Governments Aren't Meeting Data Resilience Requirements: How Citizens’ Private Data Can Be Protected


State and local governments are on the front lines in the war against cybercrime. Sophos’ The State of Ransomware in State and Local Government 2022 certainly hits home: 58 percent of local government organizations were hit by ransomware in 2021—a 70 percent increase over one year.

Even worse, the sector itself had one of the highest rates of data being encrypted by an attack. And more than half of respondents said they perceive an increase in the volume, complexity, and impacts of attacks.

The 2022 Verizon Data Breach Investigations Report Public Sector Snapshot says there were 2,792 incidents affecting government agencies and others in the sector in 2021, with 537 confirming that data was disclosed. Meanwhile, a recent Security Week article notes that there were 105 known ransomware incidents involving local governments in 2022, with at least 267 also resulting in a data breach.

Clearly, many public sector entities aren’t meeting their data resilience requirements. So, what exactly is resilience, and how does it apply to your organization’s data?

Resilience: Adapt or Else

A recent McKinsey article, “What is Resilience?” says resilience refers to the ability of an organization or system to adapt to changing circumstances and maintain its core functions. While resilience covers all aspects of government, from physical security to waste management, data is the lifeblood that enables your agencies to deliver most services to your citizens. Without access to your data, everything can come to a screeching halt.

For state and local governments, data resilience means you have the protections that ensure you can recover your critical data if a cyberattack, natural disaster, or outage hits you. Often, that isn’t the case due to tight budgets where other pressing needs take priority. The IBM Cost of a Data Breach Report found that the average total cost of a data breach in the U.S. was $4.35 million in 2022. If you’re an IT pro responsible for your organization’s data protection, these numbers should help make your case that more civic investment in data resilience is required.

Start With Education

According to the Verizon 2022 Data Breach Investigations Report, 82% of breaches involved the human element, including social attacks, errors, and misuse. That should motivate you to raise your people's awareness of their role in data resilience and protection.

The Cybersecurity and Infrastructure Security Agency (CISA) offers cybersecurity training and exercises for federal employees, critical infrastructure operators, cybersecurity professionals, and the general public that can get you started in the right direction. And ISACA, an international professional association focused on IT governance, also offers training and events for IT professionals and other stakeholders that can help you strengthen your data protection efforts.

Undergo a Cyber Resilience Review

Another high-value resource offered by CISA is the Cyber Resilience Review (CRR) program. The CRR is a no-cost, voluntary, non-technical assessment that evaluates your organization’s operational resilience and cybersecurity practices. The assessment covers incident response, disaster recovery, and business continuity and identifies and prioritizes areas for improvement in your cybersecurity posture.

Leverage Government Resources

CISA also offers a communications and cyber resiliency toolkit to help you better withstand potential disruptions. Another government agency that provides resources for state and local governments is the National Institute of Standards and Technology (NIST), which offers a Cybersecurity Framework, a set of guidelines for addressing vulnerabilities and reducing cyber risks. And, because resilience goes beyond your data, the Federal Emergency Management Agency (FEMA) offers resources you can use that range from incident response plans to exercises that help you stay prepared for any disaster.

Invest in Data Protection Technologies

Regardless of the size of your state or local government entity, you need a data protection solution that ensures your data is safeguarded and can always be recovered.

The 3-2-1-1 backup strategy is the first step. The strategy is simple: Keep three copies of your data—one primary and two backups—with two copies stored locally on two formats (network-attached storage [NAS], tape, or local drive) and one copy stored offsite in the cloud or secure storage.

The last “1” stands for immutable storage. Immutable backups are saved in a write-once-read-many-times format that can’t be altered or deleted. Even if a ransomware attack gets past your defenses, you can be confident that your data is recoverable. It’s a must-have feature.

Choose Wisely

Arcserve offers solutions designed to meet the data protection needs of state and local government entities, both large and small. Making the right choices to ensure you comply with regulations—let alone avoid the painful results of a data breach or ransomware attack—requires the expertise Arcserve technology partners deliver. Find a partner here. And be sure to check out our on-demand data protection demos.
