10 Questions Local Government Leaders Should Ask About Cybersecurity Risk

Secure Cyber

Local government leaders do not need to be cybersecurity experts. But they do need to ask the right questions to understand risk and protect critical services.

These ten questions help translate cybersecurity into operational and leadership decisions.

⸻

1. If ransomware hit us today, how long would our city or county be unable to operate?

This is the single most important question.

Leadership should know:

• How long email would be down?

• How long financial systems would be down?

• How long public safety systems would be impacted?

Good answer example:

• Essential services restored in 24–48 hours

• Full operations restored in 7 days

If IT cannot answer this, recovery planning is not mature.

⸻

2. What are the top five cybersecurity risks facing our organization right now?

Executives should receive a clear list of risks, not technical jargon.

Example:

Top risks may include:

• Ransomware

• Legacy systems

• Vendor access to internal systems

• Email compromise of finance staff

• Internet-facing vulnerabilities

Each risk should include:

• Likelihood

• Impact

• Mitigation plan

⸻

3. Are there any known critical vulnerabilities in our systems today?

Executives should ask:

“Do we currently have any known security holes that attackers could exploit?”

Follow-up questions:

• How many?

• How long have they been open?

• Why have they not been fixed?

This replaces meaningless metrics like “92% patch compliance.”

⸻

4. How quickly can we detect a cyberattack?

Many organizations focus on prevention, but detection speed matters just as much.

Ask:

• How quickly would we know if someone broke into our network?

• Is anyone monitoring our systems 24/7?

If detection takes days or weeks, attackers may already be inside.

⸻

5. Are our backups tested and protected from ransomware?

Executives should ask:

• Are backups offline or protected from attackers?

• How often are they tested?

• When was the last full recovery test?

Many governments discover backup problems during an incident, which is too late. Many IT leaders rely on the "green checkmark" to validate that backups are being completed. Many, test backups by doing a test restore of a single file instead of testing recovery of full systems and servers.

⸻

6. What systems would cause the biggest disruption if they went offline?

Executives should know the most critical services.

Examples:

• 911 systems

• Utility billing

• Payroll

• Police records

• Water treatment systems

Cybersecurity strategy should prioritize protecting these services first.

⸻

7. Are all employees protected with multi-factor authentication?

Ask specifically about high-risk users: (though everyone should be protected by MFA)

• Finance staff

• IT administrators

• Remote access users

• Email accounts

Credential theft is one of the most common attack paths.

⸻

8. Have we tested our response to a cyber incident?

Ask whether the organization has conducted:

• Tabletop exercises

• Incident response drills

• Ransomware recovery simulations

Most governments have plans but have never tested them.

⸻

9. Are third-party vendors creating cybersecurity risks for us?

Cities and counties rely heavily on vendors.

Ask:

• Which vendors have access to our systems?

• Do they follow cybersecurity standards?

• Could a vendor breach affect our operations?

Many public sector breaches originate through third-party access.

⸻

10. What cybersecurity risks are we accepting today?

This is the governance question.

Every organization accepts some risk. Leadership should understand:

• Which risks exist?

• Why they are being accepted?

• What it would cost to reduce them?

Cybersecurity becomes a leadership decision, not just an IT issue.