
CitySmart Blog

Monday, May 20, 2019
Kevin Howarth, Marketing & Communications

We hope to see you at the following city event this week!

Regional Cybersecurity Workshop
May 23, 2019
Bethel Heights, Arkansas

Friday, May 17, 2019
Kevin Howarth, Marketing & Communications
Wednesday, May 15, 2019
Jessica Zubizarreta, Account Manager

If this question alarms you or you can’t answer it, you’ve got a problem. Testing is quite possibly the most important part of a data backup and disaster recovery solution—short of actually backing up the data. Even cities with expensive data backup solutions and systems sometimes find they fail when an actual disaster occurs. The tools and technology were fine. The city just didn’t test that it worked.

Testing is a critical data backup and disaster recovery practice for multiple reasons, and it’s something you need to do on a periodic schedule. Here’s why.

1. Make sure your data backup is actually working.

Let’s start with the most obvious reason. No matter what kind of data backup solution your city uses, only testing ensures that it will actually work when needed. So many times over the years, we’ve heard stories about:

  • Tape backups not restoring fully.
  • External hard drives failing because of data corruption.
  • Data backup servers not backing up all important data.
  • Malfunctions in the data backup system that affect backup and restoration.

By doing regular testing, you will ensure that your data backup works properly and will not fail you when an incident or disaster occurs.

2. Correct errors.

Data backup testing is also a great way to correct errors that may affect the restoration of your data. Errors may include:

  • Misconfiguration of the data backup system.
  • Critical data not selected for backup.
  • Data backups not occurring on a regular schedule.
  • Power outages or servers accidentally turned off.

By addressing errors during a test, these errors won’t affect you during an actual incident or disaster.

3. Ensure that your critical data is backed up.

If you use a consumer-grade data backup solution, dated tape backup, or manual backup process, a high chance exists that a default setting or a non-technical employee overseeing the backup will lead to your most critical data not getting backed up. Many cheap or consumer-grade data backup solutions often have trouble backing up databases, specialized software, or specific files. Plus, storage caps may sometimes occur without you necessarily knowing.

Having experienced IT engineers overseeing your city’s data backup will ensure that critical data such as databases, applications, and important records are all backed up—especially those critical to city operations or that need to follow a retention schedule by law.

4. Enact your plan effortlessly when disaster strikes.

Police train all the time so that they know what to do in a sudden, chaotic situation. Firefighters train so that they know how to handle a fire without conscious thought. Soldiers train and train so that they instinctively perform in a battle situation.

Similarly, your data backup plan will get enacted in a crisis that strikes out of nowhere. Ransomware hits. A tornado wipes out city hall. A fire rages through your building. You will likely not be warned.

What do you do in such a situation? Many cities panic, flail, and call for help from expensive experts when they did not plan for the worst. But data backup testing allows you to go through a worst-case scenario periodically so that you know the drill by heart.

A plan will help you understand:

  • Who does what? What are the roles and responsibilities of city staff and IT vendors?
  • How fast will the data be restored? This gives you a sense of when specific city operations will come back online during data recovery efforts.
  • In what order will things happen? You will have a process for restoring data that follows a specific sequence of actions.
  • Where will you access the recovered data? What if city hall gets destroyed? You will have a better understanding of where you might relocate. Once you have access to the internet, you will be able to access your data and set up a temporary remote site.

Testing your data backup gives you a huge sigh of relief because you just enact your known plan confidently when a crisis hits.

5. Document your plan so that others can enact it.

Testing your data backup also forces you to document your plan. Documentation helps you clarify your plan and captures it in writing so that others may follow it. In many cases, the idea of a city’s data backup plan resides in one person’s head. If that person leaves the city or is not available when a disaster strikes, city staff can be left not knowing what to do (and not even having access to the plan). Documentation makes your data backup plan transparent, shareable with other city staff, and easily followed.

Data backup testing goes far beyond just ensuring it works. It helps you think through your data backup and disaster recovery strategy, planning, and tactics. You will learn a lot about the severity of a disaster, how fast you will be able to access your data, and what impact will occur to city operations.

As the saying goes, failing to plan is planning to fail. Not testing is part of planning to fail.

Are you testing your data backups? If not, reach out to us today.

Friday, May 10, 2019
Kevin Howarth, Marketing & Communications
Wednesday, May 8, 2019
Victoria Boyko, Software Development Consultant

A few years ago, we wrote a post about ADA-compliant websites in anticipation that the Department of Justice would create enforceable regulations in 2017. Since then, the nation has seen a spike in ADA-compliance lawsuits that include the targeting of municipalities. These lawsuits have become so numerous that municipalities fear getting hit with a lawsuit.

