Reading Time: 4 minutes


Protecting Your Electronic “Building” Leads to Compliance

Joe Howland
Joe Howland, Chief Information Security Officer

Before we start talking technology, let’s instead consider the security of your municipal buildings. Many years ago, it’s likely that your security would consist of a few physical keys and locks, some window locks, and maybe a security guard if you were lucky. In a mostly paper-based world, that level of security worked. 

Today, that level of security is often not reassuring enough. Instead, we see security systems, keyless entry (such as key fobs), and security guards as a requirement, not an option. As society changed and theft grew more sophisticated, physical security changed. 

Just as many organizations have adapted their physical security over time, a similar shift has recently occurred with the security of electronic information. Unfortunately, many cities currently secure their information with the mindset of a pre-internet world while cyberattackers have a field day. No wonder so many cities are falling prey to ransomware and failing to protect sensitive, confidential information. 

In this blog post, we want to help you assess your compliance by using the metaphor of our physical security example above. Each compliance element below relates to the following physical elements: 

  • A security system 
  • Keyless security entry 
  • A security guard 
  • People who enter and exit your building 

Security System = Cybersecurity Best Practices 

Without cybersecurity best practices implemented at your municipality, you are fending off sophisticated “burglars” with the equivalent of an old-fashioned lock and key. To say that hackers can easily kick down your door is an understatement. Examples of items needed for your “cyber security system” include: 

  • Modernized, upgraded, and patched hardware and software 
  • Protected wi-fi access points 
  • Endpoint detection and response (EDR)
  • A secure, reputably-hosted website 
  • Secure email 
  • Secure online payments 
  • Security processes and procedures

In addition, it’s important to regularly train employees about cybersecurity hygiene and best practices, as people are often the weakest link in a cyberattack. Our article, “How to Create Effective Cybersecurity Training for Cities,” goes into more detail about what you need to train employees. You can also review more detailed frameworks from NIST and CISA.

Security Guard = Proactive, Ongoing Monitoring of Your IT Systems 

As you know, security systems are a deterrent but not perfect because they lack a human element. That’s why many businesses and building owners hire security guards. They not only act as a further deterrent but also add a person to the security mix who can respond proactively to an incident. Plus, a good security guard not only watches the front door but also patrols the property occasionally.

Similarly, towns and cities need proactive, ongoing monitoring and maintenance of IT systems. These IT engineers are like your “security guards” as they: 

  • Monitor hardware, software, and systems for issues, including anticipating crashes and failures long before they happen. 
  • Proactively maintain, patch, and upgrade hardware and software. 
  • Ensure antivirus and antispam software stays up to date.
  • Use tools such as managed detection and response (MDR) and endpoint detection and response (EDR) to ensure that attackers do not go undetected inside your systems for a long period of time, steal information, and cause damage.
  • Proactively address and fix issues affecting your security and stability. 
  • Proactively handle technical issues with hardware and software vendors. 

Keyless Entry = Logical and Physical Access Policies 

Just like people must have an authorized way to enter your city buildings, people must be authorized to electronically access your data and information. Many cities have the electronic equivalent of a simple lock and key that is easy for unauthorized employees, vendors, and hackers to overcome. Strengthening logical access is like strengthening the way people can “enter” your IT systems. Policies include: 

  • Setting a strong password policy and providing multi-factor authentication (MFA) at all access points to your network.
  • Monitoring and controlling user accounts (such as new users, changes to existing users, and deleting users) 
  • Requiring timeouts (automatically locking computers to help prevent unauthorized access) 
  • Logging and tracking user activity, which provides you an audit trail 

Because you also need to protect physical equipment, it’s good to have policies addressing who can access rooms along with deterrents such as security cameras. 

Entry and Exit = Changes to Your Technology 

Perhaps you’ve got your information security in good shape. But what happens when you get a new computer, server, or software? What happens when someone buys a new wireless router from a retail store and sets it up? What happens if an employee downloads software from an untrustworthy source? 

Like the Trojan Horse sneaking something bad into your environment, these kinds of threats may emerge because you are not careful about what’s added to your IT inventory or how your IT inventory changes over time. Some concerns include the installation, configuration, and setup of: 

  • A new computer or server. If an employee buys a new computer at a retail store and sets it up themselves, then how do they ensure it is secure and properly configured? 
  • New software or a new application. Sometimes, software vendors are not thinking about your best interests such as how your software integrates with your systems or if it’s properly secured. Also, employees downloading and using unauthorized software add huge security risks to your city. 
  • A new wireless router. Hackers have been known to breach a city’s system through an unsecured wi-fi access point that was improperly configured and set up with no password or a default password. 

“Magic” = Data Backup and Disaster Recovery 

If we continue our real-world analogy, you cannot make exact clones of everything in your building and get them back if someone steals them. But in the “magic” of cyberspace, you can! A data backup and disaster recovery solution needs to become part of your policy and compliance strategy. To help protect your data, you need: 

  • A plan: How will you get your technology up and running after a disaster? What information will get restored, and in what order? 
  • Onsite data backup: For small disasters such as server failure, an onsite data backup solution will help you quickly recover. 
  • Offsite data backup: For large disasters such as a tornado, fire, or ransomware, an offsite data backup solution where you store your data in a far-off geographic location will ensure you can recover even after a worst-case scenario. 
  • Testing and monitoring: Compliance doesn’t mean simply investing in an expensive data backup solution and checking that task off your to-do list. Any data backup and disaster recovery solution requires ongoing monitoring for issues and periodic testing to ensure that you will actually be able to restore your data after an incident or disaster. 


By following the best practices above, you will decrease risk, improve your internal policies, and more easily comply with the law. If you need help improving your policy and compliance strategy, reach out to us through the form below.

More from VC3