Without the proper backup precautions, a ransomware cyber attack could leave a government entity or business completely powerless.
Last year, as part of its budget bill, the state legislature included several requirements for governments to safeguard residents’ information from a cyber attack. However, protection from cyber attacks is becoming more and more expensive and complicated, especially for small businesses or governments.
The county information technology (IT) team held a meeting Thursday to offer some assistance to other governmental entities in becoming compliant with the state requirements. About 13 officials from townships and villages around the county attended.
“We were getting a lot of questions, and I was talking with Vond Hall, the county administrator, and just said, ‘Hey, instead of continuing to get phone calls and emails, why don’t we just put everybody in a room and talk about it,’” said Jeremy Suffel of the county’s IT team.
House Bill 96 was the budget bill passed by the state legislature for 2026-27, but it also contained cyber security provisions for governments and required schools to create use policies for students and staff regarding artificial intelligence.
“It gives us a legal obligation to protect the data of the citizens,” Suffel said. “It’s mandated that there are things we have to do.”
It requires each governmental entity to have a cyber security policy in place, which Suffel advised should be somewhat vague because the entity will be required to adhere to it. However, he said the policy should include classifying documents, such as what is confidential, what can be redacted and what is public.
“That allows you to separate and organize your documents, your files, in a way that you can protect them better,” Suffel said.
Entities also need to identify their vulnerabilities and work to fix them. Suffel told those at the meeting about some things the county uses for added protection, including special security keys inserted into laptops that identify the user and eliminate the need for lengthy passwords, and a backup that is not connected to the main system.
Governments also need to report any time they have an incident, as well as conduct cybersecurity training, including tabletop exercises.
“We’re going to start hosting tabletop exercises,” Suffel said. That way local governments can send a representative to the exercise and get credit for being part of one.
He said one held last year led to constructive conversations on potential issues of layers of government and commerce, and also to the creation of an IT users group meeting on a regular basis.
Governments also need an incident response plan, which details how they will respond to a cyber attack.
“And it’s going to depend on what the level of incident is,” Suffel said. He added, however, any incident needs to be reported to the state.
If a ransomware attack happens, a government is not allowed to make a payment toward it without first passing a resolution. He added state officials are advising governments to draft a resolution template ahead of time to allow for quicker reaction.
Attacks can happen anywhere
Today’s ransomware users are able to get into a computer, observe it for long periods of time, assess critical information and usually wait until they have gained access to the backup before launching the ransomware attack.
“Honestly, if you have ransomware, it means they probably have your backups and you have no choice but to pay a ransom,” Suffel said. “That’s the reality of the situation. But understand, you are funding terrorism, so that’s where the FBI is going to be like, ‘Don’t pay that ransom.’”
He highlighted a recent ransomware attack that made national headlines involving a large medical technology company. The attack was linked to an Iranian group and led to global disruptions, including wiping more than 80,000 devices worldwide.
However, attacks can happen anywhere.
“I can tell you, in the last eight months, there have been three entities here in Bryan with ransomware,” Suffel said. “Two businesses shut down for two weeks minimum, and another business nearly closed their doors because of ransomware.”
Among the best countermeasures to take is having a backup of all data that can then be used to restore systems in the event of a cyberattack. However, not just any backup plan will do.
“You have to have a backup in two places, and one of those backups must be offline,” Suffel said. “It’s not good enough to just have a backup in two different locations. You need to have a backup they can’t get to, there needs to be an air gap.”
Little help from the state
While the state legislature made cyber protection a priority for governments, it and the state auditor’s office, which is in charge of making sure governments comply, have offered little in the way of funding or other assistance.
Suffel said in 2019, the Ohio Secretary of State’s Office passed increased security directives for the state’s elections infrastructure.
“So the state of Ohio has one of the most secure elections infrastructure in the entire country,” Suffel said.
He added, however, that the secretary of state’s office spelled out exactly what needed to be done and how to do it. It also provided funding to local boards of elections to help meet the requirements.
“That is my complaint about the auditor’s office, is they didn’t tell us how to be compliant,” Suffel said. “They just said, ‘You need to be compliant.’”
There has also been no funding to assist in the process.
Cyber protection is expensive
Suffel provided examples of what governments should be looking at, including spam protection at about $7 per user per month.
“Spam protection is one of the most important phases, it’s getting a lot of that fraud out of your mailbox, especially as AI gets better,” Suffel said.
He also suggested using Office 365 ($100-$250 per year per license depending on the plan, plus a $72 annual fee per user) or Microsoft 365 ($88-$365 per license). He also said each government official should have their own government email address rather than using a personal one. That can cost $45 per user per year through Office 365.
Some township officials in attendance pointed out they receive free computers from the state for government business, but they have been told to simply use password protection. Suffel said they may need to then purchase their own equipment.
“This stuff is expensive,” Suffel said. “My budget this year is $1 million. I have four employees, the rest is all cyber security. I mean, 95% of my job now is cyber security. That’s just the world we live in.”
He also said his department is in charge of overseeing 19 separate locations and 550 public employees.
But he added it’s important governments realize the seriousness of a possible ransomware attack or data theft.
“We must start taking a conscious effort and protect the taxpayer data, because the disruption and continuity of government, but also the man hours it would take to recover from such a situation, it’s really negligent on our part not to.
“We are the stewards of that data,” he added.
