This article originally appeared on Sophicity's CitySmart blog.
Someone attempted a $90,000 transaction from my machine. What do I do?
Let that sink in. As the finance officer, city clerk, treasurer, or city manager, how would you feel? What would you do? How did it happen? Where would you look?
When a person, externally or even internally, attempts to steal money or data from a city, investigators will start looking for information to help them find the culprit. So, what information will lead them to finding the person who committed the crime?
Unfortunately, your city may not have the right policies in place to not only prevent unauthorized access to information but also to track who accesses it, what’s accessed, and when it’s accessed. That leaves your city with security holes that open you up to hacking, theft, and even fraud.
What can you do as a city to make sure only authorized users have access to sensitive information? Look carefully at the following areas.
User Access and Authorization
First, begin with making sure your systems and software allow you to set different levels of permission for different users. For example, some users may not need access to payroll information. Modern technology systems allow for granular user permissions within servers, websites, and applications. If you don’t set these permissions appropriately, you risk users looking at information that they should not access—and they may possibly misuse, change, or delete that information. Users should only be able to access information relevant to their job function.
Often overlooked, it’s important for cities to physically secure important technology like servers. An unauthorized person should not have physical access to your servers or be able to walk into your server room as if it’s the breakroom. All it takes is one disgruntled employee to steal information or damage your computer equipment and hardware (which may lead to permanent data loss). Secure rooms with servers so that only authorized employees can access them. Require use of a key fob or similar security checkpoint.
Second only to physical access, wireless access is another common security hole. Cities are at risk when they leave wireless access open and unencrypted, or if they use weak or well-known default administrative passwords for securing wireless devices. Hackers can easily hop onto your network through these access points and begin sniffing around your most sensitive information right from the parking lot. You need to keep your wireless access password protected with a strong password, encrypted, and limited to authorized users.
Obviously, employees sometimes need access to a city application through a secure remote connection to a server. But it needs to be logged and tracked. Too many cities don’t track and monitor who logs on and when they log on. This creates security problems. If you don’t know the identity of someone logging in, or even that they’re logging in at all, then how do you know that it’s an authorized user? By tracking remote access, you make sure that only authorized users are accessing your servers and applications.
Access and authorization vulnerabilities that cities face are not just addressed by technology. They begin to get addressed by setting policy. Cities need to set the right policies and work with their technology staff and vendors to implement training, processes, and technology to meet these policies. If your current technology systems cannot handle these demands, you may need to modernize your technology in order to accommodate current security requirements and best practices for government data.