It’s a normal morning until it isn’t. Suddenly staff can’t log in. Systems are inaccessible. The phone starts ringing off the hook.
But the calls are not from IT. They’re from operations: intake can’t move applications forward, the check run was supposed to happen today, residents can’t make payments, maintenance doesn’t know what jobs were scheduled, and inspectors don’t know which units were on the docket.
In moments like this, the most important question isn’t what failed. It’s whether leadership can explain what happens next, and how long recovery will realistically take.
For many Public Housing Authorities, that question is tied to hosting decisions made years ago, often when expectations around cybersecurity, disaster recovery, and remote access were very different. When systems go down, those decisions surface immediately, not as technical details, but as operational consequences leadership is expected to explain.
“What if we are the next headline?”
For many Public Housing Authorities, cybersecurity and disaster recovery are discussed as technical concerns. They’re abstract things IT teams manage quietly in the background. But when systems go down, the impact is immediate, visible across the agency, and can last for weeks.
And leadership is asked to explain what happened, how long recovery will take, and whether the risk could have been reduced.
These questions aren’t hypothetical. Across state and local government organizations, ransomware and system outages have become a regular operational reality. The expectation has shifted: leaders are no longer asked if they have a plan, but how well it works under pressure.
By the numbers: why this risk is no longer abstract
- 34% of state and local government organizations reported being hit by ransomware in 2024, according to a recent study of public‑sector entities.
- In a review of 1,133 confirmed ransomware attacks on government entities between 2018 and 2024, average downtime was 27.8 days. Nearly a full month.
- Recovery is not quick or inexpensive. The typical ransom demanded in state and local government ransomware incidents was $2.3 million in 2024, a figure that doesn’t account for operational and reputational costs.
One of the simplest ways to reduce risk is to focus on access. Most incidents begin with compromised credentials, not sophisticated tactics.
This is why access control and recovery planning matter. Elite Hosting supports security measures like multi‑factor authentication (MFA) to reduce unauthorized access, and provides a managed environment designed to support recovery when primary systems are unavailable. The leadership question isn’t whether risk can be eliminated. It’s whether you can explain your controls and your recovery plan, in plain language, when it matters most.
“What if a disaster takes us offline?”
In practice, natural disasters create a different kind of outage risk: physical access to buildings may be disrupted at the same time that systems and data are needed most, especially when recovery depends on on‑prem infrastructure. Housing work has a clock on it. Residents still need answers. Deadlines don’t move. Staff are left juggling paper processes, in-person transactions, and incomplete information while leadership is asked a difficult question before there’s a clear answer: how long will this last?
This is where disaster recovery stops being a document and becomes an operational capability. Elite Hosting includes a geo‑located mirrored environment using Azure Site Recovery, designed to support system availability and recovery when primary infrastructure is unavailable. And of course, backups are automatic. It’s impossible to eliminate disruption entirely, but leadership can shorten the window where agencies are forced into manual, high‑stress workarounds.
“What if our IT reality can’t support the expectations?”
Addressing outages and recovery planning often starts as a risk conversation. But for many PHAs, it quickly becomes an operational one. The same infrastructure choices that determine how agencies recover from disruption also shape day‑to‑day workload, staffing strain, and long‑term sustainability.
That’s why many agencies begin exploring hosting not only to improve resilience, but to reduce the ongoing burden of maintaining on‑prem environments. Even with a strong team, on-prem environments require continuous work: backups, updates, patching, maintenance, troubleshooting, and planning for worst-case scenarios.
Elite Hosting is designed to take on the infrastructure work Emphasys can manage, including security, backups, updates, and disaster recovery. Managed services can also include deployments, test environments, after-hours updates, and password resets.
Every hour that your IT staff spends on server maintenance is an hour not spent on strategic, higher-value work at your PHA.
“What changes for staff?”
When leaders hear “hosting,” a common concern is how much will change for the people who rely on Elite every day. Will workflows be disrupted? Will staff need to relearn the system? Will access become more complicated?
In practice, hosting is designed to minimize change for end users while reducing the behind‑the‑scenes burden placed on internal teams. Staff continue to use Elite the same way they do today. What shifts is who owns the infrastructure work required to keep the system secure, available, and recoverable.
For IT and technical staff, this often means fewer after‑hours emergencies tied to server maintenance, patching, backups, and recovery planning. Instead of being responsible for monitoring hardware health, storage capacity, and disaster recovery readiness, teams can focus on higher‑value work: supporting users, improving processes, and planning for future needs.
For operational staff, hosting reduces the risk of prolonged downtime that forces manual workarounds, delayed processing, and resident frustration. When systems are more resilient and recovery expectations are clearly defined, staff spend less time responding to outages and more time delivering services.
Importantly, hosting does not require agencies to re‑architect how work gets done. The goal is continuity, not disruption. By moving infrastructure responsibilities to a managed environment, agencies can create more predictable operations for staff, even as external pressures, staffing constraints, and risk expectations continue to grow.
A short readiness checklist:
- Are you confident your agency’s data is protected from malware and hackers?
- Do you have a disaster recovery plan you can explain, including how fast you can resume operations?
- Who owns backups, updates, and after-hours maintenance today, and is that sustainable?
- Are you being asked to show stronger cybersecurity posture and disaster recovery readiness by leadership, auditors, or stakeholders?
Next steps
To talk through hosting options for your on-prem Elite environment, schedule a consult and we will cover security posture, disaster recovery expectations, and what Emphasys manages versus what stays with your team.
Sources:
https://www.sophos.com/en-us/blog/the-state-of-ransomware-in-state-and-local-government-2024
https://www.comparitech.com/news/worldwide-government-ransomware-attacks/