantage at the very moment when citizens needed city hall and public safety operating at full capacity as soon as possible after the disaster. And even beyond the disaster, the city would have to deal with permanent data loss affecting its operations for a long, long time.

Preventing This Disaster

Does this scenario seem unlikely? That’s what all cities, businesses, organizations, and people often think...until after the disaster strikes. With increasing numbers of tornadoes each year in the United States that grow bigger and more devastating, it’s not unlikely that your city may face this threat—or any other similar threat.

Let’s look at the errors in our story and how your city can avoid them.

Error #1: The city’s definition of “offsite” is not really offsite.

Offsite does not mean down the block. It does not even mean two blocks away. True offsite data backup means many many miles away. When your data is stored in a geographic location far away from your city, it’s likelier to be protected from a localized disaster such as a tornado.

We often recommend that you send offsite data to at least two data centers (for example, one on the East Coast and one on the West Coast). It takes some time to set up the technology and the automated data transference to these data centers. But once set up, the offsite data backup runs without the city having to do much of anything. And if a city block is destroyed, your data is safe and accessible from multiple data centers. Your city can start operating within hours of the disaster while you are in the process of ordering new servers.

Error #2: An improper risk assessment focused too much on cost instead of the cost of a disaster.

Sure, it might be cheaper to set up another server in a building down the block. It’s also cheaper to buy health insurance with high deductibles that don’t cover serious medical conditions. In each case, the costs are astronomical when a disaster hits. Cheaper isn’t better and it’s a poor tool to judge a data backup solution’s ability to mitigate risk.

What’s the cost of losing your data? How will your community be impacted if all city records are lost? That’s the cost you should assess. From there, you can make a better case for investing in a disaster recovery solution that mitigates risks by storing data in a geographical location far from your city.

Error #3: A need to “see” the data and keep it close.

An ability to “see” and be near where your data is stored doesn’t mean it’s more secure. A server inside your city can lack the most basic security protection and be more open to hackers than your offsite data backup locked down with the highest security standards in a data center far away. Focus on security and an ability to recover from a disaster, not proximity to your data.

Error #4: A lack of a disaster recovery plan.

Clearly, this city did not think through the consequences of a disaster. They didn’t think through scenarios such as a tornado that can affect a wide area. Not prepared for a probable worst-case scenario, the city found itself completely without its data or a plan if it lost its data. Instead, it assumed that a disaster destroying both buildings was so unlikely that they didn’t have to worry.

For cities, a disaster recovery plan needs to include proper offsite data backup. We recommend that any offsite data backup plan considers:

  • A minimum of daily backups sent offsite.
  • Sending those backups to a data center in a distant geographic location.
  • A minimum of quarterly testing to ensure that your data backups are working.

Questions about your offsite data backup and disaster recovery plan? Reach out to us today.

Tuesday, February 14, 2017
Mike Smith, Network Infrastructure Consultant

Mike SmithA city wanted wireless access for guests and employees. Easy, right? The city manager told a trusted non-technical employee to “make it happen.” Going to the nearest popular retail electronics store, the employee picked up a wireless router that seemed to do the trick. The wireless router box said it covers 12 devices, so the employee picked up two routers to cover the city’s 20 computers.

Back at city hall, the employee tinkered around until they set up both wireless routers—one on the first floor and another on the second floor. Following the instructions to set it up, the employee got it working. People could now hop on a wireless network with their laptops, smartphones, and tablets.

For a few weeks, employees enjoyed the perks of wireless. So easy! They didn’t even need their on-call IT vendor to help set it up. City council loved the internet access at meetings. Employees could now access their desktop and documents while meeting in a conference room. Guests could now access the internet. How wonderful.

One day, a representative from the state’s bureau of investigation informed the city of a data breach. An unknown person hacked into the city’s server using a stolen password and collected sensitive information about taxpayers. That information appeared on an online black market for sale. Not only must the city now inform taxpayers that they are at risk for identity theft but the city may also need to pay for identity theft protection services for hundreds of taxpayers.

This event hit the city administration like a bolt of lightning. They thought through the repercussions. Loss of citizen trust. Bad media exposure. Money lost. What caused the data breach? When they performed an IT audit to figure out what happened, the answer became obvious.

