Invenio-IT

Avoiding Disaster and Protecting the Public with Business Continuity in Government

Picture of Dale Shulmistra

Dale Shulmistra

Data Protection Specialist @ Invenio IT

Published

government-building

In June 2023, an attack by a Russian ransomware gang hit multiple targets, including several federal agencies and state and local government offices. The Department of Energy, the Louisiana Office of Motor Vehicles, and the Department of Transportation in Oregon were just a few of the victims of the attack. From police departments in small towns to sprawling federal agencies, these attacks have crippled public services—sometimes for weeks at a time—underscoring the dire need to maintain business continuity in government.

It’s not just ransomware that government agencies need to worry about. Like any other organization, government bodies are vulnerable to a wide range of disasters that can disrupt operations and cause data loss, leading to costly recoveries that are ultimately paid for by taxpayers.

Whether you’re a government employee or a concerned citizen, it’s important to understand how and why governments plan for continuity. Keep reading to uncover some of the most prevalent risks and identify the key pillars of a successful government business continuity strategy.

The Potential for Public Disaster

Government entities are unique from businesses in that their members are often elected and paid by the public. Likewise, while businesses are focused on earning money by providing products or services to customers, the government’s core responsibility is serving the people by ensuring their safety, privacy, and freedom. As such, a disruption to continuity, which could happen without warning at any time, is potentially disastrous for not only the organization but also for the public at large.

Causes

Although there’s a lot that sets businesses and government offices apart, they’re very much the same when it comes to the types of threats they face. They include:

  • Fires
  • Flooding
  • Natural disasters, such as tornados or hurricanes
  • Data loss
  • Malware
  • Internet and network interruptions
  • Workforce stoppages
  • Terrorist attacks

Most organizations are vulnerable to a number of possible threats, so it’s crucial for government leaders to consider every possible event that could occur.

Consequences

As a result of their core differences from businesses, the stakes are often higher when governments experience emergencies and downtime. There are a variety of possible negative outcomes, such as:

  • Revenue losses
  • Productivity losses
  • Damaged hardware
  • Damaged facilities
  • Sky-high recovery costs

The effects of an interruption to government continuity also extend to citizens and residents who might suddenly be unable to pay their bills, contact emergency personnel, or access critical government aid programs. When these public services are disrupted, citizens quickly lose faith in their local governments and start demanding answers. Worse yet, their livelihoods, homes, and safety can be negatively affected.

The Role of Ransomware

The government faces threats on multiple fronts, but ransomware is perhaps the most frightening of all. With constantly evolving variants and potential exposure of highly sensitive data, ransomware can spell disaster for government offices and the people they serve and represent.

Current Rates of Ransomware Attacks

Ransomware gangs have tightened their grip on government offices over the past several years, perfecting their methods to achieve the greatest impact. In other words, while the problem isn’t new, it’s getting worse. For example, the recent attack on the Department of Energy and other government entities was a follow-up to the 2021 SolarWinds intrusion, during which hackers gained access to email accounts for multiple members of the Department of Homeland Security.

There was a dip in the number of ransomware attacks in early 2022, offering some hope that the threat might abate. On the contrary, it seems that rather than backing down, prominent ransomware gangs were simply taking the opportunity to ramp up stronger, more targeted attacks. These statistics are clear indicators of where things are headed:

  • Dominant ransomware gangs: Some criminal groups creating and deploying ransomware have become more powerful and dangerous than others. According to a report from the Cybersecurity and Infrastructure Security Agency (CISA), 16% of reported ransomware attacks against government offices in 2022 were variants of LockBit.
  • Increasing attack frequency: Ransomware attacks on government offices are now back on the rise. A report from CloudSEK states that the number of cyber attacks targeting government offices increased by 95% in the second half of 2022 compared to the prior year.
  • More offices under fire: Recent statistics from Sophos offer further evidence that the threat of ransomware against government agencies is growing. In 2022, nearly 70% of local and state government organizations experienced a ransomware attack, up from 58% in 2021 and 34% in 2020.

Keep in mind that local and state governments are not necessarily required to report ransomware attacks. Many are increasingly choosing not to because of the potential backlash and negative publicity. This means that the rate of attacks could be much higher than reports suggest.

