Cybersecurity in the Public Sector: Practical & Low-Cost Steps to Protect Yourself
Apr 24, 2025 9:44:52 AM

When it comes to cybersecurity, most local governments are doing something—but far too many are still playing defense with outdated playbooks.
That was crystal clear during our recent webinar: Cybersecurity Best Practices: 9 Practical Steps to Reduce Your Risk, led by cybersecurity expert Dave Hatter and hosted by SSI’s Mike Brenner. We went over best practices, surveyed public sector leaders in attendance, and walked through the security foundations every organization needs.
We discovered the gap between awareness and action is still dangerously wide.
Why Public Agencies Are Prime Targets
Cyber threats aren’t just targeting Fortune 500s and federal agencies anymore—they’re coming for cities, counties, utility providers, and libraries. Even tiny ones. Why? Because you hold sensitive data, process payments, or run critical infrastructure.
Public sector organizations are in a perfect storm of risk:
- Aging IT infrastructure, often difficult to patch or segment
- Decentralized teams with varied access needs (field workers, part-time users)
- Highly valuable data (SSNs, ACH info, tax IDs, utility account records)
- Limited staffing and budgets for cybersecurity
According to the FBI’s IC3 Report, over one-third of state and local government organizations were targeted by ransomware in the last year. Nearly 50% of successful breaches came from compromised credentials. And more than half took a month or longer to recover.
“In Fort Wright, we deal with spoofed emails constantly. Just yesterday, someone tried to change a public works employee’s payroll account by impersonating them.”
—Dave Hatter, IntrustIT
Most of these attacks succeed not because of complex exploits—but because of poor password practices, missing MFA, unpatched software, and a lack of user awareness.
And the scale and sophistication of these threats are outpacing the defenses that most public agencies have in place. That's why we wanted to discuss it.
In April 2025, we decided to hold a cybersecurity webinar and partnered with Dave Hatter. He's a cybersecurity consultant with IntrustIT, former software engineer, and current mayor of Fort Wright, KY. Dave brought both technical expertise and real-world governance experience to the table, drawing a straight line between security best practices and public trust.
The session also included poll responses from dozens of local government leaders across the Midwest, and what we heard confirms what many already suspect: the public sector is aware of the risks—but often under-equipped to manage them.
Poll Results from the Webinar
We polled participants during the webinar to get a better understanding of where local agencies are at. Here’s what we learned:
Patch Management
- Only 14% patch weekly
- 60% patch monthly or less
- 61% weren’t sure how often patches happen
Multi-Factor Authentication (MFA)
- About 25% don’t use MFA
- Several respondents weren’t sure if their ERP software supports it
Cybersecurity Training
- 45% train quarterly or more
- 24% train once per year
- 24% train less than once per year
- 7% receive no training at all
Backup Testing
- 56% didn’t know when their last full backup test occurred
- Only 15% tested in the last month
These numbers are not signs of negligence. They’re symptoms of overwhelmed teams juggling too much without centralized guidance or clear security benchmarks. That's where we step in to help.
The 9 Practical Cybersecurity Steps for Public Agencies
Dave Hatter walked attendees through 9 core strategies based on the NIST Cybersecurity Framework, CIS Controls, and his 25+ years of experience.
Step 1: Know What You Have (Asset Inventory)
You can’t secure what you don’t know you have. That includes:
- Devices (workstations, phones, servers)
- Software (licensed and shadow IT)
- Users and access rights
- Sensitive data (payroll, utility billing, SSNs)
This inventory needs to be updated regularly and automated if possible. Legacy assets should be flagged for replacement—not just because they’re old, but because many can’t be patched or secured properly.
Step 2: Keep It Updated (Patch Management)
Patching is non-negotiable. The FBI and CISA release regular bulletins on actively exploited vulnerabilities. Attackers don’t wait. Neither should you.
Automated patching tools exist—even for smaller governments. Set monthly (or weekly) patch cycles. Prioritize critical CVEs. And make sure this applies to remote devices as well.
Step 3: Use MFA Everywhere
Microsoft, Google, and the FBI all agree: MFA blocks over 99% of credential-based attacks.
- Start with cloud applications (Office 365, email)
- Extend to ERP systems, remote access tools, and VPNs
- Use authenticator apps or hardware keys over SMS when possible
SSI’s VIP ERP software includes built-in MFA capabilities. If you haven’t enabled it, you’re leaving the front door wide open.
Step 4: Strengthen Endpoint Protection
The term "antivirus" is outdated. You need advanced tools that:
- Use behavior-based detection (like CrowdStrike or SentinelOne)
- Flag anomalies (e.g., someone encrypting an entire C: drive at 3AM)
- Protect remote and field workers’ devices
Step 5: Build a Human Firewall
Training matters. 85% of breaches involve human error (Verizon 2021 Data Breach Investigations Report). Use phishing simulations, short video training, and frequent touchpoints.
