How can I safeguard my county's data?

Lessons learned from counties recovering from cyberattacks

By Shiloh Perry, Communications Specialist

  • Share this:

“You’ve been hacked” — three words any organization might be surprised to hear, especially small Texas counties like Jackson and Shelby. Whatever emotion comes to mind upon hearing those words, one fact is apparent — cyberattacks are severe. They have the same impact as any other disaster. They can destroy a county’s business operations completely and compromise the private data of thousands of Texas taxpayers.

The risk hackers pose to Texas counties and taxpayers prompted the state Legislature to enact a law that requires counties of all sizes to protect themselves by taking a state-certified cybersecurity course like the one provided free to members by the Texas Association of Counties. The deadline for taking the course is June 14.

Jackson and Shelby county officials can attest to how important cybersecurity education is in thwarting bad actors coming after confidential data stored in county servers. Employees in both counties practice security methods the course teaches to protect themselves against future cyberattacks. 

“TAC’s cybersecurity course is very valuable. What I would tell other counties is don’t wait until the due date to complete the course,” Jackson County Judge Jill Sklar said. “There are practices in the training that you need to know right now, like deleting emails that are unrecognizable. It is imperative to educate your employees.” 

Jackson and Shelby county officials speak from hard-fought experience when they urge their counterparts in other counties — especially those who haven’t yet been the target of a cyberattack — not to put off their required training. They also praise state lawmakers for making cybersecurity a legislative priority during the last session.

“I commend the Texas Legislature for prioritizing cybersecurity because of the current rise in cyberattacks. “I would have never thought my office in Shelby County would be hacked, but we were,” Shelby County District Clerk Lori Oliver said. “I also commend TAC for all of the work it’s done to obtain the DIR certification for the training course. The TAC cybersecurity awareness program that was offered last year was very valuable, and I believe now offering the certified course for free will help all counties, especially those that don’t have that many resources to allocate towards cybersecurity protection.” 

Recovering from a cyber disaster

Unidentified hackers hit Jackson and Shelby counties last year. Officials in Jackson County describe the cyberattack as they might a major hurricane.

“We didn’t know the extent of damage to our data, but we knew it was bad, and we had to do something to salvage and recover everything we could,” Jackson County Judge Sklar said. “We treated it the same as the hurricane and declared a cybersecurity disaster for our county through the Office of the Governor.” 

Hackers hit the digital files of Jackson County’s 911 dispatch operation and Shelby County’s digital backup system in the District Clerk’s Office. Both counties worked hard to rebuild their technology infrastructure and are persistent in their efforts to overcome any related challenges that still remain. 

“Last year was one of the hardest years for me in my 15 years of being Shelby County District Clerk because of the cyberattack,” Shelby County District Clerk Lori Oliver said. “Employee morale suffered because it was quite stressful. But we got through it, and we’re continuing to get through because work has to and will be done for the citizens we serve.”

County employees navigated the situation by coming together as a team, learning as much as they could about their county’s technology infrastructure, and implementing robust cybersecurity measures. They learned that they needed multiple security measures to better protect against future attacks and said constant observance of these practices is required. 

“To fully embrace today’s digital age, cybersecurity is a must,” Oliver said. “You never know when your data will be confiscated, and that could be detrimental to your work responsibilities.”

Here’s the cybersecurity best practices they advise their counterparts in other counties to implement — if they haven’t already. 

Prioritize technology infrastructure 

County business operations rely heavily on their information technology infrastructure — its collection of computers and other hardware, networks, software, data centers and related equipment. The security of county information technology is vital, and, therefore, it should be a top budgetary priority for elected county leaders, said county officials who have been the victims of recent cyberattacks. 

“Data is valuable; your network is valuable,” Jackson County Sheriff A. J. Louderback said. “This is a key component of county government. Without the network, computers and data, your employees cannot work. It may be unpopular during a budget workshop, but there has to be ongoing yearly investment in technology and cybersecurity. My advice is to influence decision makers to prioritize this more.” 

Cybersecurity support has become an important part of vendor policies and the bid process, Jackson County officials said. Cybersecurity needs to be included in all IT contracts, especially those associated with catastrophic or critical events. The IT vendor under contract with the Jackson County Sheriff’s Office was able to help the office become operational again shortly after the attack. The vendor set up an internal network for offense reports, the computer-aided dispatch center and booking to help the Sheriff’s Office to resume operations, Louderback said. 
In the aftermath of the cyberattack, Jackson County fully revamped its technology infrastructure. This also included significant investments in new operating procedures for employee file sharing and software downloads. 

“We worked several nights and weekends to be ready for specifically set trials during the cyberattack, and Jackson County invested a lot of time and money making our system more secure,” Jackson County District Attorney Pam Guenther said. “Now that we have a more secure system, we are better prepared if this [cyberattack] happens again.” 

Back up county data

Jackson County officials recommend a cybersecurity best practice known as “air gaps.” Air gapping secures a business’ computer network by physically isolating the backup data from the network. In addition to having air gap security measures in their technology infrastructure, Jackson County employees practice simple information backups. 

“Backing up data doesn’t just mean using big technology systems,” Sheriff Louderback said. “Let’s also use other data storage technology, such as thumb drives, to save information in multiple locations.” 

But a system of multiple data backups are essential to surviving cyberattacks, county officials said. Counties must consistently back up their data in a variety of ways to remain operational and protect taxpayers’ private information. The Shelby County District Clerk’s Office was able to remain open and continue working after its attack because of their use of off-site backup servers. 

“Our contactor went in and did a random backup of our server at 7 p.m. and at 1 a.m. the next morning the ransomware attack occurred. Thankfully, we were able to save our records from the day prior so that we could continue our work responsibilities, even though some of our data is lost for the time being.” District Clerk Oliver said. “Everyone needs an off-site backup. With all of our records online these days, the online backup conducted by our IT contractor saved our lives.”