When IT specialists from the Texas Department of Information Resources helped county and municipal governments recover from a mass ransomware attack over the summer, they noticed a pattern. It wasn’t necessarily the jurisdictions that had spent the most that had the easiest time restoring their systems; it was the ones that had planned most carefully.
“A good disaster recovery plan, and good backups, makes the difference between losing months of work and being able to get back up and running within a few days,” says Texas CISO Nancy Rainosek. Some local governments resorted to manually re-entering information to reconstruct lost databases.
But with other kinds of data, like video from police surveillance or body cameras, “there’s no way to get the data back at all,” Rainosek says. “It’s lost forever.”
Good backup procedures guard against that nightmare scenario by storing copies of vital data separately from the network. “You need to ensure that you have backups, that the backups are tested and that the backups are offline and, if possible, offsite” to guard against physical disasters as well as cyberattacks, Rainosek says.
And it’s not simply a matter of buying the right stuff. “There are plenty of low- or no-cost things that local governments can do to mitigate the threat from ransomware and other cyberattacks,” she says.
Agencies Can Take Many Low-Cost Steps to Boost Recovery
Proper training is important for the backup process itself as well, says Alan Shark, executive director of the Public Technology Institute, which supports state and local government IT departments through research and training. “There’s a process and a discipline required,” he says.
Shark recounts how, in one local government department he worked with, it turned out that the staffer responsible for backing up had misconfigured the program. “They were making backup tapes every week and putting them in a safe, but they were only backing up the C drive, not the whole network,” he says.
That’s why testing is just as important as planning and training, says Rainosek. Her list of low- or no-cost best practices for mitigating ransomware and other attacks also includes the following:
- Use good patch management and keep all software updated.
- Use anti-virus software and keep it updated as well.
- Have an IT purchasing plan that includes money to replace or update IT to avoid building up a large technical debt.
- Segment the network so that malware infections cannot spread across the whole organization.
- Close unnecessary ports to reduce the number of ways hackers can get into a network.
- Block inbound traffic from Tor exit nodes so hackers can’t attack while hiding on the darknet.
Rainosek is adamant that, when it comes to mitigation, one size does not fit all. “Every organization is going to be different,” she says. “There’s no one way to do backup because there’s no one way to store data.”
Private Sector Providers Can Back Up Government Assets
Both Shark and Rainosek emphasize that having an outside IT provider is a great way for many small local governments to outsource the backup challenge, as long as they do proper due diligence.
“You have to ensure your contract provides clarity about who is responsible” for backing up the data and other tasks, Rainosek says.
“In theory, an IT service provider ought to do a better job” than an in-house IT department in a small organization, Shark says, but it is important to identify where data is located and who is responsible for backing it up.
“It’s not just helping regular users to figure out when an email is authentic or not” or teaching employees not to download attachments, Vanover says. “Training is important for IT administrators too.” Managers should ask questions like, “Should I be using my administrator’s account to access the internet?”
The complexity of modern IT networks makes backup a challenge, Vanover says. “To do backup properly, you need to know what you need to back up.”
“It’s not just the data center. You have users’ mobile devices, cloud services, Software as a Service. A complete inventory of what you have on the network is a very important first step,” he adds.
Although there is no silver bullet, Vanover does have a simple piece of guidance that he calls “the 3-2-1 rule.”
“Have at least three copies of the backup on two different media and make sure one of them is offline and preferably offsite,” Vanover says.
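As an added illustration (not part of the original article, and not a tool any of the quoted sources describe), the Python sketch below audits a complete inventory against recorded backup copies and flags assets that miss the 3-2-1 rule as quoted above or that have no tested backup. The asset names, record fields and sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    asset: str            # inventory item this copy protects
    medium: str           # e.g. "disk", "tape", "cloud"
    offline: bool         # not reachable from the production network
    offsite: bool         # stored at a different physical location
    restore_tested: bool  # a test restore from this copy has succeeded

def audit_321(inventory, copies):
    """Return {asset: [findings]} for every inventoried asset with a gap."""
    report = {}
    for asset in inventory:
        mine = [c for c in copies if c.asset == asset]
        findings = []
        if not mine:
            findings.append("FAIL: in inventory but never backed up")
        else:
            if len(mine) < 3:
                findings.append(f"FAIL: {len(mine)} backup copies, rule asks for 3")
            media = {c.medium for c in mine}
            if len(media) < 2:
                findings.append(f"FAIL: all copies on one medium ({media.pop()})")
            offline = [c for c in mine if c.offline]
            if not offline:
                findings.append("FAIL: no offline copy")
            elif not any(c.offsite for c in offline):
                findings.append("WARN: offline copy is not offsite")
            if not any(c.restore_tested for c in mine):
                findings.append("FAIL: no copy has passed a test restore")
        if findings:
            report[asset] = findings
    return report

# Constructed sample data (hypothetical assets, not from the article).
INVENTORY = ["c-drive", "file-server", "bodycam-video", "saas-mail"]
COPIES = [
    BackupCopy("c-drive", "disk", False, False, True),
    BackupCopy("c-drive", "tape", True, True, True),
    BackupCopy("c-drive", "cloud", False, True, False),
    BackupCopy("file-server", "disk", False, False, False),
    BackupCopy("file-server", "disk", False, False, False),
    BackupCopy("bodycam-video", "disk", False, False, True),
    BackupCopy("bodycam-video", "tape", True, False, True),
    BackupCopy("bodycam-video", "cloud", False, True, True),
]

if __name__ == "__main__":
    for asset, findings in audit_321(INVENTORY, COPIES).items():
        print(asset, findings)
```

Driving the audit from the inventory rather than from the backup job list is what surfaces assets that were never backed up at all.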