Technology has become inseparable from government operations, powering everything from citizen services to critical infrastructure, but creating a vast attack surface that cybercriminals are exploiting at alarming rates. It’s no wonder cybersecurity tops the state chief information officers’ priority lists for 2025, reprising its leading position from last year.
And the stakes couldn’t be higher. A single breach can bring local government operations to a grinding halt—crippling essential services, compromising sensitive citizen data, draining public funds, and triggering costly recovery efforts. Cyberattacks don’t just disrupt operations; they also erode the trust between governments and the communities they serve.
Yet the reality is sobering: many local governments are woefully unprepared. The Nationwide Cybersecurity Review paints a stark picture, showing that only 22 out of 48 states meet recommended minimum security standards, with local governments faring no better. Every gap in these states’ cybersecurity is an open gateway for potential attacks, leaving critical systems and sensitive citizen data exposed.
The National Cybersecurity Review Exposes Critical Weaknesses
The Nationwide Cybersecurity Review (NCSR) highlights glaring vulnerabilities in our public institutions. A voluntary self-assessment tool sponsored by the Department of Homeland Security and the Multi-State Information Sharing and Analysis Center, NCSR is designed to help state, local, tribal, and territorial governments evaluate their ability to prevent and respond to cyberattacks. Participants are scored on a scale of 1 to 7, reflecting their overall cybersecurity maturity and enabling organizations to benchmark themselves against their peers. Such critical insights into strengths and weaknesses can be invaluable for determining the next steps for ramping up cybersecurity and securing executive buy-in for necessary investments.
The results reveal a troubling reality: many government organizations are falling dangerously short. In 2024, 48 states participated in the NCSR. While 22 states achieved scores of 5 or higher—indicating they have documented policies aligned with formal security frameworks—others remain far behind. A score below 5 reflects a lack of formal cybersecurity policies, leaving critical infrastructure and essential services exposed to attacks.
Despite the alarming gaps, the NCSR uncovered encouraging signs of progress in key areas of cybersecurity. For example, many government organizations have implemented identity management and access control systems, effectively restricting access to sensitive facilities and data and reducing opportunities for unauthorized breaches. Additionally, incident response capabilities show promise, with some agencies prepared to contain and mitigate cyberattacks quickly, minimizing potential damage.
Some participants also have continuous monitoring systems in place, enabling them to detect threats in real time and respond proactively. These strengths demonstrate that with the right tools and strategies, governments can make meaningful strides in protecting their critical infrastructure.
However, for every area of progress, there are far too many critical vulnerabilities that expose government services to significant risks. For instance, a lack of advanced threat detection tools leaves many organizations unable to identify or defend against increasingly sophisticated cyber threats. Compounding this issue is the absence of formal risk assessment strategies, leaving agencies blind to their most critical vulnerabilities and unable to prioritize their defenses effectively.
When cyber incidents occur, they often go unanalyzed, robbing organizations of the opportunity to learn from attacks and strengthen their systems. To make matters worse, outdated disaster recovery plans mean many governments are unprepared to recover quickly from a major attack, prolonging the impact and disruption. Together, these gaps form a ticking time bomb, threatening the stability of critical infrastructure.
According to NCSR, local governments—including cities, counties, schools, and public utilities—are also severely unprepared, with many organizations relying on informal or ad hoc security processes. Their average score of just over 4 indicates weak cybersecurity maturity, with 60% of the 3,122 participating entities failing to hit the recommended score of 5 and above. In many cases, experts say, relying on outdated and unsupported systems also leaves organizations vulnerable.
An Escalating Cybersecurity Threat
Cyberattacks are becoming increasingly sophisticated, with hackers deploying more advanced ransomware and phishing schemes to infiltrate networks. These attacks can start with something as simple as hacking a website or sending employees emails that impersonate their bosses, tricking them into clicking malware-laden links. Once inside, ransomware attackers take control of entire network systems, holding them hostage and facing administrators with a harrowing choice: pay substantial sums to unknown criminals or risk operational shutdowns and the catastrophic exposure of confidential data.
The devastating consequences go far beyond financial losses. Confidential documents stolen and published by ransomware gangs have included student mental health files, sexual assault investigation reports, and even records of suicide attempts, according to the Associated Press. These criminals exploit the most sensitive data to pressure their victims into paying. Whether targeting schools, hospitals, or local governments, scammers will leverage anything they can find to maximize their payouts.
The growing frequency of cyberattacks offers numerous examples of just how serious the threat has become. In Rhode Island, a ransomware attack forced the state to take critical health and human services systems offline, disrupting enrollment and eligibility verification. Residents had to revert to paper applications, while hackers stole sensitive personal information, including Social Security numbers and bank details, affecting 500,000 people and leaving them vulnerable to monetary and identity theft.
The impact of cyberattacks is being felt across the country. In Marin County, California, hackers stole funds earmarked for rehabilitating public housing. In New Jersey, attacks on town halls, hospitals, and schools have caused widespread disruptions. For example, a cyberattack on Freehold Township School District forced the cancellation of classes. Meanwhile a denial-of-service attack in Pennsylvania disrupted online services for the state’s court system.
