A growing target
County government offices — property appraisers, tax collectors, clerks of court, health departments — are increasingly targeted by ransomware operators and other threat actors. The reasons are straightforward: they hold sensitive constituent data, they often run legacy systems, IT budgets are constrained, and paying a ransom is sometimes framed as the fastest way to restore public services.
According to Emsisoft's State of Ransomware report, government entities at all levels — federal, state, and local — are consistently among the top ransomware targets. Local government, including counties, faces particular risk because its security resources do not match the value of the data it holds.
What makes county government offices attractive targets
Legacy infrastructure
Many county offices run software that is years or decades old. Computer-assisted mass appraisal (CAMA) systems, court management platforms, tax collection software, and records management systems are often built on aging infrastructure that has not been updated to address modern security requirements. Attackers specifically scan for and exploit known vulnerabilities in these systems.
Limited IT resources
Most counties do not have dedicated security staff. A single IT generalist — or a vendor contracted for basic support — is responsible for everything from printer problems to server maintenance to network security. Security monitoring, patch management, and incident response often fall through the gaps.
High-value data
Property records, tax data, business license information, vital records, and court documents all have value. Some of this data includes personally identifiable information for every resident in the county. A breach triggers mandatory notification requirements and potential regulatory scrutiny.
Connected to state systems
County offices often connect to state government systems for data exchange. A compromised county office can become a lateral movement path into state infrastructure — making county-level security a concern not just locally but at the state level as well.
What regulators and insurers are looking for
State-level requirements for county government cybersecurity vary, but the trend is consistent: states are increasingly establishing minimum security standards for local government entities, and compliance is tied to eligibility for state funds and insurance programs.
Florida, for example, has enacted cybersecurity requirements for local government under Florida Statute 282.3186, which requires local governments to implement cybersecurity standards and complete annual security assessments.
On the insurance side, government cyber insurance programs — including those offered through state risk management pools — have tightened underwriting significantly. Common requirements now include:
- Multi-factor authentication on email and remote access
- Regular employee security training
- Documented incident response plans
- Offline or air-gapped backups
- External vulnerability scanning
- Patch management processes
The highest-impact controls for county offices
Multi-factor authentication
This is the single highest-impact control for most county offices. MFA on email prevents credential phishing from resulting in account takeover. MFA on remote access keeps a brute-forced password from being enough to get in through RDP or VPN. Given that phishing and exposed remote access account for the majority of ransomware incidents, MFA alone dramatically reduces risk.
Patch management
Legacy software is harder to patch — vendor support may be limited, and updates may require testing to ensure they do not break dependent systems. But for internet-facing services, current patches are non-negotiable. Unpatched vulnerabilities in public-facing web applications, email servers, and network devices are active exploitation targets.
Email authentication
SPF, DKIM, and DMARC prevent attackers from spoofing your county's domain — sending emails that appear to come from official government addresses. Business email compromise attacks using spoofed government domains have targeted vendors, contractors, and constituents. Proper email authentication configuration stops this.
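A published record is not the same as an enforced one: an SPF record ending in ?all or a DMARC policy of p=none leaves spoofed mail deliverable. The following check is an added example, not code from the original article; the domain county.example, the selector mail2024 and every TXT record in it are constructed sample data, and in practice the records would come from a DNS lookup.

```python
# Added example: audit SPF, DKIM and DMARC TXT records for spoofing gaps.
# Domain, selector and all records below are constructed sample data.

def parse_tags(record):
    """Split a 'k=v; k=v' DKIM/DMARC record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_email_auth(domain, dkim_selector, txt):
    """Return a list of findings; an empty list means no gap was detected."""
    findings = []
    spf = [r.lower() for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # Zero records means no policy; more than one is a permanent error.
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        terms = spf[0].split()
        alls = [t for t in terms if t.lstrip("+-~?") == "all"]
        delegated = any(t.startswith("redirect=") for t in terms)
        if not alls and not delegated:
            findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
        elif alls and alls[0] not in ("-all", "~all"):
            findings.append(f"SPF: '{alls[0]}' does not fail unlisted senders")
    dkim_name = f"{dkim_selector}._domainkey.{domain}"
    if not any(parse_tags(r).get("p") for r in txt.get(dkim_name, [])):
        # A missing record or an empty p= tag (revoked key) cannot verify mail.
        findings.append(f"DKIM: no usable public key at {dkim_name}")
    dmarc = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", [])
             if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no record, receivers apply no domain policy")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} is not enforced")
        if dmarc[0].get("pct", "100") != "100":
            findings.append("DMARC: pct below 100 enforces the policy on only part of the mail")
    return findings

WEAK = {"county.example": ["v=spf1 include:_spf.mailhost.example ?all"],
        "_dmarc.county.example": ["v=DMARC1; p=none; rua=mailto:dmarc@county.example"]}
HARDENED = {"county.example": ["v=spf1 include:_spf.mailhost.example -all"],
            "mail2024._domainkey.county.example": ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEYPLACEHOLDER"],
            "_dmarc.county.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@county.example"]}

if __name__ == "__main__":
    for label, zone in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_email_auth("county.example", "mail2024", zone))
```

The DKIM check only looks at the selector it is given, so it should be run once for each selector the county's mail systems actually sign with.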
Backup strategy
Ransomware that encrypts backups is a specific attack variant that operators use to maximize leverage. Backups stored on the same network as production systems, or accessible via the same credentials, are vulnerable to the same attack. Offline or cloud-isolated backups that ransomware cannot reach are the difference between restoring in hours and being forced to consider a ransom payment.
Vendor security
CAMA vendors, document management providers, and other software companies that connect to county systems or handle county data represent supply chain risk. A security incident at a vendor can expose county data or provide a path into county systems. Asking vendors about their security practices — what certifications they hold, how they handle incidents, what access controls they use — is increasingly standard practice and a reasonable due diligence requirement.
Practical starting point
The goal is not a perfect security program built overnight. It is a defensible improvement trajectory — demonstrating that the county takes security seriously, has assessed its posture, and is working systematically to address findings.
A current external vulnerability scan is the right starting point. It shows what an attacker would see, identifies the highest-priority issues, and creates a baseline against which improvement can be measured.
Run a free external security assessment at kasperashield.com to see where your organization stands.