North Dakota Insurance Reserve Fund - Blog

By NDIRF CIO Vance Krebs

Your political subdivision’s Disaster and Recovery Plan outlines your strategy for preventing and recovering from a disaster, should one occur. As it relates to your information technology (IT) department, a disaster is an event that limits or completely disrupts your political subdivision’s ability to access its data and continue operations. Examples of disasters include severe weather events such as floods or tornadoes that cause temporary or permanent damage to technology equipment, and cyber attacks such as data breaches, which compromise (views, copies, shares, etc.) sensitive organizational data, and ransomware, which encrypts or seizes organizational data until a ransom is paid.

PREVENTING A DISASTER

While you may not be able to prevent severe weather, there are a few ways you can prepare for it:

Keep your political subdivision’s hardware (servers, network equipment, etc.) in a hardened, temperature-controlled environment. Hardened environments are built to withstand severe weather events and provide redundant network and power connections to ensure uninterrupted operations. 

Leverage geographical diversity for data backup. This solution requires your political subdivision to perform backups locally and in one or more distant locations (ex. across the state). Geographical diversity helps to ensure if a disaster strikes in one location and takes equipment offline, you can access equipment in a different location to maintain operations.

Back up data to the cloud. Cloud environments are accessible via the internet, allowing you to back up your data to a remote cloud server as long as you have an internet connection. Based on your political subdivision’s needs, you can choose from a public, hybrid, and private cloud environment.

EMPLOYEE EDUCATION

Preventing a cyber attack disaster starts by educating your political subdivision’s employees who are your first line of defense. Depending on your political subdivision’s size and cybersecurity needs, employee education can be delivered in many forms:

Communication to employees regarding recent spam and/or phishing attempts made within your office. Each time a communication is sent, it gives your political subdivision the opportunity to educate your employees about the importance of good cybersecurity hygiene and remind them to remain vigilant while they are checking their emails, opening attachments, clicking on links, and visiting unfamiliar websites.

Routine communication about the current cybersecurity climate, an overview of different cyber attacks (phishing, spam, malware, ransomware, etc.), and tips to help keep their personal and professional information safe. For example, NDIRF employees are regularly reminded to take a few seconds to verify emails before responding to or engaging with them (opening attachments, clicking on links, etc.). The things they look for are a sender’s correct email address, consistency in language and grammar used, and by simply asking themselves if they expected to receive the email.

In-house or third-party employee training. There are many resources available across the state as well as online that enable your political subdivision to help your employees improve their cyber hygiene. These training resources can be integrated into your existing training programs or serve as your program in their entirety. 

Many political subdivisions have a safety committee or group in which cybersecurity is one of its areas of focus in addition to physical and emotional workplace safety. This is a great solution to incorporate cyber safety into your political subdivision’s culture. 

WHAT ABOUT RECOVERY? 

Recovery is what happens after a disaster occurs. The fastest way to recover is having a clear roadmap with where to start. Cue your backed up data.

Backed up data can be recovered, allowing you to reconfigure systems, access files, and restore your political subdivision’s network to full operation.

As I mentioned previously, data can be backed up to local and geographically diverse servers or in the cloud. Further options include external hard drives and cards, tapes, disks, etc. Regardless of which backup solution you use, the most important thing is your political subdivision is regularly backing up its data.

Regularly backing up your data can be as frequent as 1-2 times per day, or more, once per week, or once per month. My recommendation is that you choose to back up your data as frequently as possible because you’re likely making daily changes to applications or documents that contain important information, including payroll, benefits, contracts, policies and procedures, and other critical data.

In addition to having your data backed up, it’s important your political subdivision has an IT disaster recovery plan, which is a multi-step plan to minimize further disaster, determine the extent of the disaster, communicate the extent of the disaster, and safely return to pre-disaster operations. The last critical piece of the IT disaster recovery plan to is update it after a disaster occurs, citing your learnings and making adjustments to prevent future disasters.

I encourage you to take the plan update piece one step further by monitoring the cyber landscape and watching for cyber attack trends to ensure your plan accounts for the latest threats and resolution to threats.

If you have any questions about the information shared in this article, please reach out to me at (701) 224-1988 or Vance.Krebs@ndirf.com.