Currently, lawyers are aggressively identifying city websites that aren't ADA-compliant and then suing the city. These lawsuits are difficult to fight as measured against the ADA, and the award usually includes the city having to pay attorney fees and a requirement that the city’s website become ADA-compliant.

To give a brief overview of this situation, we’ve answered a few of your most common questions below and then provided additional resources if you want to learn more.

Why are there suddenly so many ADA-related website lawsuits?

While no single clear answer exists, a few data points suggest why there is increased legal interest:

  • 2017 changes to Section 508 of the ADA that impact federal agencies: While these Section 508 changes only apply to federal agency websites, they also have an indirect impact on how people scrutinize and interpret the accessibility of state and local government websites. According to the US General Services Administration (GSA), “Even when Section 508 doesn’t apply, many non-federal websites are still required to be accessible under other laws, such as Section 504 of the Rehabilitation Act of 1973, or state or local laws.” The ADA says, “The Americans with Disabilities Act (ADA) and, if the government entities receive federal funding, the Rehabilitation Act of 1973 generally require that state and local governments provide qualified individuals with disabilities equal access to their programs, services, or activities unless doing so would fundamentally alter the nature of their programs, services, or activities or would impose an undue burden.”
  • More cases going to trial setting legal precedents: According to Blank Rome LLP, “One significant contributing factor to this upsurge in litigation is a 2017 ruling by a Florida federal court judge in what is believed to be the first of these cases to go to trial. In that case, the judge held, after conducting a non-jury trial, that supermarket chain Winn-Dixie discriminated against the plaintiff (a blind man who sued more than 70 companies) because: ‘The factual findings demonstrate that Winn-Dixie’s website is inaccessible to visually impaired individuals who must use screen reader software . . . . Therefore, Winn-Dixie has violated the ADA because the inaccessibility of its website has denied Gil the full and equal enjoyment of the goods, services, facilities, privileges, advantages or accommodations that Winn-Dixie offers to its sighted customers.’”
  • Legal and regulatory ambiguity: Again, according to the GSA, “The Department of Justice (DOJ) says that ADA requires any person, business, or organization covered under the Act to communicate effectively about their programs, services, and activities. This includes information provided through your website. In its Supplemental Advance Notice of Proposed Rulemaking on State and Local Government Web Accessibility, the DOJ explained that it was considering proposing WCAG 2.0 Level AA as the accessibility standard for websites and web content. The DOJ noted that WCAG 2.0 has become the internationally recognized benchmark for web accessibility. The Revised 508 Standards are based on WCAG 2.0. However, a final rule specifying technical standards under the ADA has not been adopted. Until the DOJ adopts specific technical requirements for web accessibility in a final rule, if you’re subject to the ADA, you have more flexibility in determining how to make your website compliant with the ADA’s general requirements of nondiscrimination and effective communication. Remember, you still must comply with applicable regulations (Title II for state and local governments, or Title III for public accommodations and commercial facilities).”

Altogether, the updates to Section 508, increased legal precedent, and regulatory ambiguity (or “flexibility”) have opened municipalities up to increased lawsuits.

Then why are municipalities getting sued?

Municipalities are not only incredibly visible public-facing entities, but they are also often lagging in website modernization. This lagging includes having websites that do not implement ADA-compliant best practices whether from a lack of capability, expertise, or staff knowledge. While businesses may commit equal or worse violations, municipalities are easy targets—especially if they haven’t modernized their websites.

Why isn’t the law clearer?

Two elements come together to create such legal ambiguity:

1. Vagueness in the 1990 ADA law: Passed in 1990 before websites existed, the ADA states that organizations cannot discriminate against people with disabilities when providing “public accommodation.” When “public accommodation” includes cyberspace, that notion comes with a completely different set of standards compared to making a physical place accessible in the real world. The 1990 law has not been comprehensively updated to account for cyberspace.

2. Lack of regulatory clarification around websites: According to a National Retail Federation article, “At one point the Department of Justice attempted to issue guidance for website accessibility. But the guidance was never finalized, possibly because the DOJ is not granted clear authority under the ADA to promulgate regulations. More recently, the DOJ announced that it would not issue any guidance as part of the Trump administration’s efforts at deregulation.” This leads to a political conundrum that often makes partisan politics unfortunate. Sometimes laws and regulations exist that hinder, rather than help, commerce and government operations. In these cases, regulatory clarification can help set a clear standard for organizations to meet. Otherwise, we see with the ADA that a lack of regulatory clarification means organizations must uphold a standard that’s not defined.