The city’s unsecured wireless router—the one their trusted employee set up “so easily.”

Preventing This Disaster

A recent study from Kaspersky Lab confirms that this situation is all too common. They estimate that about one in four Wi-Fi hotspots lack even the most basic security. We find that cities often don’t realize the gaping security holes their wireless routers pose.

Let’s look at the errors committed in our story.

Error #1: Buying a consumer-grade wireless router.

A city is not someone’s house. It’s a government entity that conducts important business, serves citizens, and carries out the law. You need business-class equipment that includes enterprise-level wireless routers. These kinds of routers are better equipped to handle the demands and complexity of your city. They will provide better coverage, security, and scalability as your city grows.

Error #2: Tasking a non-technical employee to configure the router.

No matter what the back of the box claims on the consumer-grade wireless router, you need an IT professional to configure this equipment. Just setting it up out of the box is not good enough and you risk leaving open gaping security holes. Configuration involves a complex array of settings that only IT professionals thoroughly understand. They will make sure your wireless router is set up securely (such as making sure you encrypt information) and restricts who can access your wireless network (such as from a “guest” network).

For example, we see too many instances of a Wi-Fi hotspot secured with a default administration password (such as “admin”). With such a weak password, even an amateur hacker can access your most sensitive city information.

Error #3: No ongoing monitoring and maintenance of the wireless router.

In our story, the city doesn’t use proactive IT support. If they depend on reactive IT support, then security breaches could take place and the city wouldn’t know for weeks or months. With proactive support, IT professionals will monitor your network environment and make sure it’s patched, secure, upgraded, and healthy.

Are your city’s wireless routers secured? They are one of the most common hacker targets because 25% of hotspots have pretty much zero security. Unfortunately, that 25% applies to cities.

If you haven’t assessed and addressed your wireless security, then it’s just a matter of time before you’re hit with a data breach. Deal with this problem as soon as possible.

Need help assessing your wireless security? Reach out to us today.

Tuesday, February 7, 2017
Brandon Bell, Network Infrastructure Consultant

Brandon BellImagine a small city with a small public safety department. Budgets are always tight and so they have used the same server they purchased back in 2003. Plus, both the police chief and the one-person IT vendor who they call on an hourly as-needed basis know this server well. They are used to it like the feeling a person gets when they sit in their favorite comfy chair.

However, extended support from the hardware vendor ended years ago. That means the operating system no longer gets security patches and bug fixes on a regular basis. The as-needed IT person checks the server every now and then for issues and makes sure nothing really bad happens to it.

Unfortunately, that became a harder job as time went on. Even in good times, the police officers all complained how their computers (which access the server) are so slow. The server froze a lot and the police chief often reset it. When the problems got really bad, they called the IT person who would inevitably fiddle around with the server until it started working again. The billable hours for this IT person kept increasing month by month, but the police chief thought, “It’s probably still cheaper than getting a new server.”

One day, the server just...stopped working. The police chief called the IT person and assumed the usual fiddling would get it back up. Well, the IT person fiddled...and fiddled...and fiddled. Nothing. The server became as useless as a stone.

“Not to worry,” said the police chief. “We back up to an external hard drive every day. Or at least mostly every day.” The IT person tried to recover the server’s data but found that the files were incomplete and some were corrupted. The backup wouldn’t restore.

As the IT person told the police chief that the data was lost, for good, a sinking feeling entered his stomach. Now, his job—and the public’s safety—was completely at risk. Lost evidence and records, risks to active investigations, how to respond to citizen and press requests, and thinking about what would happen if a lawyer calls were only a few of the things that came to his mind as he envisioned the horror of the next few weeks and months.

Preventing This Disaster

The police chief’s approach to using and maintaining a server offers up several lessons to help you avoid this nightmare. Use this story and the following error checklist to see if you’re headed for a disaster related to server failure.

Error #1: Using hardware over five years old.

You might skirt by in life using a 2003 car. But your city flirts with significant danger by using a 2003 server. In this story, the public safety server is so old that the vendor doesn’t even support it anymore. That means it can’t be professionally fixed, secured, or updated. It’s not a matter “if” it will break down, but “when.” And “when” can be any day if it’s over five years old. Your city needs to budget for and replace server hardware every 3-5 years.

