
Phishing, Budgets, and Broken Systems: Turning Cyber Risk into Resilience
A cyber incident doesn't just take down servers; it can stall 911 calls, delay paychecks, and erode public trust in a single day. In local government, the real vulnerability is rarely just technology; it is a culture that treats cybersecurity as someone else's job. When leaders, managers, and frontline staff all see cyber risk as part of their daily responsibilities, every budget meeting, onboarding, and routine email becomes a chance to strengthen defenses instead of weakening them. This article explores how to embed cybersecurity into organizational culture so it becomes a shared habit, not a one-time project, before the next phishing email tests your readiness.
Building a resilient cybersecurity posture requires integration into the daily culture of local government operations. This begins with leadership setting the tone and making cybersecurity a visible and regular topic of discussion. Executive-level support signals to all departments that protecting digital infrastructure is not a siloed function, but a shared operational value. When leaders prioritize cybersecurity during strategic planning, budget discussions, and performance reviews, they reinforce its relevance to every employee's role.
A practical step is to incorporate cybersecurity into onboarding processes and routine staff training. Employees should understand not only the technical threats, but also how their behaviors - from password management to phishing awareness - influence organizational risk. For example, phishing remains the most common attack vector against local governments, often due to human error rather than technical vulnerabilities¹. By emphasizing simple, repeatable actions such as verifying email senders or reporting suspicious links, staff become proactive in reducing exposure. Encouraging a culture where employees feel safe reporting mistakes or near-misses also increases early detection and response effectiveness.
Operationalizing Threat Awareness and Incident Preparedness
Cybersecurity must be translated into operational readiness. This means developing realistic incident response plans that align with the scale and complexity of local government services. Effective response planning includes cross-departmental coordination, predefined communication protocols, and regular tabletop exercises to test workflows. According to a 2020 report from the Multi-State Information Sharing and Analysis Center (MS-ISAC), many local governments face extended service disruptions during cyber incidents due to inadequate preparedness and lack of tested response strategies².
In practice, this involves identifying critical systems - such as emergency dispatch, public utilities, and payroll - and ensuring those systems have redundant backups and clear operational continuity plans. Local governments should maintain an up-to-date inventory of digital assets, prioritize patch management, and ensure vendor contracts include cybersecurity expectations. During an incident, having designated staff roles, including spokespeople and technical leads, helps streamline decision-making. The ability to isolate affected systems quickly can limit damage and speed recovery. These are not theoretical exercises; they are critical for protecting essential services and public trust.
Balancing Accessibility with Security Controls
A common challenge in local government cybersecurity is balancing the need for secure systems with the necessity of accessible public services. Overly restrictive controls can frustrate staff and hinder productivity, while lax controls expose systems to unnecessary risk. The key is to implement layered security that adapts to different risk levels, following the principle of defense in depth. This includes using multi-factor authentication, role-based access, and network segmentation to minimize the impact of potential intrusions³.
Adaptive policies allow for differentiated access based on job function and risk profile. For example, finance and HR systems handling sensitive personal data should have stricter access controls and monitoring than public-facing web content platforms. This approach respects the operational diversity within a local government while maintaining a consistent security baseline. Engaging department managers in the design of these controls helps ensure they are practical, accepted, and consistently applied. Usability should not be sacrificed for security; rather, both should be designed together to support seamless service delivery.
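As an added illustration of the differentiated-access approach described above (example code, not from the original article or any real deployment), the following deny-by-default policy check combines the three layers the text names: role-based access, MFA, and network segmentation, tightened by the risk tier of the system. The tier names, roles, zones, and the "payroll" and "public-web-cms" systems are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Tier(Enum):
    PUBLIC = 1     # public-facing web content platform
    INTERNAL = 2   # routine internal systems
    SENSITIVE = 3  # finance/HR systems holding personal data

# Per-tier requirements: MFA, permitted network zones (segmentation),
# and whether every access (not only denials) is written to the audit log.
TIER_RULES = {
    Tier.PUBLIC:    {"mfa": False, "zones": {"internal", "vpn", "public"}, "log_all": False},
    Tier.INTERNAL:  {"mfa": True,  "zones": {"internal", "vpn"},           "log_all": False},
    Tier.SENSITIVE: {"mfa": True,  "zones": {"internal"},                  "log_all": True},
}

@dataclass(frozen=True)
class Resource:
    name: str
    tier: Tier
    allowed_roles: frozenset  # role-based access: job functions permitted at all

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool
    network_zone: str  # "internal", "vpn" or "public"

AUDIT_LOG: list[str] = []

def evaluate(req: Request, res: Resource) -> tuple[bool, str]:
    """Deny by default: each layer (role, MFA, segment) must pass for the resource's tier."""
    rules = TIER_RULES[res.tier]
    if req.role not in res.allowed_roles:
        allowed, reason = False, f"role '{req.role}' not authorized for {res.name}"
    elif rules["mfa"] and not req.mfa_verified:
        allowed, reason = False, f"MFA required for {res.tier.name} system {res.name}"
    elif req.network_zone not in rules["zones"]:
        allowed, reason = False, f"zone '{req.network_zone}' not permitted for {res.name}"
    else:
        allowed, reason = True, "allowed"
    if rules["log_all"] or not allowed:  # sensitive systems get full monitoring
        AUDIT_LOG.append(f"{res.name} user={req.user} allowed={allowed} reason={reason}")
    return allowed, reason

# Constructed sample systems (hypothetical names, not from any real deployment).
PAYROLL = Resource("payroll", Tier.SENSITIVE, frozenset({"finance", "hr"}))
WEB_CMS = Resource("public-web-cms", Tier.PUBLIC, frozenset({"comms", "it"}))
```

The same finance user is allowed into payroll from the internal network with MFA, but denied from the VPN or without MFA, while the public CMS accepts a communications staffer from anywhere; every payroll decision lands in the audit log, but only denials are logged for the public site.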
Leveraging Partnerships and Shared Resources
Many local governments lack the resources to maintain large in-house cybersecurity teams. Regional collaboration, state-level support, and federal programs can help bridge these gaps. For instance, the Cybersecurity and Infrastructure Security Agency (CISA) offers free tools, assessments, and technical guidance tailored to local government needs⁴. Participating in information sharing networks, such as MS-ISAC, enhances collective situational awareness and provides early warnings about emerging threats.
Local governments should also consider shared service models, where cybersecurity expertise is pooled across jurisdictions or coordinated through intergovernmental agreements. This approach has been used by regional councils of government and state-led cybersecurity task forces to provide smaller communities with access to 24/7 monitoring, incident response, and policy development. These partnerships can be formalized through memoranda of understanding and aligned with state cybersecurity strategies. By leveraging external support strategically, local governments can elevate their cybersecurity posture without overstretching internal capacities.
Continuous Improvement through Metrics and Feedback
Cybersecurity is not a one-time project, but a continuous process that evolves with threats, technology, and policy changes. Establishing metrics allows local governments to track progress, identify gaps, and justify investments. Metrics should include both technical indicators - such as vulnerability scan results and incident response times - and human factors, like phishing simulation success rates and training participation levels⁵.
Regular reviews of cybersecurity practices, informed by audits and user feedback, help refine strategies over time. For example, if staff consistently struggle with a security feature, usability testing may reveal design flaws that can be corrected without compromising security. Feedback loops also support the development of future training content, policy updates, and procurement criteria. By treating cybersecurity as a living system, local governments can adapt to changing conditions while reinforcing a culture of accountability and continuous learning.
Bibliography
Center for Internet Security. "MS-ISAC Security Primer - Phishing." Accessed April 15, 2024. https://www.cisecurity.org/white-papers/ms-isac-security-primer-phishing/.
Center for Internet Security. "Ransomware Response Guide for State, Local, Tribal, and Territorial Governments." 2020. https://www.cisecurity.org/white-papers/ransomware-guide/.
National Institute of Standards and Technology. "Cybersecurity Framework Version 1.1." April 2018. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
Cybersecurity and Infrastructure Security Agency. "Cyber Hygiene Services." Accessed April 15, 2024. https://www.cisa.gov/cyber-hygiene-services.
U.S. Government Accountability Office. "Cybersecurity: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks." GAO-21-171. December 2020. https://www.gao.gov/products/gao-21-171.