SOLVED: How to Approach Business Continuity in Government
A destructive ransomware attack on the City of Baltimore is the latest in a series of targeted attacks at government offices recently. From Atlanta to Albany, these attacks have crippled public services—sometimes for weeks at a time—underscoring the dire need for maintaining business continuity in government.
But it’s not just ransomware that government agencies need to worry about. Like any other organization, government bodies are vulnerable to a wide range of disasters that can disrupt operations, leading to costly recoveries (ultimately footed by taxpayers).
In this post, we uncover some of those risks and identify the key pillars to a successful government business continuity strategy.
A public disaster
Government entities differ from businesses in that they are elected by the public, paid for by the public and their core responsibility is serving the public. So when operational disruptions occur, they have the potential to affect large populations of people, not just a single company.
But in terms of what causes those disruptions, it’s not much different than the threats that businesses face:
· Natural disasters
· Data loss
· Internet / network interruptions
· Workforce stoppage
· Terrorist attacks
As a result of these events, governments can face revenue losses, productivity losses, damaged hardware, damaged facilities and sky-high recovery costs. Additionally, when public services are disrupted, citizens quickly lose faith in their local governments and start demanding answers.
Worse yet, when people can’t pay their local tax bills or obtain the government services they depend on, actual lives can be negatively impacted.
20+ government ransomware attacks this year
Let’s return for a minute to the growing threat of ransomware, which locks your files and demands a ransom to restore them.
As of mid-May, there were 22 known ransomware attacks on government offices in 2019. If the attacks continue at this rate, they’ll outpace the rate in 2018, and that wasn’t a great year either. Attacks against local and state governments rose 39% last year, according to a report by the cybersecurity firm Recorded Future.
The attacks this year haven’t been pretty:
· Jackson County, Georgia, paid a $400,000 ransom to restore their computer systems after a ransomware attack.
· In Albany, New York, ransomware took down the city’s email systems and impacted the computers inside police patrol cars.
· Orange County, North Carolina, was sidelined by ransomware for the third time in six years.
Local and state governments are not necessarily required to report ransomware attacks – and many are increasingly choosing not to. This means that the rate of attacks could actually be much higher.
Outlining a plan for business continuity in government
While governmental organizations and for-profit businesses differ in goals and functions, a business continuity plan (BCP) is essential for both types of organizations.
A BCP is a comprehensive plan for responding to disasters and preventing them. For state and local governments, this means having a plan for addressing any type of disruption to government services, operations or employee productivity.
We’ll dig into the most important components below, but here is a basic outline of what your business continuity plan should consist of:
· Plan objectives
· Contact information
· Risk assessment
· Disaster impact analysis
· Preventative planning
· Incident response
· Recovery procedures
· Contingency planning
· Testing and plan review schedule
Together, these components represent an organization’s approach to managing business continuity with disaster preparedness, prevention, response and recovery (this is sometimes referred to as the 4 stages of a disaster management cycle).
A crucial tip for government agencies …
Even at the local level, government organizations can be very large. A small city government can consist of dozens of departments, employing thousands of workers at multiple buildings.
It’s imperative that your continuity planning takes each of those departments into consideration. And since the goals and functions of each department are unique, you’ll likely need to create customized business continuity plans for each department.
Consider, for example, the impact of a disruption to police services vs. the parks department. Some departments will naturally have a much higher recovery priority than others, and each will have its own unique recovery procedures and contingencies.
Your master BCP should provide a high-level guide for this prioritization, identifying the most critical departments and services. Then, each department should be broken out into its own business continuity plan with department-specific objectives, risks and recovery steps.
Use the “Objectives” section at the beginning of the BCP(s) to make it clear which departments the planning applies to and what the document’s primary purpose is.
Creating an effective government BCP is impossible without a risk assessment. This assessment is the foundation that all your planning is built upon. Without it, you won’t have any insight into the disasters that are most likely to disrupt government operations.
A risk assessment identifies the specific disruptions that threaten the organization. Nearly all organizations face risks like data loss and natural disaster. But some government organizations will have a higher risk of certain scenarios: for example, flooding in coastal areas, or terrorism in high-profile metropolitan areas.
Measuring the impact
Which computer systems would be affected by a large-scale ransomware attack? How long would systems be offline? Which departments would be disrupted? How would it affect public services? And at what cost?
These are the questions that an impact analysis aims to answer.
An impact analysis defines the impact of a disaster on government operations. It outlines the specific outcomes from the disruption, as well as the estimated costs. With this information, you can prioritize your continuity planning to focus on your most critical operations (or vulnerabilities).
Before disaster strikes
Preventative planning is essential for keeping disasters at bay.
Within IT, this could include the deployment of antimalware solutions, network firewalls, data backup systems, and backup power generators, just to name a few.
Other preventative measures can include smoke and fire detection systems, structural integrity assessments, evacuation plans, active shooter drills, cybersecurity training for employees, regulatory compliance training and entry security systems.
In the immediate aftermath of a disaster
A severe storm has just knocked out both power and Internet access at city hall. Email is down, and several public services are unavailable.
What do you do?
These crucial first steps following a disaster are referred to as Incident Response. They are the first procedures for assessing impact, stabilizing the situation and setting the recovery in motion. Within government, this stage should be carried out by designated recovery teams who know exactly what to do in an emergency situation, as dictated by the BCP.
Using the example above, this stage would include steps for contacting utility companies and the ISP, as well as activating any available backup systems for power, Internet and so on.
If the disaster has posed a danger to employees or the public, this stage should also prioritize immediate efforts for safety and medical response.
When the City of Baltimore experienced a ransomware attack, nearly every department lost access to email. Within the next 24 hours, however, IT teams restored email for the most critical personnel, while the larger recovery continued for more than a month.
That is the difference between Incident Response and a full recovery.
Depending on the nature of the disaster, a full recovery may take several days, weeks or even months. The immediate response helps to restore the most essential operations while other recovery efforts are underway.
Examples of disaster recovery in a government setting:
· Return to 100% operational status
· Full availability of public services
· Re-staffing and/or return of workforce
· Full data recovery from backup
· Restored power, Internet or network connection
· Building repair or permanent relocation of department
Even the restoration of a single lost file can be deemed a full recovery. The core objective of recovery is restoring everything back to normal.
Who needs to be updated? And how?
Maintaining communication is critical in a disaster.
For businesses, this means ensuring that recovery teams can stay connected and communicate status to stakeholders, as well as sending timely updates to affected personnel. The same goes for government organizations, except with the additional need to update the public and media.
A government BCP must include protocols for handling this communication: who contacts whom, which methods should be used, when to use emergency backup communications systems and so on.
Making the plan even better
A business continuity plan needs to be reevaluated and updated on an ongoing basis. This will ensure that all the information is up to date and that existing deployments are still adequate.
Determine a schedule for reviewing the plan and identify the individuals who will do it. Certain aspects of your recovery systems should also be tested on a regular basis to ensure they are still effective. Examples can include mock disaster drills, data backup recovery tests and cybersecurity penetration tests, just to name a few.
Any vulnerabilities that are identified during these reviews should be incorporated into the BCP along with recommendations for resolving them.
Critical data protection for local, state and federal government
Learn more about implementing a business continuity solution that can protect your government organization against data loss, ransomware and other threats. Request a free demo of today’s advanced BC/DR technology from Datto, or contact our business continuity experts at Invenio IT: call (646) 395-1170 or email success@invenioIT.com.