Error #2: Relying on an as-needed, reactive IT support person to barely maintain the server.

Just enough to get by. In this story, that’s the attitude the public safety department takes toward the server that holds its most important data. At home, do you handle an ant infestation just enough to get by? “Hey, there’s only a dozen ants crawling in my bed tonight. That’s good enough.” Of course not. Through many methods from cleanliness to spraying, you proactively prevent ants from entering your home.

By just band-aiding the server when it acts up, the public safety department is always barely warding off an inevitable disaster (and racking up unpredictable billable hours). Instead, all servers need to be managed, monitored, patched, and later upgraded when they reach end-of-life. Proactive IT maintenance will also alert you if a server is showing signs of a likelihood to fail in the future—preventing a disaster before it happens.

Error #3: Ignoring red flags such as slow computers and freezing.

Why do you use technology in the first place? To help you perform your job better. If a car can’t get you to work, it’s not much use. If a server interferes rather than helps with work, then it’s not much use. Slow computers, frequent memory and storage limits, and an inability to use modern applications are all signs that your equipment needs replacing before it fails.

Error #4: Failing to test data backups.

In the worst-case scenario, the server fails and your data is lost. Data backups can have problems and there are many reasons why data backups encounter possible issues. The city in our story did not test their data backups and assumed they were working. Even if a city does cling to an old server that’s soon to fail, they need to back up and test the backup on a regular basis to ensure that they can recover the data in case of a failure.

For a variety of reasons, sticking with an old server until it dies is not wise. Information security risks, slowed productivity, wasted billable hours, and lost data are only a few of the pitfalls. Modernize your technology and switch to a proactive IT support vendor to ensure that your servers don’t just fail one day and cripple your city.

Tuesday, January 31, 2017
Jabari Massey, Network Infrastructure Consultant

Jabari MasseyImagine that a city employee who works in the finance department opens their email in the morning. As they check their email, they see one message that seems to come from the city manager. Without thinking, the employee clicks on a zip file attachment assuming that it’s an important set of documents related to a meeting that day.

This employee is not technically savvy, so they are not too alarmed when they see something downloading onto their computer. A window pops up that says to accept something. The employee clicks “yes.”

Within seconds, a chill goes down their spine. Something is wrong. Multiple pop-up windows appear on the person’s computer screen and a new program seems to be running in the background. The employee tells their supervisor, and the supervisor places a call to their reactive IT support vendor who says they might be able to stop by tomorrow.

A day passes while the employee manages to continue doing work that involves accessing software on the city’s financial server. But the employee’s computer continues to slow to a crawl until they can’t use it anymore. The city manager persuades their IT vendor to send someone over today instead of tomorrow.

A junior IT support person arrives and pokes around on the employee’s computer. “Yep, there’s a problem,” they confirm. Figuring it’s a virus, they restart the computer and go into “safe mode” to try to eliminate the virus. Plugging into the financial server to make sure it’s working properly, the junior IT support person now gets a chill down their spine.

They cannot access any data on the financial server because it’s also infected with the virus.

Panic ensues. The junior IT support person calls a senior IT support person. By then, it’s too late. Both the server and the employee’s computer had not been patched in a while, and so many recent security patches had not been applied. Plus, the city runs a free version of some antivirus software that’s only updated when the IT vendor sends someone on site.

“Thank goodness there’s a data backup of the server,” says the city manager. But when the IT support vendor tries to restore the financial data from the backup...that backup doesn’t work. At all. “But we’ve been backing it up manually at least once a week,” says the city manager.

“Have you tested the backup?” asks the senior IT support person.

“No,” says the city manager. Everyone now realizes a nightmare scenario became real. The city’s financial data is lost. Permanently.

Preventing This Disaster

Some variation of this story is all too common for many cities. The good news? Cities can easily prevent a devastating virus attack by addressing some of the errors committed in this story.

Error #1: Lack of business class antivirus software.