The stakes of cyberattacks extend far beyond disrupted classes or stolen credit card numbers. Attacks on critical infrastructure can have massive consequences. For example, a ransomware attack on Change Healthcare, a health-tech company, affected approximately one-third of Americans last summer. Similarly, in November, two New Jersey hospitals were forced to divert emergency room patients to other facilities after a ransomware attack crippled Ardent Health Services’ network for days.
Some of the most alarming threats come from nation-state-backed hackers. China-backed groups have penetrated systems crucial to U.S. life, including water systems and power grids. Experts fear these actors could disrupt or destroy these essential systems, should geopolitical tensions escalate. Criminal organizations, often backed by hostile nations, are well-funded and highly skilled, far outmatching the cybersecurity capabilities of local government organizations. According to Michael Geraghty, New Jersey’s chief information security officer at the state Office of Homeland Security and Preparedness, “they’re very well-resourced, and obviously, a school system is not going to be any match for a nation state or transnational cybercrime organizations”. When foreign nations harbor hackers, there is little that law enforcement can do to curb this global threat.
Funding Gaps and Political Uncertainty Threaten Cybersecurity Efforts
Cybersecurity has once again claimed the top spot as the most pressing priority for state chief information officers (CIOs) in 2025, according to a survey conducted by the National Association of State Chief Information Officers (NASCIO). This marks over a decade of cybersecurity dominating CIO agendas, reflecting its critical role in delivering government services securely and effectively.
IT professionals in the public sector are increasingly concerned about the challenges posed by emerging technologies. For example, they worry about malicious actors leveraging artificial intelligence (AI) to execute highly sophisticated cyberattacks as well as the risks of making critical mistakes when deploying AI to automate government operations. There is also unease about the security implications of vendors integrating advanced technologies into existing systems, potentially introducing new vulnerabilities.
However, despite the growing urgency, keeping local government resources secure is easier said than done. “There are many things organizations can do to protect themselves, including a robust training regimen of their employees to make sure they can identify spam and malware and not click on things,” said Marc Pfeiffer, senior fellow at Rutgers University’s Bloustein Local Government Research Center. However, Pfeiffer emphasized that technical solutions are often expensive to purchase and maintain, leaving smaller agencies at a disadvantage. “No one agency can do everything,” he added.
Many organizations face systemic challenges, from insufficient funding for robust cybersecurity programs to significant staffing shortages in IT roles. According to the National Cybersecurity Review, a lack of skilled cyber professionals ranks among the top five challenges for many respondents, leaving governments vulnerable.
Seventy percent of participants cited insufficient funding as one of their biggest challenges. Some support is available through free cyber tools and services provided by organizations like the Multi-State Information Sharing and Analysis Center and the federal Cybersecurity and Infrastructure Security Agency. Programs like the federal Scholarship for Service also offer some relief by supporting students in cybersecurity education in exchange for government service. However, these efforts are not enough to meet the scale of the problem.
Political volatility also threatens the future of vital cybersecurity programs. The four-year State and Local Cybersecurity Grant Program, set to sunset in 2025, faces an uncertain renewal under the incoming Trump administration. Kristi Noem, President-elect Donald Trump’s nominee for Secretary of Homeland Security, has called the program “wasteful” spending.
The uncertainty extends to federal agencies critical to national cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA), which issues alerts about cyber threats and supports state and local governments in defending critical infrastructure, could face budget cuts. This potential reduction in funding would jeopardize CISA’s ability to assist public-sector entities in combating increasingly sophisticated cyberattacks, leaving critical systems vulnerable.
Fighting Evolving Cyber Threats with SaaS
While local governments grapple with numerous cybersecurity challenges, selecting Software as a Service (SaaS) vendors with robust security protocols is a practical first step, allowing agencies to offload part of the burden to trusted partners.
Unlike traditional on-premises systems, where outdated software can leave gaping vulnerabilities, SaaS platforms handle updates and security patches automatically, keeping government resources secure. SaaS providers often employ teams of dedicated cybersecurity experts, giving government organizations access to specialized knowledge and tools that would be costly to develop in-house.
Leading SaaS platforms also incorporate built-in advanced threat detection capabilities that analyze activity in real time, spotting unusual behavior and neutralizing threats before they can wreak havoc. For government organizations that often struggle to maintain 24/7 monitoring, SaaS solutions act as round-the-clock sentinels, protecting critical infrastructure and public services from cybercriminals.
With leading SaaS solutions, governments are consistently shielded from emerging threats without relying on overstretched IT teams to manage fixes manually. By staying one step ahead, SaaS solutions free up resources and allow IT professionals to focus on more strategic initiatives rather than playing catch-up with security risks.
Learn how you can protect critical citizen and financial data with a leading-edge SaaS cloud finance ERP. Join the 3,000 agencies that run on Springbrook solutions!