In this situation, who gets to decide the standard? Courts. The decisions of random judges create a legal path with many arbitrary zigs and zags as some courts are more lenient than others. It’s rare that a coherent standard emerges from such a path. With no national standard of ADA website compliance, court rulings are unpredictable. The only people that benefit in this situation are the lawyers, as this deregulated environment combined with a vague ADA law gives law firms plenty of lawsuit opportunities.

Are cities really at risk?

Yes. According to a Governing article, “Since 2011, more than 142 municipalities were sued on the basis of accessibility non-compliance. Federal lawsuits are on the rise as well, with the number of federal website accessibility lawsuits nearly tripling in 2018 compared to the year prior, to 2,258 suits. Municipalities are not only vulnerable to lawsuits from local citizens who are seeking fair access. According to many reports, serial plaintiffs are browsing the Internet, seeking violations in a variety of public and private sector industries. Recently, it has been municipalities that have become easy targets for those searching for violations and seeking injunctive relief, and even monetary damages.”

More specifically, an Orlando Sentinel article notes, “Over the past year, a flurry of lawsuits have been filed in federal courts contending that many of the public documents on government websites and businesses are not completely accessible to people who have problems seeing or hearing. Nearly 2,000 suits were filed in 2018 alleging website accessibility issues for the disabled. The lawsuits demand that websites should be equipped with software that allows the legally blind to read documents. Deaf people, or the hard of hearing, should have videos with closed-captioning of government meetings, the suits contend. For example, Daytona Beach resident Joel Price, who is legally blind, recently sent a letter to Altamonte Springs City Manager Frank Martz requesting that the city make available on its website budgets for the past four years and all City Commission agendas, along with backup material, since 2015.”

These ADA-compliant website lawsuit threats are real and could happen to your city, although most of the lawsuits have originated in New York and Florida.

What can cities do?

The best advice is still the advice we gave in 2017: be proactive and get ahead of any laws, regulations, and lawsuits. Making your website ADA-compliant is the right thing to do, regardless of how the law threatens you about it.

Here are some resources that can help you:

Also, keep in mind that your website technology alone won’t solve your compliance problems. A key ADA-compliance risk is with your content management system (CMS). Anyone who adds website content needs to be familiar with implementing accessibility guidelines. Otherwise, they may add website content that is not compliant.

Need some help and guidance around making sure your website is ADA-compliant? Reach out to us today.

Friday, May 3, 2019
Kevin Howarth, Marketing & Communications
Monday, April 29, 2019
Kevin Howarth, Marketing & Communications

We hope to see you at the following city event this week!

2019 Alabama League of Municipalities Annual Convention
May 4 - 7, 2019
Mobile, Alabama

Friday, April 26, 2019
Kevin Howarth, Marketing & Communications
Tuesday, April 23, 2019
Cale Collins, Network Infrastructure Consultant

Antivirus software is commonly used for desktop and laptop computers. You install software, always keep it running, and let it prevent viruses from executing on your computer. However, antivirus software gets a little tricky on mobile devices.

While mobile devices still use operating systems and software applications, software runs slightly differently on mobile devices than it does on desktops and laptops. Therefore, antivirus software works slightly differently on mobile devices too.

What makes this situation more confusing is that Apple and Android mobile devices are built extremely differently from each other, and that affects the antivirus approach for each type. Let’s look at the similarities and differences between each device.

Apple Mobile Devices

The myth that you often hear about Apple’s mobile devices is that they don’t get viruses. Be careful here. It’s a fool’s game to think you are 100% safe! Yes, Apple devices are a closed ecosystem—both the hardware and software—but as long as there is a connection to the internet or a means to connect to a device, you’re at risk. There is no magical way that Apple avoids viruses.

Without getting too technical, Apple constructs its devices like a heavily guarded building. Think of Apple devices like the White House. It may annoy some people that they cannot just walk into this building. However, the White House is incredibly secure. Similarly, Apple devices are heavily locked down by Apple so that they operate and work in the same way for everyone.

Because of this tight security, a few unique things occur on your Apple device:

  • Hardware manufacturers and software developers cannot mess with the iOS operating system or change it without breaking or considerably weakening the device.
  • Apps are “sandboxed” by default. This means that even if you upload a malware app (or even a legitimate security app!) to your iPhone or iPad, that malware app is prevented from accessing your city email app or banking app. All apps are walled off from interacting with other apps on your Apple device (unless you give permission).
  • You can only download apps from the Apple App Store, with no exceptions.