Notice the reference in the story to free antivirus software? Many cities try to save money by installing a free, consumer-grade version of antivirus software on computers. This is a mistake because consumer-grade antivirus software is not sophisticated enough to protect city data at the server level. That usually leaves servers unprotected and computers reliant on employees making the updates.

Error #2: Reactive IT support not maintaining and monitoring servers and computers.

The IT support people in our story weren’t getting paid to do ongoing, proactive IT support. Thus, they only updated the antivirus software when the city called on them for an onsite visit. Plus, it appeared that they did not have a process in place for regularly updating the antivirus software and testing the city’s data backups. Experienced IT professionals need to regularly audit antivirus software to confirm that it’s installed on every machine and that virus definitions (which help detect nearly all known viruses) are up to date.

Error #3: An employee clicked on an email attachment.

You might have thought we’d mention this error first. However, your employees cannot be the front line for preventing viruses. We all occasionally make mistakes by clicking on a malicious email attachment or website. That’s why you need a strong foundation in place—business class antivirus software, regularly tested data backups, and proactive IT support—to stop as many viruses as possible from activating. And even if an employee clicks on something malicious, you need to be able to recover from a virus that has been activated.

Because a virus can still get through strong defenses, employee training is a must. Train your city staff about common sources of viruses such as email attachments, websites, online software, and games. With training, you can make your employees more aware about online threats that are easy to avoid if they know how to spot them.

Concerned about a virus crippling your city? Reach out to us today.

Tuesday, January 24, 2017
Ryan Warrick, Network Infrastructure Consultant

Ryan WarrickBefore you start reading this post, take our short password self-assessment.

  1. Do you have your password written down somewhere on your desk to help you remember it?
  2. Do you use a simple, easy-to-remember password (such as your kid’s name, your pet’s name, or your birthdate)?
  3. Do you use the same password for many websites and applications you access?
  4. Do you share your password with co-workers just to make things easier?
  5. At work, do you save your passwords on your web browser so that you can log in without typing your password?

If you said “yes” to any of these questions (or feel as a supervisor that your employees would answer “yes”), then you’ve got a security risk on your hands.

Why? First, simple passwords are easier to crack. Nowadays, even inexperienced hackers have access to automated password cracking software. This software can easily crack short, common, and simply constructed passwords with ease.

Second, writing down or sharing passwords with co-workers may give others unauthorized access to data and applications. What if a disgruntled employee sees your password on your desk? What if someone you think is a trusted employee uses the password you share with them to gain access to unauthorized information?

Finally, even saving passwords on your web browser (like you do at home) is not wise when working for a city. All it takes is an unauthorized person to sit at your computer or a hacker to gain access to your device to access sensitive information on applications that you use.

So, what do you and your employees need to do? Implementing the following best practices will help plug these security gaps.

1. Do not write passwords down and leave them visible.

This is an easy security tip but you need to make sure employees follow it. If they have trouble remembering their passwords, then suggest they write them down on a piece of paper and keep it in their wallet or purse—like how they protect their driver’s license, credit cards, and money from public view.

2. Use a password on all devices.

Many employees often use passwords on their desktop computers but it’s easy to forget to set up a password on laptops, tablets, and smartphones. Mobile devices are perhaps even easier from which to steal information. A thief or disgruntled employee can steal a smartphone in seconds and quickly gain unauthorized access to city email and applications. Protect all devices with passwords.

3. Do not use simple or obvious passwords.

Instead, use strong passwords such as long passphrases (like “The brown fox is 2fast!”) or complex passwords consisting of a mix of letters, numbers, and special characters. Strong passwords go a long way toward preventing hackers from getting into city applications. And if your password is one of the top 25 worst passwords below (according to Splashdata), change it NOW!

4. Do not save passwords to websites and applications.

You may do this at home so that you can easily stay logged into your favorite websites and applications. However, you don’t want to do this at your city. If someone gets access to your device, then they can gain access to unauthorized information without even needing to crack a password. Enforce a policy at your city that employees cannot save passwords on even their most frequently used applications.

5. Change passwords regularly.

Yes, this annoys employees but it helps with security. The longer a password is in use, the more likely that hackers will be able to crack it. The more you change passwords, the more difficult you make a hacker’s job.

