Close

See How Your Peers Are Moving Forward in the Cloud

New research from CDW can help you build on your success and take the next step.

Click Here to Read the Report
Mar 11 2025
Security

Small Towns Can Build Great Cyber Resilience

Shared resources are key for modest communities, which still experience big risks.
Kim Lambert
by

Kim Lambert is a business resiliency evangelist with over 18 years of experience across cybersecurity and other services.

Forrester researchers warn that “There’s no such thing as ‘too small’ or ‘too off the radar’ for opportunistic cybercriminals.” Indeed, small towns are vulnerable to cyberattacks, as they house critical infrastructure including sensitive data and essential water, energy and utilities systems.

The U.S. is a nation of these mostly smaller communities. Census data confirms that of approximately 19,500 incorporated places, about 75% have fewer than 5,000 people, and nearly 33% have fewer than 500.

While cybersecurity improvements can focus on prevention, cyber resilience requires the ability to anticipate, withstand, adapt to and recover from cyber incidents. According to Michael Mestrovich, CISO for data security company Rubrik, cyber resilience is a combination of cyber posture and cyber recovery. It encompasses incident response and operational continuity.

Even with limited resources and technical expertise, small towns can take steps to help prevent exposure of confidential data, loss of public trust, service disruption and high recovery costs.

Click the banner below for details about achieving and maintaining cyber resilience.

x-cyberattack-static-2024-clickhere-desktop x-cyberattack-static-2024-clickhere-mobile

 

Visualize Your Organizational Data Flow

Data mapping and network diagrams can identify data risk, showing what and how much data is collected and how it is used, stored and shared. A zero-trust approach calls for least privilege access control.

  1. Identify data sources. List every device, application and system that stores or processes data (e.g., Social Security numbers and personnel, tax and voter records).
  2. Classify data types. Categorize data as public, confidential or sensitive.
  3. Analyze data sharing. Map how data moves internally and externally.
  4. Review user access. Assess permissions and access to sensitive data.
  5. Apply controls. Implement privileged access management such as identity and access management and multifactor authentication.

Evaluate Existing Cybersecurity Measures

In addition to reviewing network security (e.g., firewall configurations, intrusion detection/prevention), endpoint security (e.g., anti-virus/malware protection) and data encryption practices, vulnerability and threat assessments can help pinpoint and remediate potential weaknesses.

  1. Discover vulnerabilities. Scan systems periodically for known vulnerabilities.
  2. Employ patch management. Apply patches and software updates in a timely manner.
  3. Consider local threats. Identify insider threats and social engineering tactics specific to the town’s environment.
  4. Evaluate third-party risk. Conduct due diligence on vendors with access to confidential data that may interact with networks and systems (e.g., credit card processing and payroll services).

DIVE DEEPER: Air-tight incident response is crucial to cyber resilience.

Assess Data Lifecycle Management Practices

Data retention and deletion best practices can help reduce the attack surface. Sensitivity and functional need should inform retention periods, taking into consideration legal and operational requirements and historical value.

Automated data management and protection tools can help rapidly back up data and automatically delete it once it reaches the end of its retention period. The most effective tools help ensure fast, reliable restores. Backups themselves should also be protected from malicious data encryption, modification or deletion, otherwise no reliable copy may exist from which to recover.

Consider Cyber Insurance Options

According to Public Technology Institute Executive Director Alan R. Shark, cyber insurers initially based insurance premium prices and coverage on guesswork about an emerging space. However, high payouts over time led some insurers to pull the plug on offering cyber coverage. Others now require more stringent security standards yet provide less coverage, sometimes at unaffordable costs.

While small towns can take steps to get properly insured, alternatives exist to traditional, private-market cyber insurance. Self-insuring through security bonds or other reserves is one option. Another is lower-cost cyber risk pools, consortiums of local governments where members have the added benefit of cybersecurity support.

Click the banner below to sign up for the StateTech newsletter for weekly updates.

st_newsletter_animated_q125_signup_desktop st_newsletter_animated_q125_signup_mobile

 

Use Available Cyber Resources

In a recent report, Buck Bell, who leads CDW's Global Security Strategy Office, said, “I’d advise anyone with an interest in response and recovery to become familiar with NIST’s ransomware risk management framework.” The framework reinforces incident response planning (including internal communication strategies), keeping the public informed in the event of a data breach, and working with field teams from the Joint Ransomware Task Force and the Cybersecurity and Infrastructure Security Agency.

The FBI and CISA partner with other agencies such as the National Security Agency and the Department of Homeland Security (DHS) to publish relevant guides, such as Cybersecurity Best Practices for Smart Cities. They also disseminate actionable steps to quickly identify and respond to the latest cyberthreats.

RELATED: Training and partnerships can strengthen cyber workforces.

Membership in InfraGard is available as part of a public-private partnership between the FBI and the private sector to protect critical U.S. infrastructure. Small-town chapters provide training and briefings on emerging threats as well as networking and information-sharing opportunities.

Resources are also available at the state level. One example is the 2024 Massachusetts Municipal Cybersecurity Summit. According to John Petrozzelli, director of the MassCyberCenter, it’s statewide crowdsourcing of cybersecurity best practices that lays the groundwork for a network of support when a cyber incident occurs.

25%

The percentage of allocated State and Local Cybersecurity Grant Program funds intended for rural communities

Source: cisa.gov, "State and Local Cybersecurity Grant Program," Feb. 3, 2025

Apply for Cybersecurity Grants

In fiscal year 2024, the DHS awarded nearly $280 million in cybersecurity grants to state, local and territorial governments. Counties, cities, towns and villages can apply via their designated state administrative agencies. The State and Local Cybersecurity Grant Program aims to dedicate 80% of funding to local governments.

Many states optimize impact with a shared services approach, providing services such as employee cybersecurity training on phishing, secure password practices and reporting suspicious activity, as well as risk assessments and endpoint detection.

Kyle Little/Getty Images

More On

Related Articles