Where Ransomware Presents a Threat

If you’re wondering if ransomware poses a risk to your local, state, or national government, the answer is yes.

Unlike natural disasters, which are more likely to affect governments in particular regions or geographic areas, ransomware isn’t restricted to any one part of the country. It’s a threat that every government office, regardless of size or location, should be prepared to address.

The United States has already faced dozens of attacks in 2023, and they haven’t been pretty. City and town governments are particularly vulnerable because they often have fewer resources to dedicate to protection and recovery. Consider these recent examples:

  • A wide range of services in the city of Dallas, including the court system, public safety departments, and libraries, were affected by a ransomware attack in June, and city leaders have been reluctant to reveal whether employee and citizen information was compromised.
  • In May, services ground to a halt in Lowell, Massachusetts, as the government went completely offline to wipe and restore all the city’s computers following a ransomware attack.
  • When city officials in Oakland, California, refused to pay the ransom following a February attack, hackers began releasing sensitive information, including residents’ and employees’ social security numbers, and efforts to resolve the attack were still in progress months later.

These ransomware incidents are just a few of many in the United States, and they’re a mere sliver of the massive number of attacks occurring worldwide. One of the most prominent examples occurred last year, when the Conti ransomware gang held the government of Costa Rica hostage, prompting the president to declare a state of emergency. In March 2023, the Biden administration announced that it would provide $25 million in aid to help Costa Rica strengthen its cybersecurity and prevent future attacks.

Outlining a Plan for Business Continuity in Government

While governmental organizations and for-profit businesses differ in goals and functions, a business continuity plan(BCP) is essential for both types of organizations.

A BCP is a comprehensive plan for responding to and preventing disasters. For state and local governments, this means having a plan to address any type of disruption to government services, operations, or employee productivity.

We’ll dig into the most important components below, but here’s a basic outline of what your BCP should contain:

  • Plan objectives
  • Contact information
  • Risk assessment
  • Disaster impact analysis
  • Preventative planning
  • Incident response
  • Recovery procedures
  • Contingency planning
  • Communication
  • Recommendations
  • Testing and plan review schedule

Together, these components represent an organization’s approach to managing business continuity with disaster preparedness, prevention, response, and recovery, sometimes referred to as the four stages of the disaster management cycle.

The Key Steps to Continuity

As you build your BCP, you’re likely to encounter unexpected challenges, questions, and concerns. Breaking the process down into a few essential steps will help simplify the process.

Customize Your Continuity Plan

Even at the local level, government organizations can be very large. A small city government can consist of dozens of departments, employing thousands of workers in multiple buildings.

It’s imperative that your continuity planning takes each of those departments into consideration. Because the goals and functions of each department are unique, you’ll likely need to create customized business continuity plans for each department.

Consider, for example, the impact of a disruption to police services compared to the effects on a parks department. Some areas of government, such as a police department, will naturally have a much higher recovery priority than others, and each will have its own unique recovery procedures and contingencies.

Your master BCP should provide a high-level guide for this prioritization, identifying the most critical departments and services. Then, each department should be broken out into its own business continuity plan with department-specific objectives, risks, and recovery steps.

Create an objectives section at the beginning of each BCP to identify its primary purpose and clarify which departments it covers.

Identify Risks

A risk assessment is the foundation that all your planning is built upon. Without it, you won’t have any insight into the disasters that are most likely to disrupt government operations.

The assessment identifies the specific disruptions that threaten your organization. Nearly all government offices face risks like data loss and natural disasters. However, some will have a higher risk of certain scenarios. For example, coastal areas are much more susceptible to flooding, while terrorism is more likely in high-profile metropolitan areas.

Measuring the Impact

An impact analysis is designed to answer a set of questions related to the potential outcomes of a disaster. They include:

  • Which computer systems would be affected by a large-scale ransomware attack?
  • How long would systems be offline?
  • Which departments would be disrupted?
  • How would it affect public services?
  • What would be the cost, including lost revenue and recovery, of the attack?

An impact analysis defines the impact of a disaster on government operations. It outlines the specific effects of the disruption, as well as the estimated costs. With this information, you can prioritize your continuity planning to focus on your most critical operations or vulnerabilities.

