The city of Hays has a $2 million line of cyber liability in its commercial insurance policy with MPR (Midwest Public Risk), a group of public pooling entities across Missouri and Kansas.
Cybersecurity insurance is being sought by an increasing number of U.S. cities, according to a survey by the Wall Street Journal.
Hays has two main data centers located at city hall and at the police department, with 48 network routers and approximately 248 PCs and servers in 11 locations.
The IT Department, which recently relocated from the downtown city hall to a larger space in the Hays Welcome Center, 2700 Vine, provides Geographic Information Services, telecommunications services and support for citywide software applications. The five-person IT staff also maintains the city’s website, www.haysusa.com, and online utility bill payments. One technician is dedicated to the police department and security; another technician takes care of everything else in the city. The GIS Specialist is a shared position with Ellis County.
Chad Ruder, Director of Information Technology, who has worked for the city 19 years, recently reviewed the city’s computer network connectivity with the Hays city commission.
He told commissioners the city currently has fiber optics in place between city hall and the police department, between city hall and the water treatment plant and public works, and to the visitors center.
“We’ll soon have fiber optics to the wastewater treatment plant and the parks department. All that we have left for fiber optics is the recycling center, which currently bounces off the Sternberg water tower and the airport,” Ruder reported.
He is especially proud of the network’s “uptime” and credits that to redundancy consisting of backup domain controllers at the police department and city hall, high availability gateway firewalls in the city hall data center, and extra network equipment in the city’s inventory. “We don’t have every piece, but in order to get a building running, we’re prepared.”
The city’s financial and street infrastructure software is hosted in the local data center. “That’s the kind of thing you want to hold on tight, locked in that room. You want to know what’s going on.”
Email and web services, along with online bill payments, are hosted by an outside server.
“When we meet with our peers, from local to international, 90 percent of our talk is now about cyber security,” Ruder said. “That’s not an exaggeration. It’s frustrating, and it’s so important.
“There are two peer entities of mine in the state of Kansas, one of which had a payroll server taken down and the other one lost everything for two weeks. It was terrible.”
In order to protect itself, the city is always looking at user awareness, which Ruder considers “our first line of defense. Always.”
“We have layered security, but I’ll be honest with you, there’s only one piece of about four layers that looks at what’s going on. The other ones can be bypassed if a user does something they shouldn’t. If they click on something they shouldn’t, they can bypass a lot of what we do and you can’t have business continuity without that.”
Each city of Hays employee is trained the day they start work with a new computer users orientation. As issues arise, Ruder sends employee emails showing real world examples.
“Above all that, we do things on the back end that people don’t know about, thousands and thousands of things that we block every day,” he said.
Ruder is a little concerned there may be too many mandatory video trainings but concluded “it’s not enough. I don’t want to get to where I’m tricking my own users (into clicking on something they shouldn’t) and I don’t want to overwhelm them where they think I’m crying wolf. I think I’m in a good position here, but we can always improve.”
“Just making employees aware (computer hacking) is happening close to us, should scare everybody to death,” said Commissioner Sandy Jacobs. “It scares me.”
“It just takes one, though. That’s the problem,” interjected Mayor James Meier.
Commissioners and City Attorney John Bird mentioned hacker attacks on websites for the cities of Wichita and Great Bend.
Security software that can search and look for unwanted “bad things” on a computer is not foolproof, reminded Ruder.
“Somebody can change one piece of code and then that will slip through until the definitions catch it later in the day. It’s rough.”
The Hays IT Department also goes through audits and scans, both financially and through the police department.
The IT employees bounce ideas off their peer groups on how to stay ahead of would-be hackers. Local peer groups include Ellis County, HaysMed, USD 489 and the business community. There are also quarterly meetings of the Kansas chapter of Government Management of Information Science and the national organization. Ruder is vice-president of KS-GMIS and expects to become president next month.
Hays participates in a listserv which distributes relevant messages to subscribers on an electronic mailing list.
The city has a detailed cyber response plan from the insurance company “if we’re breached and have to start dealing with what’s been let out. I hope that never happens,” Ruder said. City Attorney Bird also looks at the legalities of the cyber response plan.
“The Department of Homeland Security has the best thing I’ve ever dealt with when it comes to free government programs,” Ruder told the commission. “It started when Sept. 11th (terror attack) hit.”
DHS partners with the MS-ISAC (Multi-State Information Sharing & Analysis Center), the “go-to resource for cyber threat prevention, protection, response, and recovery for U.S. state, local, tribal, and territorial (SLTT) government entities,” according to its website. The MS-ISAC is recognized as the national ISAC for SLTTs to coordinate cyber readiness and response.
“They monitor our computer traffic daily. They monitor the internet for anything that has to do with @haysusa.com. Somebody will get an email that looks like it’s from the city manager, Toby Dougherty. Hackers target the ‘whales.’ It’s called spear phishing.”
“Kim Rupp (Finance Director) gets (fake) emails from me sometimes,” Dougherty confirmed, “that say please send me that invoice or wire me those funds.”
That spear phishing is monitored by MS-ISAC. “I can forward that on to this group and they spread that out,” explained Ruder. “The FBI gets involved.”
Image-based backups are performed in the IT Department and can be used by the city in an emergency operation or disaster recovery.
“I love my job and I have an amazing staff. Cyber security keeps me up at night. Scary,” Ruder concluded.
Ruder also noted the city’s website, designed in 2002, is undergoing a major redesign and will be content management driven. He hopes to be able to show the commission some proposed improvements by the end of the year.