2019 was a tough year for the overall cybersecurity of state and local governments and municipal institutions. If you follow security news, there were times when not a week would go by without word of how the latest municipal cyberattacks impeded or even halted day-to-day operations.

This stream of recent hacking incidents targeting government and municipal institutions is developing into a tide — libraries, courthouses, schools, hospitals and government service agencies are all susceptible to attacks. In some cases, the consequences were arguably minimal. In others, they were much more severe. Generally speaking, the severity depends on which types of data each institution holds.

Often, the best initial strategy for preventing cyberattacks is to review what happened to others and derive lessons from those accounts. How do these attacks apply to other organizations or municipalities, and what can security professionals in these places do differently to avoid such attacks?

What Kinds of Public Sector Institutions Are Being Attacked?

To see what lessons we can learn from municipal cyberattacks, I’m highlighting several recent hacking incidents here followed by a few general strategies that organizations can put in place today to improve cybersecurity.

Hospitals and Healthcare Facilities

In April 2017, the Erie County Medical Center in New York was hit with a ransomware attack. Despite hackers’ demands for $30,000, the ultimate cost to the hospital came closer to $10 million because the intrusion crippled 6,000 computers, which forced the hospital to revert to paper and old-school methods. Subsequently, the hospital estimated that they would need to upgrade their technology, bolster security awareness and harden their systems, accruing additional expenses of about $250,000 to $400,000 a month.

Late last year in Minnesota, hospital operator Alomere Health suffered a data breach that affected 49,351 individuals. In this attack, the bad actor gained access to two employee email accounts around Halloween. The potential for personal data theft was significant: Names, addresses, dates of birth, medical record numbers, health insurance information, and diagnosis and treatment details were all compromised. Some patients’ Social Security numbers and driver’s license numbers were even exposed.


Like any small municipal, educational or governmental institution, schools manage a lot of personal data and are vulnerable to attack as they typically lack robust security resources.

Between January and the start of the 2019 school year, over 500 U.S. schools were victimized by ransomware in 54 different school districts and colleges. One case in Neosho, Missouri, had hackers demanding a local school fork over $1.6 million to decrypt its systems. Another attack forced the Houston County School District to postpone the first day of classes for over 6,000 students by more than 10 days.

Cities and Municipalities

Perhaps the biggest attack in terms of publicity occurred in the summer of 2019 when the city of Baltimore went into a state of disarray as it dealt with aggressive ransomware affecting its systems. While essential services like the police, fire department and ambulances weren’t affected, airports, hospitals, utility services, ATMs and factories producing vaccines were struck. Costs resulting from the attack are estimated at over $18 million.

The city of New Orleans was also hit by another well-publicized cyberattack in December 2019. As a result of the attack, routine government functions couldn’t be handled electronically and approximately one in five city computers was compromised to the point of being unrecoverable. As of January 2020, the city had spent more than $7 million on repairs and city email systems were still not fully restored.

Reduce Risk With Security Awareness and Hygiene

In many municipal cyberattacks, a common factor is someone clicking on something they shouldn’t — in other words, phishing or social engineering attacks. Instinctively and automatically, our minds are drawn to security awareness as the solution. If employees are more aware of phishing attacks, the municipality, school or government office for which they work should be better off, right?

When I spoke with security expert Bruce Schneier at the end of 2019, he told me that security awareness only applies to your worst employee. Even if you convince 99 out of 100 people not to click on that ransomware-laden link, the one person who didn’t get the memo may represent the greatest vulnerability in your security armor.

I get his point. I don’t think any organization will ever achieve 100 percent success with their awareness program. But isn’t cybersecurity all about risk? Aren’t we in a much better position to thwart an attack if 70 percent of our employees won’t click on that link compared to 40 percent? After I personally implemented security awareness programs at the government level — even before the days of ransomware — I recognized that full cybersecurity compliance was unattainable, but I would have slept better at night knowing that the program we created could increase our awareness by even 30 or 40 percent.

Many of these institutions have been forced to make an investment, but other state and local government institutions have a chance to invest in cybersecurity today, before they are attacked. They may not have the same resources as private enterprises, but municipal organizations should do all they can to reprioritize the budget so cybersecurity prevention moves toward the top of the list.

Regardless of budget, all institutions must also realize that security strategy is only as strong as your security hygiene, and the basics often don’t cost much. Data backups, implementing NIST’s Cybersecurity Framework and red team-blue team exercises, applied together, can work wonders for organizations willing to put forth a solid effort.

More from Data Protection

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates. Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?…

3 min read

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read

IBM Security Guardium Ranked as a Leader in the Data Security Platforms Market

3 min read - KuppingerCole named IBM Security Guardium as an overall leader in their Leadership Compass on Data Security Platforms. IBM was ranked as a leader in all three major categories: Product, Innovation, and Market. With this in mind, let’s examine how KuppingerCole measures today’s solutions and why it’s important for you to have a data security platform that you trust. The Transformation of the Data Security Industry As digital transformation continues to expand, the impact it has had on enterprises is very apparent when…

3 min read

SaaS vs. On-Prem Data Security: Which is Right for You?

2 min read - As businesses increasingly rely on digital data storage and communication, the need for effective data security solutions has become apparent. These solutions can help prevent unauthorized access to sensitive data, detect and respond to security threats and ensure compliance with relevant regulations and standards. However, not all data security solutions are created equal. Are you choosing the right solution for your organization? That answer depends on various factors, such as your industry, size and specific security needs. SaaS vs. On-Premises…

2 min read