A recent article in CSO Online
talked about some confusion between disaster recovery and security recovery. The article’s opening sentences state that “Many enterprises blend their disaster recovery and security recovery plans into a single, neat, easy-to-sip package. But does this approach make sense?” Analyzing the differences between the two, the article goes on to outline why it’s important to separate them out.
If we take a step back, this topic represents a bigger confusion about the holistic nature of IT. Information technology sometimes seems like it’s just about computers, software, networks, bits, and bytes. Best practices, policies, people, and other non-technical aspects of IT are often forgotten and too commonly unconsidered, which creates great risk for cities.
Limiting your IT scope will increase risk and liability for your city. Therefore, consider IT like a tripod—and stand firmly upon these three legs to address any real risks you may be overlooking.
What’s the easiest way to know if your IT is successful? Proactivity. A reactive IT environment is usually fraught with chaos. There is always a hot fire, issues are always very bad issues, and security risks are wide open. Shifting to a more proactive mindset literally transforms the way cities operate and work.
Proactive IT involves:
2. EMPLOYEE TRAINING
- Policy: If you need a quick reference, we’ve talked a lot about security policies in past blog posts. Policies should cover vendor contracts and management, network security, wireless security, physical access security, logical access security, disaster recovery, and application controls (such as data input, processing, and output).
- Processes: IT runs more like a machine when you have documented processes. Processes also reduce errors, decrease security risks, and allow for faster learning curves when new people must administer and use your systems.
- Technology and Tools: IT professionals should use monitoring software that continually assesses the health of your systems and proactively detects issues that need resolving.
No matter how sophisticated your IT systems and how experienced the professionals who oversee them, your employees must use technology properly and protect themselves from constant security attacks. Ongoing training is essential, especially as security threats evolve.
Training should include aspects such as:
- Spotting email phishing attacks: Email phishing attacks grow more sophisticated as hackers target specific people within cities to steal money or gain access to confidential, sensitive information. Employees need to know the signs of malicious emails and learn how to be skeptical.
- Avoiding malicious websites: Employees are human. They like to download games, take quizzes, and visit websites that interest them. However, many websites mislead people to get them to download malware, viruses, and ransomware. While browser security can help block some websites, employees need to be trained on what to watch for as they visit webpages on the internet.
- Social engineering by phone: Today, hackers are leveraging all means to steal and destroy your data for their financial gain, including the phone. A hacker that’s good at social engineering may trick you into thinking they are a city employee. From there, they may gain information they need to steal an employee’s identity or take over an employee’s email account. Employees must follow strict procedures when vetting people over the phone or email to know when it’s appropriate to give information away.
3. DATA BACKUP AND RECOVERY
The final leg of the tripod prepares you for the worst. In case of an incident, whether it’s a server failure or a tornado that destroys a building, you need the ability to recover your data. Data backup is also crucial for security incidents such as ransomware where a hacker encrypts your data and demands a ransom from you to get it back. Instead of paying the criminal, you are prepared and able to recover your data.
A good data backup and disaster recovery solution includes:
- Onsite data backup for quick recovery after less impactful events like a server failure.
- Offsite data backup for worst-case scenario recovery after a major incident like a natural disaster or a massive virus outbreak.
- Periodic data backup testing to make sure you will be able to recover your data after a disaster. So many cities do not test their data backups, and those backups may fail when you need your data most.
Use this post to assess if you’ve got the full IT tripod. If you are missing one or more legs, then you might feel a bit wobbly. Make plans to fix those areas as soon as possible. When you do, you will increase your operational capabilities while decreasing security risks and liability.