As we continue to navigate this challenging year and execute our plans for recovery, we all have a lot on our minds, and many more questions than answers, even with the constant flow of information from state and federal authorities.
It’s difficult to unravel new regulations and embrace this current way of doing business when so many things are unknown. The stress of figuring out how your municipality will continue to serve the public effectively, and the true impact on your municipal budget, are admittedly daunting.
As this novel virus has made abundantly clear, the key to keeping municipal operations running smoothly – even with minimal staff and services – is proper IT infrastructure. While it might seem like a no-brainer, moving to fully remote operations was a true test of your systems. It forced many of you to understand the full capabilities of your overall investment and caused a new way of thinking to emerge. You can expect selectboards and councils to start asking you to test your systems regularly, much like public safety departments pre-plan for emergencies. The question is, are you prepared for what’s next?
It is time to evaluate your organization and determine how you can continue to provide services to the people of your city or town, regardless of your operational status. Your evaluation can come in many different forms, but will be determined by the way IT support is handled at your office. As Vermonters, we’re well aware of the inherent challenges faced by small or large municipalities where IT support is solely based on resources. Whether your organization handles its own internal IT support or contracts it out to an external vendor, make sure you are protecting your users and equipment, as well as your investment.
Prepare for what’s next. Regardless of how your IT support is handled, it is important to evaluate your organization’s needs and determine if they are being met on a regular basis. It doesn’t need to be a complicated or lengthy process or require a special committee to be set up. Instead, think of it as a periodic “checkup” during which your sole purpose is to understand what services are being provided and what equipment is covered. Start simply by asking your team questions. What is working and what isn’t? What do you wish you had help with? What IT software/processes take up the bulk of your time?
Determine what is being done now—and what isn’t. Next, review your support contract or start a conversation with the internal person who handles IT to better understand their responsibilities. Determine what is covered by your individual situation and if there is anything else you might want to include (think of an insurance policy), especially if there is a drastic change in your business process. This is the time to determine what you might need in the future, like remote video conferencing software or secure access to documents to support remote operations. At this point, you’ll have likely found a few things that could have been better than they were. Use your findings to prepare for future scenarios. Determine your team’s responsibilities outside of phone/email support, such as behind-the-scenes updates, antivirus coverage, and backup solutions. Think about worst-case scenarios. How will these processes be evaluated? Are backups being tested?
Prioritize communication. As with many aspects of life, communication is paramount, especially when it comes to understanding your IT situation. While contracted IT vendors are businesses, they work in a customer service role and should be in contact with their clients regularly. A healthy communication link between your vendor or internal IT staff will ensure you are both on the same page, even if you do not speak the same technical language. Consider involving your IT staff/vendor in your business strategy so they can provide options and methods that might increase your productivity. Be sure to notify them of staff changes, potential furloughs, or layoffs so they can prepare to secure inactive accounts immediately. Provided with the correct balance of information sharing and collaboration, even an outside IT vendor can become an extension of your team.
Above all, focus on security. As cybersecurity incidents become more public and wide-sweeping, the concern for how they might affect your organization is rising. Unfortunately, security can’t be solved overnight, nor can it be the responsibility of one person. It really does take a village to ensure all aspects of cybersecurity are considered when evaluating your situation. After you have a basic understanding of what your infrastructure can and cannot do, it is time to evaluate the types of information you are storing to determine how it needs to be protected.
Yes, every municipality maintains public records available to almost anyone through the proper channels, but that does not mean this information should be left unprotected. Think of it this way: Do you charge a small fee to fulfill information requests? Do those fees represent even a small revenue line in your operating budget? If so, this data is worth protecting until it is released through your official processes. Municipalities also maintain records that are exempt from information requests, such as personnel records or personally identifiable information that might be collected through tax collection efforts or similar activities. If you store this type of information, you are responsible for its safe keeping. Knowing what information you have and how it is stored is just half the battle. You might think this is a lot of work, and for some it is. Before you think about safeguarding the data, this exercise will have already prepared you for any potential audits. Should a cyber incident occur, knowing what might have been taken and what you must do next are equally important.
Expand your conversation with the IT vendor or staff to determine what safeguards are in place. You will know you are on the right track if they provide an answer that shows how data is protected based on its confidentiality level. It’s a fine line you’ll have to walk – your systems need to be user-friendly and your data needs to be protected. Educating everyone about the reasons why information must be secured will make daily operations easier and more natural, and will help foster understanding between users and IT staff.
Ask for help. Seen as one of the most expensive assets to your municipality, IT services can be a drain on any staff. While being prepared for any threat or issue is critical, there are resources that can assist you through this process should you find it overwhelming or have additional questions. Please contact the Vermont League of Cities and Towns staff for additional guidance.
Professional Services Director
Champlain College | Leahy Center for Digital Forensics & Cybersecurity