Fort Wright, KY uses KnowBe4 to deliver regular training and random phishing tests. Since implementing it in 2016, their click rate has dropped to near zero.
“Even with all the tools, the best defense is a culture of security. One of our clerks once called me to confirm a spoofed email. That call saved us tens of thousands.” —Dave Hatter, IntrustIT
Step 6: Embrace Zero Trust
The old model—trust everything inside the firewall—is dead. Zero Trust means:
- Verifying user identity at every step
- Granting access only as needed
- Monitoring every request and transaction
Microsoft 365 and many ERP systems now support Zero Trust configurations. If you’re still operating on all-or-nothing admin roles, you’re at risk.
Step 7: Encrypt Everything
Encryption shouldn’t be a luxury:
- Enable BitLocker on all Windows laptops and workstations
- Use encrypted email (Office 365 supports it)
- Encrypt cloud backups and file transfers
Step 8: Back It Up (And Test It!)
Follow the 3-2-1 Rule:
- 3 copies of your data
- 2 types of media
- 1 stored off-site or in the cloud
Testing is critical. Too many agencies assume their backups work—until they don’t. Run full restore drills at least twice a year.
Step 9: Plan for the Worst
Have a written, role-specific incident response plan. Include:
- What qualifies as an incident
- Who gets called first (insurance, bank, legal, vendor)
- Recovery Time Objectives (RTOs)
- Communication plans for internal and public stakeholders
Then run tabletop exercises to test it. A 2-hour scenario once a year can make or break your response in a real emergency.
Why Your ERP Software is a Critical Piece of the Puzzle
Your ERP software is the operational brain of your agency. That makes it a high-value target. If your ERP:
- Lacks role-based access controls
- Doesn’t offer MFA
- Stores unencrypted sensitive data
- Hasn’t been patched or updated regularly
Then it’s a liability.
SSI’s VIP software suite was designed to mitigate these risks:
- Built-in MFA
- Secure user role design
- Encrypted connections and sensitive data storage
- Compatibility with Zero Trust architectures
Public sector organizations need more than functionality—they need resilience. ERP security is essential.
Real Questions from Local Leaders
As you probably guessed, there were questions during the webinar. You likely have some of the same questions.
“What’s the best way to detect a bad email without opening it?”
Hover over links. Inspect the sender’s actual address. Look for odd grammar or urgency. When in doubt, verify out of band (phone call, separate message). And train your users to slow down.
“Do you have a template for a cybersecurity policy?”
Start with CISA’s policy guides or templates from SANS. Then tailor it to your agency’s size, risk tolerance, and staffing. Don’t adopt boilerplate language you can’t enforce.
“Is password management software worth it?”
Yes. SSI and the City of Fort Wright both use 1Password. It works across platforms and eliminates password reuse. Pair it with MFA for maximum protection.
“How do I train part-time or field workers?”
Short, mobile-friendly, scenario-based training is key. Use real examples from your own organization. Platforms like KnowBe4, Infosec IQ, and even CISA’s training portal offer free or low-cost options.
“Do you have guidance on creating a cyber policy or recovery plan?”
Yes. Start with NIST’s Cybersecurity Framework or the CIS Controls. These give structure to your policy and help you prioritize. Include key roles, recovery time objectives, and steps to follow during an incident. If you need a starter template, IntrustIT or SSI can help.
Free Tools to Help You Start Today
- Microsoft Secure Score – Score your Microsoft 365 environment and get improvement suggestions
- SecurityScorecard – Assess your public-facing security posture for free
- CISA Alerts + MS-ISAC Advisories – Stay informed about the latest threats and patches
- FBI IC3 – Report fraud, learn from real incident data
Final Thought: Security Is a Public Service
We’re not just securing computers. We’re securing society.
In local government, the stakes aren’t just financial. They’re civic. When systems fail, services stop. And when data is compromised, trust erodes.
You don’t need a seven-figure cybersecurity budget. You need a strong foundation, consistent practices, and the right tools (most of which are free or already included in your software).
Start with your ERP. Then build around it. You want to do better. You just need the right support.
Take the First (or Next) Step
Cybersecurity isn’t just IT’s job anymore. Every user, every password, every remote connection is part of your attack surface. That’s why your strategy must include everyone—from admins to auditors to field staff with tablets.
Even with limited resources, you can enforce MFA, back up your critical data, train your team to spot threats, and patch high-risk vulnerabilities fast.
Whether you're a city, county, or utility provider, there are 3 things you can do today:
- Audit your ERP system for security gaps—access, updates, MFA, and encryption.
- Start small but smart—even a single training session or policy update helps.
- Get our free Cybersecurity Cheat Sheet – it’s a simple, powerful reference.
And you don’t have to do it alone. Connect with us to start a conversation about how to reduce your cybersecurity risk across finance, HR, utilities, and more.
Let’s make cybersecurity less scary—and a whole lot more manageable.
Or get more information about how Intrust IT can benefit you.