
State and local governments can be easy targets for cybercriminals. They handle sensitive data, run critical infrastructure, and often rely on outdated or underfunded cybersecurity measures.
Cyber threats come in many forms, from ransomware to state-sponsored hacking. A single breach can throw essential services into chaos, disrupting emergency response, utilities, transportation, and financial systems.
The risks are well known, yet many agencies still don’t have the right protections in place. Weak passwords, inconsistent authentication, and poor privileged access controls leave government networks wide open to attacks.
At this point, strengthening cybersecurity isn’t just a good idea—it’s a necessity.
Why MFA & Privileged Access Need Immediate Attention
Multi-Factor Authentication (MFA) and Privileged Access controls are among the best defenses against cyberattacks, yet many state and local governments still struggle to implement them. Despite federal recommendations and clear proof that MFA blocks unauthorized access—even to high-level accounts—many agencies still rely only on weak passwords.
Privileged Accounts: A Hacker’s Jackpot
Privileged accounts are like the master keys to government systems, giving IT admins, department heads, and key personnel high-level access to critical infrastructure. If these accounts aren’t proactively managed, agencies are leaving the door wide open for ransomware, data breaches, and insider threats.
And hackers know it. If they can break into just one privileged account, they can take full control of an entire network, shutting down security controls and stealing sensitive data.
MFA: A Simple Step That Stops Attacks
Multi-Factor Authentication (MFA) is one of the easiest and most effective ways to keep hackers out. By requiring an extra layer of verification—like a temporary code sent to a phone or email—MFA stops unauthorized access, even if a password is stolen.
Cybercriminals love weak or reused passwords, but MFA makes their job much harder. Enforcing it, especially for privileged accounts, is a simple yet powerful way to prevent unauthorized users from taking control of government systems.
Simple changes yield significant results: Enabling MFA and disabling legacy authentication reduce tenant compromises by 80%, according to Microsoft.
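Why the two settings go together, shown as an added example that is not from the original article: legacy mail protocols such as IMAP, POP3 and SMTP AUTH accept only a username and password and cannot prompt for a second factor, so a stolen password still works through them even when MFA is switched on. The sketch audits constructed sign-in records for those sign-ins and for privileged accounts that logged in without MFA; the account names, field names and record layout are assumptions, not a real log schema.

```python
from collections import defaultdict

# Basic-auth protocols that cannot prompt for a second factor.
LEGACY_CLIENTS = {"imap", "pop3", "smtp auth"}

# Constructed inventory of privileged accounts (hypothetical names).
PRIVILEGED = {"it.admin@city.example", "finance.director@city.example"}

# Constructed sign-in records; field names are assumptions for this example.
SIGN_INS = [
    {"user": "it.admin@city.example", "client": "Browser", "mfa": True, "success": True},
    {"user": "it.admin@city.example", "client": "IMAP", "mfa": False, "success": True},
    {"user": "clerk@city.example", "client": "POP3", "mfa": False, "success": False},
    {"user": "finance.director@city.example", "client": "Browser", "mfa": False, "success": True},
    {"user": "clerk@city.example", "client": "Browser", "mfa": True, "success": True},
    {"user": "permits@city.example", "client": "SMTP AUTH", "mfa": False, "success": True},
]

def audit(sign_ins, privileged):
    """Return {user: sorted findings}, looking at successful sign-ins only."""
    findings = defaultdict(set)
    for rec in sign_ins:
        if not rec["success"]:
            continue  # failed attempts are a separate (password-guessing) signal
        user = rec["user"].lower()
        if rec["client"].lower() in LEGACY_CLIENTS:
            findings[user].add("legacy-auth sign-in")
        if user in privileged and not rec["mfa"]:
            findings[user].add("privileged sign-in without MFA")
    return {user: sorted(found) for user, found in findings.items()}

def prioritize(findings, privileged):
    """Order accounts: privileged first, then most findings, then by name."""
    return sorted(findings, key=lambda u: (u not in privileged, -len(findings[u]), u))

if __name__ == "__main__":
    report = audit(SIGN_INS, PRIVILEGED)
    for user in prioritize(report, PRIVILEGED):
        print(f"{user}: {', '.join(report[user])}")
```

The admin account that normally signs in with MFA is still flagged, because its IMAP sign-in succeeded with the password alone.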
How Security Breaches Happen
Hackers have many methods when targeting state and local governments. They don’t need to break down the front door; they just need one weak spot. Here’s how they get in:
Ransomware Attacks: Locking Critical Systems
- Phishing Emails: A well-crafted email with a malicious link or attachment is all it takes to install ransomware, locking agencies out of their own files.
- Unpatched Systems: Outdated software is a goldmine for hackers, who exploit known vulnerabilities to spread ransomware.
- Third-Party Vendors: Cybercriminals often target government contractors, using their compromised systems as a gateway to infect agencies.
Phishing & Social Engineering: Tricking Employees
- Fake Government Emails: Hackers impersonate officials or IT staff, convincing employees to hand over login credentials.
- Website Spoofing: They set up fake government portals that look real, tricking workers into entering sensitive information.
- Compromised Email Accounts: Once hackers take over a government email, they can authorize fraudulent transactions or data transfers.
Data Breaches: Stealing Sensitive Information
- Weak Passwords & Poor Authentication: Simple, reused, or stolen passwords make it easy for attackers to break in.
- SQL Injection on Public Websites: Hackers use malicious code to pull sensitive records, like voter or tax data, straight from government databases.
- Insider Threats: Whether intentional or accidental, employees can expose confidential information, putting data at risk.
DDoS Attacks: Shutting Down Services
- Botnet Flooding: Hackers use armies of infected devices to overwhelm government websites, taking down services like permit applications and emergency alerts.
- Targeting Critical Infrastructure: Attacks can knock out essential systems like traffic control, utility billing, and emergency response networks, causing widespread disruption.
The Proof is in the Numbers
Look at the following statistics that highlight the need to take robust security measures that include the widespread use of MFA and stringent management of privileged access:
- Nearly half (49%) of ransomware attacks on state and local governments originated from compromised credentials.
- 98% of ransomware attacks on governmental agencies in 2024 (up from 76% the previous year) resulted in hackers encrypting data, making it unreadable and unusable without a decryption key, which the attackers hold.
- The average cost to recover from a ransomware incident for state and local governments more than doubled, reaching $2.83 million in 2024, compared to $1.21 million in 2023.
Real-World Government Breaches: Lessons Learned
Atlanta Ransomware Attack (2018)
The city of Atlanta was hit with SamSam ransomware, disrupting court systems, police records, and bill payments.
- How? Weak security, including missing MFA for admin accounts, allowed attackers to install ransomware that encrypted city data.
- Impact: Crippled city services with recovery efforts costing over $17 million—far exceeding the initial ransom demand.
Baltimore Cyberattack (2019)
The city of Baltimore was hit with ransomware (RobbinHood malware) that shut down email, payment systems, and 911 services for weeks.
- How? Hackers exploited privileged access to deploy the ransomware. Post-incident reports found MFA was not widely used for key government systems, allowing unauthorized access.
- Impact: City services were frozen for over a month, with a recovery cost of $18 million.
Oldsmar, Florida Water Plant Hack (2021)
A hacker remotely accessed the city’s water treatment plant and tried to increase lye (sodium hydroxide) levels in the water supply to dangerous levels.
- How? Attackers exploited weak remote access security and poor password protection.
- Impact: An alert operator noticed the attack in real time and reversed the changes, preventing a potential public health disaster.
Illinois Voter Database Hack (2016)
A state-sponsored hacking group (believed to be Russian) gained access to Illinois’ voter registration database, stealing personal details of 500,000 voters.
- How? Attackers used SQL injection on a poorly secured state election website.
- Impact: Led to increased cybersecurity measures for U.S. elections, but exposed vulnerabilities in state election systems.
Louisiana Statewide Cyberattack (2019)
Louisiana’s state government was hit with ransomware, forcing the shutdown of multiple agencies, including the DMV, police, and health departments.
- How? Attackers used a phishing campaign to install malware and encrypt state systems.
- Impact: The state had to declare a cybersecurity emergency, and recovery took weeks.
How to Protect Your Agency from Identity-Based Attacks
State and local governments can no longer afford to take a passive approach to identity security. With ransomware attacks on the rise and privileged credentials being a primary target, securing access controls is mission critical.
A Cyber Identity Risk Audit gives government agencies a clear roadmap to closing identity security gaps. Here’s how:
- Identifies Vulnerabilities: Pinpoints weaknesses in user authentication, privileged access, and outdated security policies. Without a clear view of these security gaps, agencies risk leaving back doors open for attackers.
- Evaluates MFA & Access Controls: Assesses the effectiveness of MFA and privileged account security to prevent unauthorized access, ensuring protection where it matters most.
- Detects Compliance Gaps: Ensures adherence to federal and state cybersecurity regulations, reducing legal and financial risks. Failure to meet compliance standards doesn’t just mean fines—it can also result in disqualification from federal funding and increased liability in the event of a breach.
- Provides Actionable Recommendations: Delivers a step-by-step plan to strengthen identity security and protect critical government systems. Instead of vague suggestions, an audit provides a prioritized roadmap, helping you allocate limited resources to the most urgent security risks first.
Take Action Now
Government agencies handle vast amounts of sensitive data, making them prime targets for cyber threats. At JourneyTeam, our security specialists have deep expertise in designing robust security frameworks that protect citizen information, financial systems, and critical infrastructure.
Our Cyber Identity Risk Audit for the public sector is designed to provide advanced visibility into your environment and prioritized steps that you can take to secure your systems today and well into the future. Don’t wait for an attack to reveal your vulnerabilities. Take action today and schedule your Cyber Identity Risk Audit with JourneyTeam.