<-- Back

Municipalities and Cybersecurity - Q&A With City of Vestavia Manager Jeff Downes

Q. What is your experience in the changing necessity of cybersecurity?
In the 90s, there wasn’t much, if any, cyber exposure. The world was paper driven and now it’s evolved into a world of paperless documents, collecting data for electronic transactions, wiring money instead of writing checks—all of which create exposure. What’s important to me is figuring out how frequent an opportunity for loss can occur because of these exposures. As the CEO of this operation, any risk or exposure of loss is important to me, and we have to consider the severity of those losses and try to mitigate those situations.

Q. What lead to the push of cybersecurity in Vestavia Hills?
While I was at a city managers conference I heard of two other cities in our region, very similar to Vestavia that had been exposed to ransomware. Shortly after we found out about their troubles, we realized a few of our city’s senior leaders had their emails spoofed in a phishing attempt to request a wiring of money. Thankfully there was a system of checks and balances put in place to keep that kind of exchange from happening.

Q. What kind of data is a city responsible for?
Anything from the information of an individual getting a car tag renewed to a taxpayer paying sales or business license taxes all the way to residents paying for fees associated with the quality of life activities in the city. We are responsible for all of that information, and it’s our job to keep it safe and out of the wrong hands.

Q. Why ThreatAdvice?
We have a small IT department with a large need here, so the ability to contract out for the training aspect was something very important. ThreatAdvice showed an ability to work quickly and professionally to serve our needs. When it comes to starting from scratch in your efforts with managing cybersecurity risk, you can have all the best gadgets/technology and the best training, but you need to lean on the policies and procedures. ThreatAdvice has built in policy and procedure templates that could be used for our organization which bring value in itself.

Q. What was your strategy  for implementing ThreatAdvice?
We sat down with our IT director and started putting a plan together to mitigate any exposures as well as putting insurance policies in place. Working with ThreatAdvice allowed us to do something extremely important which is training. We were able to teach the differences between safe and unsafe cyber practices to our employees. We also tested them to determine the level of the employees’ cyber awareness and identify our areas of weakness.