Cybersecurity for Local Government: Why Public Agencies are Migrating to Cloud-Based ERP Software
February 23, 2026 at 8:00 AM
A World Economic Forum survey found that 73% of global leaders say cybercrime hit them, their company, or someone they know in the past year—and Ohio State Auditor Keith Faber says local governments are getting hit, too.
Faber told reporters he believes Ohio loses more money to cyber fraud than to employee theft, noting that his office keeps seeing ransomware and vendor payment redirect scams. Over the past three years, his office logged more than 150 cyber incidents impacting counties, municipalities, townships, school districts, villages, and other public entities. While some were stopped before money moved, confirmed losses ranged from a few thousand dollars up to $1.9 million.
Faber has warned local governments twice about business email compromise schemes—targeted spear-phishing attacks where scammers impersonate a known vendor and request updated payment details via email or phone. His blunt advice is to never accept redirect requests electronically or over the phone, but instead require in-person verification (yes, it’s a hassle—but it can shut down most of the fraud).
And because this is a statewide risk issue, Ohio governments are legally required under Ohio House Bill 96 to report cybersecurity incidents to Ohio Homeland Security’s Ohio Cyber Integration Center (OCIC) within one week and to the auditor’s office within a month.
And that's just in one state.
In 2015, Kentucky established rigorous protocols for how public agencies and their contractors handle, protect, and report breaches of personal data via the Kentucky Personal Information Security and Breach Investigation Act (House Bill 5). In 2023, Illinois passed the Information Security Improvement Act (20 ILCS 1375) mandating local governments to train on phishing, data breaches, and identity theft. Municipalities with populations over 35,000 also must designate a cybersecurity point of contact. And Florida, in 2022, passed the Local Government Cybersecurity Act (HB 7055), which mandates strict security standards, requires employee training within 30 days of hiring, and as of May 2023, prohibits the use of public funds for ransomware payments.
Legislation like this, along with the growing threat of security incidents, is why a lot of local governments, utilities, libraries, and other public organizations are protecting themselves proactively through secure cloud servers.
The Cloud Migration Wave
We can list 10 public agencies within our own network that have migrated to the cloud in the last few months:
- Northern Ohio Rural Water, OH
- Village of Delta, OH
- City of Sturgis, KY
- Grandview Heights Public Library, OH
- Persia Utility District, TN
- Warren Trumbull Public Library, OH
- City of Amherst, OH
- Adams County, OH
- City of Nevada, MO
- Western Rockcastle Water Association, KY
There are many other organizations that have also realized that a cloud server is a much safer place to keep government data.
The Compliance Question
Many legacy systems don't actually meet current security compliance requirements. And there are a lot of them:
- CJIS (Criminal Justice Information Services)
- HIPAA (Health Insurance Portability and Accountability Act)
- PCI DSS (Payment Card Industry Data Security Standard)
- IRS Publication 1075 for FTI
- FISMA (Federal Information Security Modernization Act)
- FedRAMP and GovRAMP
- NIST Cybersecurity Framework (CSF)
- SOC (Service Organization Control)
- CIS Critical Security Controls
And the National Association of State Chief Information Officers (NASCIO) has been pretty vocal about cloud adoption for state and local governments, too. There's a reason for that.
They publish standards and frameworks because they're watching the same daunting security patterns play out across the country. Their cloud security standards focus on a few key areas that matter:
- Identity and access management – Knowing who's accessing what (and when) is fundamental to security.
- Data protection and encryption – Both at rest and in transit.
- Continuous monitoring and incident response – Catching threats before they escalate.
- Disaster recovery and business continuity – Making sure you can actually recover when something goes wrong.
NASCIO recognizes that most state and local governments don't have unlimited resources to reinvent security frameworks from scratch. So they create a roadmap: a set of proven practices that work across different jurisdictions, different budget sizes, and different staffing levels.
Remember those public agencies we mentioned before? The ones who switched to the cloud? They realized their responsibility to citizens.
Northern Ohio Rural Water runs critical infrastructure. The City of Amherst manages multiple departments (accounting, payroll, AP automation, and utility billing). Adams County serves an entire population's needs.
These are organizations that can't really afford downtime, data loss, or a multi-million-dollar fix. Or their names in bad headlines...
Let's Talk Legacy
We wrote a blog post a year ago about the hidden cost of keeping a legacy system. In it, we discussed how keeping an on-premises legacy system could actually cost you more money than moving to the cloud. These were some of the more pertinent statistics (find references at the end of this article):
- 59% of CISOs report that outdated infrastructure is their biggest challenge in addressing emerging threats
- 49% of successful attacks came through compromised credentials
- 24% exploited vulnerabilities in outdated systems
- 72% of ransom demands to state and local governments are for $1M or more (with 37% exceeding $5M!)
- The median ransom payment in 2024 was $2.2 million.
- Recovery costs averaged another $2.83 million.
The fact is that local and federal governments face attack rates of 34%. That means that 3-4 out of every 10 public agencies get attacked. Those odds are not in your favor.
The Question You Should Ask Now
You may be thinking, "This all sounds good. But it would mean an incredible amount of work."
And that's fair. Migration anxiety is real. You're worried about disruption. Training. Hidden costs. The learning curve.
But here's what you should be asking: "What's the cost of staying where we are?"
- The staff time spent on manual patches and security workarounds.
- The exposure to threats that your current architecture can't defend against.
- The citizen outrage and loss of trust if a breach occurs.
- The actual dollar amount and time needed to recover.
The public organizations we mentioned had to think of these same concerns. And they all landed in the same place: VIP Cloud.
The scariest choice right now isn't moving to the cloud. It's betting that your server can hold out for another five years without a catastrophic failure.
And look, we're not going to pretend this decision is easy. It requires buy-in from your team, careful planning, and a realistic timeline.
That's what we're here for. Let's have a conversation about what the answer looks like for you. Schedule a call with our team, and we'll talk about your specific situation. No pressure. Just clarity on what a move to VIP Cloud would actually involve for your community.
Additional References:
2024 Deloitte-NASCIO Cybersecurity Study
Panorama Consulting Group 2023 ERP Report
Panorama Consulting Group 2024 ERP Report
Software Path 2022 ERP Software Project Report
Sophos' The State of Ransomware in State and Local Government 2024