Cybersecurity Incidents: It's Not "If," It's "When"

For state and local governments, cybersecurity threats are no longer hypothetical—they’re inevitable. The reality is that cyberattacks are happening more frequently, and no city, county, or agency is immune. Whether it’s ransomware locking up critical systems or phishing scams targeting employees, the risks are growing, and the stakes couldn’t be higher. In the past year we have seen public safety and 911 centers having their data and systems being hit by ransom ware and data from local agencies lost entirely.

The public sector is especially vulnerable for a few reasons. Many agencies rely on outdated technology that’s easier for hackers to exploit. Budgets are tight, leaving IT teams stretched thin and unable to keep up with modern and evolving threats. Many local governments don’t have the luxury of a full-time active Chief Information Security Officer (CISO), let alone a team of cybersecurity professionals ready to go at a moment’s notice. And with the single biggest cyber threat to any organization being something as prevalent as human error -  a single click on a malicious link can open the door to a devastating attack - what once may have been considered a luxury should now be viewed as a necessity.

The consequences of these incidents are serious. Essential services like 911 dispatch or water treatment or critical utilities can be disrupted, sensitive citizen data can be exposed, and public trust takes a hit when governments fail to protect their systems. We’ve seen this play out in cities across the country, where ransomware attacks have paralyzed operations for weeks or even months.

So, what can be done? While it’s impossible to stop every attack, preparation makes all the difference. Governments need to prioritize cybersecurity as an ongoing effort—not just a one-time project. This means creating strong incident response plans, training employees to recognize threats, and keeping systems updated. Federal resources and partnerships with other agencies can also help lighten the load. Many of the planning activities associated with cybersecurity can be done in annual sprints. These discrete planning projects don’t require agencies to hire full-time staff or bring on a full-time expert. Most of the time, the support can be provided by a fractional CISO or a temporary team of experts that comes in, assesses the agency’s most pressing planning needs, and creates a framework for when - not if - an attack happens. Think of it like the police showing up before you dial 911; we know it’s more than likely going to happen one day and we’re not sure when or why, but wouldn’t it be great if you had a plan from the experts in place when it did?

By being proactive and prepared, state and local leaders can minimize the damage and keep their communities safer. Cybersecurity isn’t just an IT issue anymore—it’s a core responsibility of good governance.