CitySmart Blog

Tuesday, May 1, 2018
Ryan Warrick, Data Center Engineer

After a recent ransomware attack at the City of Atlanta, the city spent almost $2.7 million to recover. Critical data was likely permanently lost, some data took weeks or months to restore, and documentation shows that the city neglected to take recommended actions after an audit.

An article from American City and County quotes Jake Williams, founder of cybersecurity firm Rendition Infosec, who says, "Emergency support and overtime costs phenomenally more than just handling the issues. In other words, upgrades that might have cost $100,000 in normal budgeting might cost $300,000-plus in emergency spending during an incident."

In other words, when an incident happens and you’re not prepared, you could spend three times as much, or more, than you would have through normal budgeting. Think of it in terms of a vehicle repair. Some preventative maintenance may cost you $1,000. But if you neglect that maintenance and the vehicle breaks down, then your city could be faced with a bill of $3,000 or more.

The same logic holds true for your cybersecurity. And one extremely low-cost “insurance” investment that can help you recover from a wide variety of incidents—rather than paying a sudden, large amount of money—is data backup and disaster recovery.

In a recent blog post, we outlined four pillars of a data backup and disaster recovery plan.

1. Address time to recovery for smaller incidents through onsite data backup.
2. Plan for worst-case scenarios through offsite data backup.
3. Ensure that you can access your data soon after an incident.
4. Test your disaster recovery plan.

When cities take many weeks or months to recover from an incident, it’s likely they did not have a comprehensive, tested data backup and disaster recovery plan in place. Compared to the cost of a cybersecurity incident, such a plan is very affordable.

Here is how a data backup and disaster recovery plan can serve as additional cybersecurity “insurance.”

1. Recover from ransomware.

Ransomware is a form of malware that, once activated, will encrypt your files. Criminals then demand that you pay a ransom to get your data back. A comprehensive disaster recovery plan will include an offsite data backup component. Every day, and possibly throughout the day, the offsite data backup technology will ensure that your data is copied, sent to a data center (or data centers) located geographically distant from your city, and kept completely separate from your onsite data.

So, let’s say ransomware hits you on a Tuesday. With offsite data backup, you could go back to an uncorrupted copy of your data at the last point it was copied offsite before the ransomware hit. You may lose some data, but that’s a much better situation than losing days, weeks or months of data—or permanently losing data.

2. Reduce liability and remain compliant.

Cities are custodians of sensitive and confidential data related to citizens, businesses, and government operations that includes information about taxes, public safety, payment transactions, and personnel. Laws, regulations, policies, and procedures exist that require you to protect this information.

Today, data backup and disaster recovery plans and solutions are considered a best practice for all organizations, including cities. Any city neglecting to properly back up records and data, or failing to recover data after an incident, should expect significantly higher costs when reactively attempting to recover data versus the costs of proactively performing data backup and disaster recovery.

3. Recover from a disaster.

Obviously, cities can’t control the weather or a natural event. However, cities can plan how they will respond to a disaster. Remember, the continuity of your city’s operations is critically important for citizens. After a disaster, they will look to you for information, help, and services. A good data backup and disaster recovery plan allows you to access data after a disaster and serve citizens. Even if city hall is destroyed, you can set up at an emergency location and begin to restore or immediately access systems, records, and data.

4. Protect body camera video.

When you have body camera video, you must meet your state’s records retention policies. Transparently retrieving body camera video helps you in a crisis after a sensitive incident. But if you can’t retrieve specific body camera video that your state’s records retention policies say you must produce, then various forms of backlash may result.

A data backup and disaster recovery plan must account for the nuances of body camera video—especially storage volume and length of retention. Body cameras produce large amounts of data. Explaining that you ran out of storage is not a solution to the problem of body camera video retention or an excuse if you’re unable to produce a specific video.

5. Follow records retention laws.

You are required to follow your state’s records retention laws. Part of those requirements may include policies about data backup and disaster recovery. Even if explicit laws don’t exist requiring a data backup and disaster recovery plan, the laws implicitly state that you need to produce records, if requested, that fall under a specific retention period.

For example, the Georgia Municipal Association’s City Clerk Handbook states, “All local governments are required by state law to have an adopted records management plan which includes the designation of a records manager to coordinate and perform the responsibilities of the plan, an approved records retention schedule, and provisions for the maintenance and security of the records.” Arguably, maintenance and security include a data backup and disaster recovery plan to help protect and secure records from loss—no different than protecting paper records from fire, flooding, tornadoes, loss, or theft.

A data backup and disaster recovery plan provides you additional “insurance” that covers many critical scenarios. If you don’t have such a plan in place, then the costs of a likely incident in today’s cyber world can suddenly grow very expensive. Investing in a way to back up your data, manage the data, and regularly test your solution to ensure that your data can be recovered after a disaster or incident will give you peace of mind financially, legally, and, yes, ethically.

Do you have uncertainty about the cost and liability you would face after a significant incident? Reach out to us today to discuss your data backup and disaster recovery plan.