The Failures of “Backup as Insurance”
Research on state and local ransomware incidents found that 99% of attacks involved attempts to compromise backup systems, underscoring why nonimmutable backups are no longer sufficient. Modern ransomware intentionally targets backups, corrupts recovery points and exploits slow restoration to increase the likelihood of payment.
Backups that are accessible from production systems and unmonitored or untested at scale create false confidence and fail when attacks occur.
Identity systems have also become a primary entry point for ransomware attacks, making directory services, such as Microsoft Entra ID, Active Directory and Okta, high-value targets. When compromised, agencies lose the ability to authenticate users, manage access or trust their environment, making identity restoration a priority for regaining control.
Identity resilience should now be as critical as data resilience. Agencies need hardened, rapidly recoverable identity systems with last known-good configurations that can be restored in hours. Moreover, secure immutable backups, tested recovery runbooks and clean, isolated restoration can limit blast radius and restore essential services.
READ MORE: Government agencies can prepare for natural disasters.
Resilience as a Strategic Priority
However, operational resilience should not rely on only one technical feature, such as immutable backups. Instead, resilience should be treated as a strategic priority for leaders, one that covers knowing what data is at risk, deciding what to restore first and coordinating recovery across teams and systems.
Sensitive data discovery strategies should be deployed to solve this challenge. Without this foundation, figuring out the scope of a breach takes longer, costs increase, notifications are delayed and the risks to rules compliance and public trust grow. As privacy rules become stricter, being able to quickly map and classify data is a necessity.
Orchestration is equally important. After an attack, agencies should recover services that matter most to citizens first, such as emergency response, utilities and health or social services. Having clear priorities in place helps avoid last‑minute, reactive decisions, shortens downtime and leads to predictable and manageable recovery.
LEARN MORE: Cities can sustainability power AI systems.
Building Reversible Resilience
Limited budgets, aging infrastructure and uneven cybersecurity maturity make it harder to detect, contain and roll back harmful agentic AI actions on sensitive data and critical systems. State and local governments are adopting agentic AI to automate workflows and improve services, but they should build reversible resilience to manage the risk of agentic systems going rogue.
Leaders should also treat cyber resilience as central to AI adoption by embedding human-in-the-loop approvals, least-privilege access, continuous monitoring and rollback capabilities.
Restore Identity, Restore Government
Ransomware and other attacks are predictable, exposing the limits of treating backup as insurance. Governments should move away from using isolated tools or short‑term fixes and instead build connected, service‑oriented resilience strategies that support their missions. Resilience should involve IT, security, legal and communications teams working together.
By combining immutable backups with data insight and clear recovery priorities, agencies can recover faster from attacks and reduce their impact on public safety, services and trust.