6. Do not use the same password for all systems you access.

We know—another annoyance! But think about it. Let’s say an employee uses the same password for five different software applications that give access to confidential information at your city. If a hacker or disgruntled employee gets one password, then they have access to all five applications. Mitigate the chance of a data breach by requiring different passwords for each application.

Cybersecurity continues to evolve. In the future, passwords may go away and get replaced by different forms of authentication. But in the meantime, passwords are here to stay and they often represent a gaping security hole for hackers. By following the best practices outlined above, you will make your city’s cybersecurity much stronger.

Questions about the state of your city’s cybersecurity? Reach out to us today.

Wednesday, January 18, 2017
Victoria Boyko, Software Development Consultant

Victoria BoykoLike the tree in the proverbial forest that no one hears when it falls, do you think that anyone “hears” your city website in a forest of internet information? In many cases, probably not. That’s unfortunate because city websites already have a few advantages that other businesses and organizations would love to have.

  • City websites are highly trusted.
  • People will search for information on your website. You’ve already got a ready audience of hundreds or thousands of people.
  • People often need your information such as news, event postings, city council minutes, or services. You’ve already got demand for your information.

Yet, many city websites seem nonexistent and disappear on the internet when people search for them. Remember that most people will look for your website on a search engine such as Google or Bing. To show up on the first page of search results, your website must follow a few best practices and show constant activity to prove to these search engines that your website is trusted, useful, and relevant.

How can your city website emerge from the internet forest? Here are a few tips.

1. Share a link to your website with reputable organizations.

Because you are a city, many organizations want to link to your website. If people are researching for city-related information on another website, then you want your city’s website listed there to help people find you. Examples of websites where you want your city’s website listed are:

If there isn’t a self-service feature to upload your own website link, then reach out to the organization and ask if you can provide a link to your city’s website. Many of these organizations will be more than happy to oblige. Make sure you focus on reputable websites. Don’t reach out to sketchy, suspicious, or little-used websites and online directories that may harm rather than help you.

2. Share links to timely and interesting city information on social media.

Facebook. Twitter. YouTube. Use them if you can. Many of your citizens and other people interested in your city use these social media sites all the time. Share timely information such as emergency alerts, news, press releases, events, and photos. Any urgent or newsworthy information will be useful to people and they are likely to share it.

When people share your links on social media, it helps your website feature more prominently on search engines. Don’t be afraid to ask people to share posts on social media by including a “call to action” (such as “Tell a friend!”).

3. Share your website link with newspapers and magazines when they write up stories about you.

Another advantage for cities is that they are automatically of interest to media. When newspapers, magazines, and industry publications report on news or write up stories about you, make sure you provide your website link for them to feature on their websites. Media outlets are usually highly reputable sources on the internet. When reputable media publications link to your website, the search engines will see it as a sign to display your website higher up in search results.

4. Link to other websites on your city’s website.

To get links, you must give links. If there are pages on your website where it would be useful to provide links to other websites, then do it. For example, you might provide links to tourist attractions or websites that help people find jobs. Linking to another organization’s website makes it more likely that they will reciprocate and link back to you. However, don’t abuse the sharing of links. Make sure each link provides useful information to people.

5. Produce regular, timely, useful content on your website.

Search engines don’t like dead or stagnant websites. Those kinds of websites disappear in search results. That’s because Google or Bing considers those websites as not useful or vital—rather like an abandoned house. If you want people to find and link to your website, then you need to provide a stream of timely, useful content for people. That can help supply your social media feeds with new information and keeps people coming back to your website in anticipation of new content.

Start with these five tips and you will begin to see your city’s website rise in visibility on search engines, social media, and other organization’s websites. This process can take a while but the steady investment of time is worth it. After all, you want your website to be seen. These tips will help you make it happen.

Questions about getting your city website more visible and out there in the world? Reach out to us today.

Wednesday, January 11, 2017
John Miller, Senior Consultant

John MillerIn Part One, we talked about warning signs such as lack of data backup, aging hardware, and non-technical staff handling IT issues. In Part Two, we discuss five more warning signs that may lead your city toward a disaster.

Warning Sign #6: Unknown IT assets and inventory.

