by Dustin Tucker, Manager, Strategic Advisors, VC3
Municipalities often face a unique technology challenge when staff or elected officials leave. Let’s call it “account credential chaos.” What does that mean?
As an example, think of an employee with a lot of responsibility. They not only have their email account but also access to various social media accounts, event websites and cloud-based applications and programs containing information critical to your daily operations and public communications.
Then, that employee abruptly leaves. You log into Facebook or a website for a big annual event or your permitting platform. And … you’re locked out because you don’t have the username and password. In a worst-case scenario, a terminated employee with access to the account may not give it back to you, make an unauthorized post on social media or access sensitive emails.
How can your municipality prevent these issues? With proactive password and account credential management.
Why does turnover create credential risks?
Going back to our example above, municipalities often face two major problems when staff leave.
- Critical accounts become inaccessible because credentials weren’t properly documented or transferred.
- Former employees or elected officials may still have active credentials.
These issues typically happen because
- you might not store credentials in a central, secure location.
- no formal offboarding process exists to revoke access from employees who leave or change roles.
- password changes are delayed, inconsistent or nonexistent.
Without a structured approach to credential management, you risk losing control over your digital presence, sensitive data and critical applications. Some practical steps that municipalities can take to improve their credential management include these:
- Centralize credential storage: Use a secure password management tool to store all of your account credentials in one encrypted location. Any authorized staff can access accounts without insecurely sharing passwords, and credentials are updated in real time.
- Implement role-based access: Assign individual logins where possible and use role-based permissions — meaning people only get access to the systems and information they need to do their job — so access can be easily be changed when someone leaves.
- Enforce MFA and strong password policies: Enable multi-factor authentication, or MFA, for critical accounts such as email and financial systems. Also, require complex passwords and periodic password changes.
- Refine your offboarding process: When an employee or elected official departs, make sure you immediately revoke their access to all systems, update any shared account passwords, and document these changes in your credential management system.
- Regularly audit your accounts: Periodically — such as quarterly — remove any unused or outdated accounts and confirm that only authorized personnel have access to your systems and applications. Better yet, have your IT resource automatically deactivate any unused accounts.
- Continuously monitor for unusual account behavior: Have your IT staff or vendor monitor for unusual account behavior such as people using unauthorized credentials. They should be able to automatically block access after an incident is flagged.
- Detect cybercriminals using stolen “authorized” credentials: Cybercriminals often obtain legitimate credentials, but log in from a suspicious device or unusual location. An identity management tool can block these types of logins by flagging suspicious contextual signs that indicate something is wrong.
Credential management may seem like a tedious task, but it’s a cornerstone of municipal cybersecurity. By centralizing passwords, enforcing strong policies and formalizing your offboarding process, you can avoid the headaches and risks of account lockouts and unauthorized access.
VC3 is the Municipal Association of South Carolina’s technology partner.