It was announced in March 2024 that VC3 has been added to CSDA’s endorsed affiliate value-added membership benefits. VC3’s local government-focused cybersecurity and technology services are consistent with the CSDA's mission to promote good governance and improve core local services for all types of independent special districts in the state of California. For more information on member-exclusive benefits, contact membership@csda.net or david.surfas@vc3.com.
This article is adapted from VC3 General Manager Corey Kaufman’s presentation at the 2023 CSDA Board Secretary/Clerk conference. The article first appeared in California Special Districts magazine’s March/April 2024 issue.
The presentation detailed the risk of cyberattacks, ransomware, or system failures that can make data inaccessible and cripple an agency’s ability to function. The presentation walked through how to assess an existing backup system, the pitfalls of some backup options that agencies may currently use, and a checklist of data backup essentials to ensure your agency is not an easy target.
Identify Critical vs Non-critical Data
Take the time to identify all critical records, documents, databases, payroll, accounting, financial databases, public safety data, court data, utility billing, 911, and any other mission critical systems. Secondly, understand where the critical data is housed. Is it on local servers in the office, on individual computers, on thumb drives or external drives, or accessed over the internet? These are all critical questions to answer. Lastly, identify who has access to the data.
Assess Your Backup Methods
There are many options for backing up data, and understanding the vulnerabilities associated with
various methods will help you select the right one for your situation.
Synchronization: An example of synchronization would be relying on systems like OneDrive or Google Drive. Synchronization allows files to be saved to the cloud in seconds, users can retrieve files if the local hard drive is damaged, versioning can (and should) be enabled, and a suitable retention period should be selected. Challenges arise that make solely using this method inadvisable, including the potential to have data encrypted (such as during a ransomware attack) and then synchronized to the cloud (thus overwriting good data), making restoration all but impossible.
Frequency: How often is your data backed up? The frequency will affect how much critical data can be recovered after an incident.
Recovery Speed: How long can your district operate without access to critical data? Bear in mind that restoration time is not the same as backup time. Create a list of priority services and determine a recovery time objective for the critical data that keeps your operations running.
Recovery Point Objective: The recovery point objective (RPO) describes loss tolerance and how much data an agency can afford to lose. If an incident occurs, what’s the most recent data backup needed so that an agency can pick up as if nothing happened? Yesterday? A week or two ago? Three months ago?
Local Data Is Critical: If you have data backup servers onsite that replicate data from your primary servers, they should take over quickly if a server fails. Onsite backup servers should back up throughout the day without manual effort. Additionally, local backup servers don’t require internet access to retrieve data.
Offsite Data – Far But Not Hard to Reach: In the event of a natural disaster, ransomware, or other incident that destroys local data, it is important to have a secondary option stored far enough away that it would be unlikely to encounter the same failure. You should be able to access your data within hours after a disaster.
Other Backup and Data Considerations
Incident Response Planning: It’s important to develop a written response plan detailing how to respond to a cyberattack. Then, practice the plan regularly like a fire drill. The plan should include who responds, how to respond, and a timeline of response along with a prioritized hierarchy to address the most critical data first.
Run the Drill: Run through tabletop scenarios with the response team, document the results, and identify areas of concern to address. Recognize that each failure in the response drill is an opportunity to improve the plan.
For more information on data backup strategies, or to schedule a “checkup” of your district’s current process, contact Corey Kaufman at Corey.Kaufman@vc3.com.