One of the most overlooked security risks is simply not knowing the total amount of hardware and software you own. And even if you do know that you own something, you may not know where it’s located. You can only secure what you can locate.

Disaster: On a two-year-old spreadsheet that lists 20 laptops, you can only track down the location of 17. You had not updated this spreadsheet in a while and you are not sure if a former employee walked off with the laptops. Because the laptops contained sensitive information, you may have a potential data breach on your hands.

Prevention: Part of asset management includes monitoring and maintaining any “live” hardware, software, and networking equipment. If you’re not using an asset anymore, then it needs to be decommissioned by an IT professional. Asset management also includes technology-related warranties, licenses, and upgrades.

Warning Sign #7: Reactive IT support putting out fires.

Imagine someone arrived at your house every week to make continual bare bones fixes to your roof, floors, or plumbing. You barely keep leaks, pests, and the outside elements at bay. Would you consider that a proper home? Instead, if a major problem occurs then you likely eliminate it once and for all by addressing the root cause. Yet, many cities put up with reactive IT support that never fixes the root cause of serious problems.

Disaster: After a lot of publicity, you offer a new payment system on your city’s website for citizens. Within weeks of its debut, the website continually crashes. For months and months, your reactive IT support vendor makes temporary fixes but the root problem keeps occurring. Citizens grow frustrated and complain to city council about wasted taxpayer dollars going to online services that don’t work.

Prevention: Ongoing, proactive IT support not only more quickly addresses technology issues but it also involves IT professionals implementing modern technology and best practices to eliminate issues before they occur. In the case of our website example, a proactive IT support team might upgrade an aging website or revisit what vendor hosts the website.

Warning Sign #8: Unknown network hardware configuration.

Network hardware helps ensure that your technology is secure, connects you to the Internet, and ties together technology between various city buildings and departments. When IT professionals don’t oversee the setup of firewalls, switches, routers, and other networking equipment, then you can open yourself up to major security threats.

Disaster: A non-technical city employee buys a firewall and sets it up. While the employee has a bit of amateur technology savviness, they improperly configure the firewall. Ports are open that allow hackers to easily gain access to city servers and steal information.

Prevention: Trained IT professionals need to configure all network hardware so that it works properly and keeps you secure. Then they need to monitor, maintain, upgrade, and replace network hardware as part of your ongoing technology support.

Warning Sign #9: No one monitoring and maintaining technology.

While related to the reactive IT support point above, this problem still often appears even when some “proactive” IT vendors serve cities. Technology monitoring and maintaining includes patching, upgrading, and threat monitoring.

Disaster: An employee keeps complaining that their computer has gotten slower and slower and slower over a period of six months. The IT vendor checks some type of diagnostics and says things look fine. They even suggest that the Internet service provider might be having issues. One day, the employee clicks on a malicious website by accident and gets a virus that leads to a data breach. After a virus cleanup and audit, an IT professional notices that the computer had not been patched in six months—including various important security patches that would have prevented the virus from getting accessed or downloaded.

Prevention: Ongoing patching, upgrading, and threat monitoring allows IT professionals to detect anomalies and address problems before they become disruptions. Keeping technology updated often fixes major security and functionality issues.

Warning Sign #10: Physical security for technology is weak.

Servers in offices where anyone can wander in. Computers left on so anyone can sit down and access sensitive information. Wireless routers left out in the open. These are signs of weak physical security for technology. Often overlooked in lieu of information security, data breaches related to physical security are just as important to prevent.

Disaster: After hours, a disgruntled employee sits down at another employee’s computer to steal confidential personnel information about staff on the city’s payroll. The data breach is later deduced through security camera footage.

Prevention: We recently talked at length about physical security policies. At a high level, you need to lock up core technology (such as servers and networking equipment) in secure rooms, escort any visitors, and require employee computers to lock after a few minutes and request a password to log back in.

Use these 10 warning signs (including those from Part One) as a self-assessment to see if you’re headed for a disaster. If you notice any weak points, don’t wait to fix them. Waiting until a technology disaster is like leaving your door unlocked at home or going without car insurance. The costs of a technology-related disaster at a city can seriously harm your operations, employees, citizens, and bottom line.

Reach out to us today if any of these warning signs worry you.

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 |