This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
Like peanut butter and chocolate, municipalities and ransomware continue to go together. In just the last year or so, high-profile ransomware attacks took place at the City of Oakland, California; City of Quincy, Illinois; Somerset County, New Jersey; Suffolk County, New York; and City of Wheat Ridge, Colorado. And that’s just the tip of the iceberg. Many municipal ransomware attacks go unreported.
How big of a problem is ransomware for municipalities? It’s big. And remember, it just takes one staff member to click on the wrong email to unleash a lot of destruction. 
1. 58% of state and local governments experienced a ransomware attack in 2021.
Municipalities remain a popular ransomware target. Many cities and towns still think, “We’re below the radar screens of sophisticated cyberattackers.” Or, “Cyberattackers mostly go after businesses.” Instead, research shows that municipalities remain a key target for attackers.
2. Of state and local governments hit by ransomware, only 20% were able to stop the attack from succeeding.
According to a Sophos report, “This figure is considerably lower than the global average of 31%, suggesting that state and local government organizations are poorly equipped to identify and stop attacks before damage is done.” This means, on average, a cyberattacker has an 80% chance of succeeding in deploying ransomware at your municipality. Are you part of the 80%? Or the 20%?
3. Ransomware attacks on state and local governments last an average of 7.3 days.
On average, the duration of an attack can last for a week. During that time, and depending on your cybersecurity measures, your operations are largely on pause as you work with IT professionals to restore your data from a prior backup, rebuild your systems, and eliminate the immediate threat.
4. 21% of state and local governments take 1-6 months to recover from a ransomware attack.
If you are ill-equipped to handle a ransomware attack, whether from lack of data backup or not following cybersecurity best practices, then it’s likely your operations could be affected for many months. It’s also very costly to deal with the aftermath of a ransomware attack.
5. 94% of ransomware victims investigated did not use MFA.
Multi-factor authentication (MFA) is the process of adding another layer of protection to your security in addition to a username and password. For example, MFA may require you to first enter your username and password as normal. Then, you will get a code to your phone and input that code into a field that appears after you log in.
Simply implementing multi-factor authentication is enough to stop most ransomware attacks. It’s cheap and easy to implement, but many municipalities do not use it—leaving their servers, databases, and applications unprotected.
6. Of those hit by ransomware, 72% had data encrypted.
While some municipalities successfully fend off ransomware attacks, remaining unscathed, those hit usually have their data encrypted. At that point, the ideal next step is to rely on a data backup and disaster recovery solution to restore data. If a municipality lacks such a solution, they risk permanent data loss.
7. 69% of ransomware attacks on local governments succeed from social engineering.
Many social engineering tactics are not technical at all. Cybercriminals trick you with phishing emails, phone calls, and free software. In fact, 90% of cybersecurity attacks begin in an email. This is a big reason why security awareness training increases in importance each year.
8. Only 38% of state and local government employees are trained about ways to prevent ransomware.
If your staff is not trained, then you increase the chance of just one employee making a critical mistake that leads to a successful ransomware attack. Exposing your employees to phishing simulations, education about common scam emails, and updates on evolving social engineering tricks can help lower your risk.
9. The average ransomware ransom rose to $925,162 during the first five months of 2022.
Although municipalities are dissuaded from paying ransoms for many reasons, some still do. And the ransoms are getting more expensive. Even if you decide this is an option for you, it will gut your budget and likely not be covered by your cyber insurance provider.
10. Only 65% of organizations that pay a ransom get all their data back.
Even if you do pay the very expensive ransom, you will most likely not get all your data back. Trusting criminals is never a good idea.
Sources: