State and local governments are on the front lines of the cyber war. These entities are prime targets for ransomware, business email compromise, distributed denial of service attacks and data breaches.
Ransomware is one of the greatest threats these agencies face. Although the reported ransomware incident rate dropped from 69 percent in 2023 to 34 percent in 2024, mean recovery costs more than doubled from $1.21 million to $2.83 million over the same period. Ransomware attacks almost always succeed in encrypting data. Three-quarters of state and local governments are able to recover from backups, but a third still pay the ransom.
Hackers target state and local governments because they often have outdated systems and small, overworked security teams. However, weak security isn’t the only issue. State and local governments have a vast attack surface that includes operational technology, interagency connectivity and high rates of remote work. Attacks disrupt essential services and expose sensitive data, making entities more inclined to pay ransoms.
Funding Challenges Hinder Security Efforts
These challenges are exacerbated by a lack of funding. Few state and local governments have the budget to hire a team of skilled cybersecurity professionals and invest in the latest security tools. Needed system upgrades are often delayed due to the cost.
As we noted in a previous post, the federal government has stopped funding the Multi-State Information Sharing and Analysis Center (MS-ISAC), which provides threat intelligence and a range of security services to state and local governments. Thousands of entities are simply unable to pay the MS-ISAC membership fee.
The State and Local Cybersecurity Grant Program (SLCGP) also expired on Oct. 1, 2025, although the program was extended through Jan. 30, 2026, as part of the latest government funding bill. On Nov. 18, 2025, the House unanimously passed the Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act, which extends the grant program for seven years with several changes.
Prioritizing Critical Systems and Data
Even if the PILLAR Act or its Senate counterpart becomes law, it likely won’t provide the level of funding state and local governments need. The SLCGP didn’t provide enough resources, and the PILLAR Act would require grant recipients to pay for a higher percentage of the costs.
State and local governments must prioritize their cybersecurity efforts to make the most of limited budgets. This starts with a comprehensive risk assessment. Agencies should identify their most critical systems and data, then focus their investments where risks are highest and impacts greatest.
Some of the most effective strategies have little to no cost. Entities should build a security culture by making security an everyday activity with leadership buy-in and communication. Employees should receive regular security awareness training to help them spot phishing and insider threats. Agencies should collaborate with other state and local governments and use frameworks for consistent security controls.
The Value of Managed Security Services
Strategic investments should focus on upgrading legacy systems that lack essential security controls. Agencies should implement strong access controls and multifactor authentication and apply the principle of least privilege access. Data should be encrypted in transit and at rest. Third-party partnerships should be evaluated for their adherence to security best practices.
Partnering with experts can help state and local governments stretch their security dollars. Through our managed security services provider, Cerium provides 24×7 monitoring and access to experts, eliminating the need to build an in-house security operations center. Advanced security tools can be bundled into the managed services fee. Cerium can also perform a risk assessment and help determine how to spend budget dollars and any grant money that becomes available.
State and local governments are frequently targeted with cyberattacks but lack the resources and expertise to combat them effectively. By prioritizing their security investments and partnering with Cerium, agencies can better protect sensitive data and vital public services.