Planning Before Disaster Strikes

If you want to keep disasters at bay, preventative planning is essential. Within IT, this could include the deployment of different technologies and tools, such as:

  • Antimalware solutions
  • Network firewalls
  • Data backup systems
  • Backup power generators

Preventative measures for other areas are varied and depend on the structure, location, and size of your organization. Some of the most common items include:

  • Smoke and fire detection systems
  • Structural integrity assessments
  • Evacuation plans
  • Active shooter drills
  • Cybersecurity training for employees
  • Regulatory compliance training
  • Entry security systems

Failing to implement preventative measures increases the risk that your office will experience a disaster and makes it more likely that you’ll struggle through a long, expensive recovery period if and when a crisis occurs.

Knowing What Happens in the Immediate Aftermath of a Disaster

A severe storm has just knocked out power and internet access to city hall. Email is down, and several public services are unavailable.

What do you do?

These crucial first steps following a disaster are referred to as Incident Response. They are the initial procedures for assessing impacts, stabilizing the situation, and setting recovery in motion. Within government entities, this stage should be carried out by designated recovery teams who know exactly what to do in an emergency situation, as dictated by the BCP.

Using the example above, this stage would include steps for contacting utility companies and the ISP, as well as activating any available backup systems for power or other utilities.

If the disaster poses a danger to employees or the public, this stage should also prioritize immediate efforts to ensure safety and provide a timely medical response.

Quickly Achieving Full Recovery

When Dallas experienced a ransomware attack, public services ranging from the city animal shelter to public libraries were affected. Officials and IT teams worked quickly to restore emergency response systems, but it took several weeks to reopen the municipal court. A month after the disruption, only 90% of the city’s network had been restored.

That is the difference between Incidence Response and a full recovery.

Depending on the nature of the disaster, a full recovery may take several days, weeks, or even months. The immediate response helps to restore the most essential operations while other recovery efforts are underway.

Let’s look at some examples of what constitutes full disaster recovery in a government setting:

  • Return to 100% operational status
  • Full availability of public services
  • Re-staffing and return of workforce
  • Full data recovery from backup
  • Restored power, Internet, or network connections
  • Building repairs or permanent relocation of departments

Depending on the scope of a disaster, even the restoration of a single lost file can be deemed a full recovery. The core objective of recovery is restoring everything back to normal, but what normal looks like differs based on the typical operations of your organization.

Maintaining Communication

Maintaining communication is critical in a disaster.

For businesses, this means ensuring that recovery teams can stay connected, communicate status updates to stakeholders, and send notifications to affected personnel. The same goes for government organizations, but there’s also an additional consideration at play: contacting the public and media.

A government BCP must include protocols for handling this communication. At a minimum, it should address these points:

  • Who is responsible for contacting employees, leadership, residents, and the media
  • What methods of communication should be used
  • How frequently updates should be provided
  • When to use emergency backup communications systems

Laying out these details in a BCP ensures that communication will be clear and consistent following a disaster, which, in turn, helps to avoid public panic and loss of trust.

Making the Plan Even Better

Even the most comprehensive and detailed BCP should be reevaluated and updated on an ongoing basis. Over time, contact information changes, new threats arise, and innovative solutions become available. Regularly updating the BCP keeps all the information up to date and confirms that existing deployments are still adequate.

Determine a schedule for reviewing the plan and identify the individuals who will do it. Certain aspects of your recovery systems should also be tested on a regular basis to ensure they are still effective. Useful tests include:

  • Mock disaster drills
  • Data backup recovery tests
  • Cybersecurity penetration tests

Any vulnerabilities that are identified during these reviews should be incorporated into the BCP, along with recommendations for resolving them.

Implementing Critical Data Protection for Local, State, and Federal Governments

Business continuity in government is critical to protecting data and privacy, avoiding extended periods of downtime, and maintaining a positive relationship with the public. A carefully constructed business continuity plan is an essential framework to guide your response if a disaster occurs. You can achieve even greater protection by pairing your plan with a high-quality business continuity solution that shields your government organization against data loss, ransomware, and other threats.

If you’re struggling to develop or adjust your BCP or put it into action, the team at Invenio IT is here to help. Request a free demo of the most advanced data backup technology on the market, or contact our business continuity experts for support.

Get The Ultimate Business Continuity Resource for IT Leaders
invenio-logo

Join 23,000+ readers in the Data Protection Forum