Digital Security in Your Municipality

With much of our communications transitioning from paper to digital, our computers, smartphones and other electronic devices have become a critical part of how we manage and govern our municipalities. This reliance on technology leaves us exposed to various risks that were never present in the nondigital world of the past.  From an innocent mistake by an employee to an malicious attack by a hacker, our communities could be irreparably damaged if the proper steps are not taken to ensure our digital communications are safe and secure.

While not an exhaustive list, the four points below will get your organization pointed in the right direction in terms of managing the risk associated with our new digital reality. In the coming months, we hope to build off of this list, with more in depth articles dealing with information technologies and your communities online presence.

Step One: Create an Email Policy

If you don’t already have a email policy, then you should have one.  This policy outlines what should and should not be sent via email. For example, has any employees sent taxpayer’s confidential information through email? Is personal business being conducted on the town’s email system? Is the municipalities email system being used in ways is was not designed for (i.e. as a chatroom, a file backup system, etc). There should be some attempt to regulate how the employees are using email.

Step Two: Ensure Passwords are Strong

Most of the passwords we use to protect ourselves are surprising easy to “crack” by anyone with a computer and a minimal effort.  Therefore you need to educate everyone in your organization about the minimal requirements for a strong password. Short, easy to remember passwords should be replaced with longer more complex passwords. It would also be wise to ensure all employees have, and know how to properly use, an encrypted password database app like 1Password or LastPass. These apps are easy to use and simplify the real world usage of strong passwords.

Step Three: Avoid Social Engineering Mistakes

Real world hacking doesn’t look like it does in the movies, where a nerdy guy sits behind a terminal typing away while a colourful visual representation of the internet is displayed on his screen.  That’s Hollywood, not real life… a hacker is more likely to get access to your computers on your network via an infected file sent by email, or by simply asking an unsuspecting employee for access. 

Therefore, you and your employees should:

  • Never open an email attachment unless you know what it contains. When in doubt, follow up with the individual who sent you the attachment and confirm whether it is a legitimate or not.
  • Never divulge passwords or any private information over the phone or email – regardless of who they say they are. No legitimate bank would ever call and ask for your banking PIN.
  • Never blindly follow the instructions of an email without first considering whether it’s a legitimate request. Hackers will often create a fake email, perhaps to look like your ISPs mailings, to trick you into giving them your login information or personal data.
  • Avoid conducting municipal business while on an unknown public WiFi hot spot. Public WiFi hot spots are often NOT secure, hackers can easily intercept and read nearly anything you send over a unsecured WiFi network. If you must use public WiFi then you should use a Virtual Private Network (VPN) to create a encrypted connection to your municipalities network.

Step Four: Have a Solid Data Protection Plan

A good data protection plan will ensure that your community is prepared for the worse. Whether a hard drive fails, or an unauthorized individual gains access to your network, or your municipal office burns to the ground, you will need to be to recover any lost, modified or corrupted files quickly and efficiently. 

Network and computer based backups should be done on an hourly, daily and monthly basis, with those backups being stored both on and offsite. Those backups should be encrypted, to avoid unauthorized access, and should be physically secure – you do not want someone walking off with your backup drive under their arm.  

You will also want to ensure your computer operating systems are up to date with the latest security updates – particularly if you are using a computer with the Windows OS.  All computers should also have a professional anti-virus and anti-malware software packages installed, and updates should be automatic.

These four steps are the minimum you should be doing to ensure your municipalities digital assets and taxpayers information is safe and secure. Watch this space in the future, as we plan on publishing a series of more advanced articles relating to digital security.