Cybersecurity FAQ for New York Municipal Leaders

For Town Supervisors, Village Mayors, City Mayors, Clerks, Treasurers, Department Heads and Board Members

Local governments deliver essential services. That makes them a frequent target for cybercrime. This page answers the most common questions municipal leaders ask when they want to reduce risk, protect resident data, and meet New York expectations.

Category 1. Risk, responsibility, and what "good" looks like

1) Why are towns, villages, and cities targeted by hackers?

Municipalities often have a mix of public services, sensitive resident data, and limited IT resources. Attackers know a town cannot stay offline long, so they pressure leadership to pay quickly during ransomware events. (Source: CISA)

2) What are the most common cyber threats for municipalities?

The most common threats include:

  • Ransomware that shuts down operations
  • Email phishing and fraudulent invoices
  • Stolen passwords and account takeovers
  • Unpatched computers and outdated systems
  • Weak remote access controls
  • Backups that fail during recovery

3) What is the minimum cybersecurity foundation every municipality should have?

A practical baseline includes:

  • Multi-factor authentication (MFA)
  • Managed endpoint protection and patching
  • A properly managed firewall
  • Regular, tested backups
  • Security awareness training for staff
  • A written incident response plan

CISA's cybersecurity performance goals reflect these types of controls as high impact for reducing risk. (Source: CISA)

New York's SHIELD Act expects organizations that hold private information to maintain reasonable administrative, technical, and physical safeguards. That includes risk identification, staff training, vendor oversight, and testing controls. (Source: New York State Attorney General)

Category 2. Email protection and staff behavior

5) Do we really need MFA?

Yes. MFA is one of the most effective tools to prevent email compromise and financial fraud. It should be enabled for:

  • Email accounts
  • Remote access
  • Payroll and banking tools
  • Any admin-level accounts

(Source: CISA)

6) What is the biggest mistake municipalities make with email security?

Most municipalities rely too heavily on spam filtering and antivirus alone. The most damaging incidents start with:

  • A staff member clicking a link
  • A password being reused or stolen
  • A mailbox being accessed without MFA

The fix is layered protection plus training.

7) How often should municipal employees receive cybersecurity training?

At least once per year, and ideally reinforced throughout the year with short refreshers and phishing tests. New York State provides cybersecurity awareness training resources designed for non-technical municipal staff. (Source: OITS)

Category 3. Backups, ransomware, and recovery

8) If we have backups, are we safe from ransomware?

Backups reduce risk, but only if they are:

  • Protected from deletion or encryption
  • Kept offline or immutable where possible
  • Tested for full restoration

Many towns discover too late that backups exist but cannot restore operations quickly.

9) How long does recovery take after a ransomware incident?

Recovery time depends on:

  • How quickly the attack was detected
  • Whether backups were protected and tested
  • How many systems were affected

A well-prepared municipality often restores critical services faster because it has a plan and verified recovery steps.

10) Should we pay a ransom if we get hit?

Municipalities should treat ransom payment as a last resort decision made with legal counsel, law enforcement guidance, and cyber insurance direction. Paying does not guarantee full restoration, and it can increase the chance of repeat targeting.

Category 4. Remote access, network protection, and vendor oversight

11) What should we secure first if we are unsure where to start?

Start with the controls that reduce the most risk fast:

  • MFA on email and remote access
  • Patch management
  • Backup testing
  • Firewall review and monitoring
  • Removal of shared accounts
  • Staff training

12) What should we require from third-party vendors?

Municipal vendors often access email, finance, billing, court, or public safety systems. Your vendor agreements should require:

  • MFA
  • Strong password practices
  • Limited access and audit trails
  • Timely incident notification
  • Secure handling of resident data

This supports SHIELD Act expectations for service provider oversight. (Source: New York State Attorney General)

13) What is MS-ISAC and should municipalities join?

MS-ISAC supports state and local governments with threat alerts, advisories, shared intelligence, and incident response resources. Many municipalities join to strengthen situational awareness and improve readiness. (Source: CISA)

Category 5. Reporting, legal expectations, and documentation

14) Do municipalities in New York have cybersecurity reporting requirements?

New York has established requirements and expectations around incident reporting and training for municipalities. If an incident occurs, you should be prepared to report within required timeframes and maintain documentation that shows you took reasonable steps to reduce risk. (Source: NYTowns)

15) What documentation should we have on file to show oversight and diligence?

Most municipalities should maintain:

  • An asset list (what systems and devices exist)
  • Security policies (acceptable use, passwords, backups, vendor access)
  • Backup and recovery documentation
  • Cybersecurity training records
  • A basic incident response plan
  • A quarterly review summary of risks and priorities

New York State provides local government security guides and awareness resources to support these efforts. (Source: OITS)

16) What is a cybersecurity risk assessment, and why does our municipality need one?

A cybersecurity risk assessment identifies where your municipality is most exposed and what to fix first. It reviews items like:

  • Email security and account access
  • Backups and recovery readiness
  • Endpoint protection and patching
  • Firewall and remote access
  • Vendor access and third-party risk
  • Policies, training, and incident response readiness

A risk assessment helps leadership prioritize spending, document oversight, and reduce the chance of ransomware or financial fraud. It also helps you show you are taking reasonable steps to protect resident data.

17) How often should a municipality perform a cybersecurity risk assessment? Is it required for compliance?

Most municipalities should complete a risk assessment:

  • At least annually, and
  • Any time there is a major change, such as a new system, a new vendor, a ransomware incident, or a significant staffing change.

As for compliance, New York expects municipalities to maintain reasonable safeguards when handling private information. A documented risk assessment supports that expectation because it shows leadership:

  • Identified risks
  • Set priorities
  • Took action to reduce exposure

Even when not explicitly required in a single law or regulation for every municipality, risk assessments often become required in practice through:

  • Cyber insurance underwriting requirements
  • Grant applications and cybersecurity funding programs
  • Audit expectations and board oversight standards

Bottom line: A yearly risk assessment is the best practice and a practical way to demonstrate oversight and readiness.

If You Suspect a Cyber Incident, Do This First

This is the quick response list municipal leaders want in place before something happens.

If you suspect ransomware, a phishing compromise, or suspicious activity:

  • Disconnect affected devices from the network (unplug Ethernet or disable Wi-Fi).
  • Do not reuse passwords until IT confirms containment.
  • Preserve evidence. Do not wipe systems or delete emails.
  • Notify your IT provider immediately.
  • Identify impact: Which services are down, and what data may be exposed?
  • Contact appropriate authorities based on your incident plan.
  • Document actions taken and maintain a clear timeline.

A municipality that follows a clear response process reduces downtime, confusion, and risk.

Want a clear cybersecurity plan for your municipality?

IT For Local Government Powered by CST Group Inc. helps New York municipalities build a practical program that protects residents and keeps essential operations running.

We can help you:

  • Identify your top risks and quick fixes
  • Implement a cybersecurity plan that is both essential and budget-friendly
  • Secure email and remote access
  • Protect backups and improve recovery
  • Train staff and reduce phishing risk
  • Document policies and reporting readiness