Such tight security doesn’t mean your Apple device cannot get a virus at all. But it’s like the White House: the chance that someone who poses a security risk is allowed inside is greatly lowered.

This means your Apple “antivirus” strategy really comes down to your security updates—which you should be doing for your devices anyway. Apple releases frequent security updates that are consistent across all devices, and they are aggressive at getting users to update.

The only way to increase your chance of getting a virus on an Apple device is to “jailbreak” it. Such an activity is highly technical, but essentially it means you or someone else has removed Apple’s restrictions that are coded within the operating system and you’re now able to bypass those restrictions. However, that’s a huge, huge risk. If you get a virus, it’s likely that your device will not be fixed by a legitimate Apple security update because that update probably will not work on what Apple considers to be a broken phone.

Android Mobile Devices

If Apple devices are like the White House, Android devices are like a stadium or mall—an open ecosystem. Still secure, but in entirely different ways. The biggest difference is that the Android operating system is based on an open source platform. As a result, various hardware manufacturers and software developers create different versions of the Android operating system to suit their needs. They are also in control of how and when to release security updates, which may vary wildly across different manufacturers. Individuals can also alter their phones more.

Because anyone can see how the Android operating system works and because different versions exist that vary in security, just remember that hackers can also see this operating system as they develop viruses and malware to infect Android devices. The Google Play store is also less strict than the Apple App Store, and many virus- and malware-infested apps can be downloaded by users. In addition, you can download apps from non-Google Play stores. Some of these stores feature legitimate apps, such as Amazon or Samsung. But other sketchy third-party stores may be full of virus- and malware-infested apps.

Security updates can protect your Android devices, but it also helps to have antivirus software on them. An Android antivirus solution would:

  • Automatically scan for viruses, conduct periodic scans, and give the ability for your IT provider to manage the antivirus software.
  • Block access to malicious websites and attachments.
  • Scan apps for security vulnerabilities (such as an app that may leak sensitive or confidential information).

Security Best Practices for Both Apple and Android Devices

If you have an Apple device, you might think, “Wow, I don’t have to worry!” Yet, if you have either device, there are still some security best practices you should follow. As you can see, even your Apple device cannot prevent the following risky situations.

  • Apply operating system security updates when they are released. Both Apple and Android security updates are the most important updates you can apply to your mobile devices. These updates patch major security vulnerabilities.
  • Apply app updates regularly. Apps are notorious for being updated constantly, and some of those updates are security-related. Set your mobile devices so that your apps automatically update.
  • Be careful when installing apps (especially when giving permissions). Use discretion when installing apps. Many organizations invite you on their websites to install their mobile app “for a better experience” or some other enticing promise. Many people just go ahead and download them. While these apps may be legitimate, they also often ask you to allow access to your contacts, camera, calendar, etc. When you say “yes” to all these permissions, you may open yourself up to potential risk. Sometimes, apps legitimately need these permissions. But remain skeptical. Ask yourself, “Why does this app need access to my contacts?” For example, if you put sensitive information in your contact notes (which we don't recommend), then an app you install that requires access to your contacts will have access to that sensitive information.
  • Do not use jailbroken phones. While you may bypass the hardware manufacturer’s restrictions in some way, you open your phone to severe security vulnerabilities. We recommend that you don’t buy mobile devices used or from an untrusted seller.
  • Follow your city’s password policy. Many people do not protect their mobile devices with passwords. That’s a mistake. Use strong passwords. We recommend using passphrases (which are long phrases that are easy for you to remember but difficult for a hacker to guess). You can also use complex passwords (a long string of letters, numbers, and symbols).
  • Continue to be vigilant against phishing. No matter what device you use, phishing can still bypass all your security. Be careful what websites you go to, what links you click on, and what attachments you download. Especially be careful of phishing emails or unsecured wireless access points.

No matter your device, it helps to have your IT support managing those devices and ensuring they are secure. Apple and Android devices may have key differences, but each can be exploited by hackers in different ways.

Need help securing your mobile devices? Reach out to us today.

Monday, April 22, 2019
Kevin Howarth, Marketing & Communications

We hope to see you at the following city event this week!

2019 Kentucky Municipal Clerks Association Conference
April 23-26, 2019
Maysville, Kentucky
