
IT Risk Radar: No Defense Holds Forever: Why Recovery Readiness Is the New Standard for Municipal Cybersecurity

Wednesday, June 24, 2026

When ransomware hits, can your municipality actually recover?
In Episode 3 of “IT Risk Radar, Strategies That Work for Municipal Governments,” host Dan Bourdeau from MMRMA sits down with Jessica Dore of Rehmann Technology Solutions and Waleed Haddad of Naya Group to tackle recovery readiness head-on.

Discover why incident response plans fail when they’re too high-level, why recovery can’t rest on a single IT staffer, and how air-gapped, immutable backups and the 3-2-1 method protect your data. The conversation also covers the difference between testing a full restore and a file restore, the legal weight of declaring a breach, the role of breach counsel and MSSPs, tabletop exercises, and the cyber insurance requirements you need to meet.
Practical, no-nonsense guidance for public sector leaders ready to strengthen their cybersecurity recovery strategy. Listen now.


No Defense Holds Forever: Why Recovery Readiness Is the New Standard for Municipal Cybersecurity

Here’s the uncomfortable truth most municipal leaders avoid: You can do everything right and still get hit. You can deploy multifactor authentication, train your staff, segment your network, and monitor every endpoint, and a determined threat actor may still find a way in. No defense holds forever.

That reality should reshape how public sector organizations think about cybersecurity. Prevention matters. But prevention is only half the equation. The other half, the half that determines whether your agency stays operational or grinds to a halt for weeks, is recovery readiness.

And the stakes have never been higher. According to the Sophos State of Ransomware 2025 report, state and local governments reported the highest median ransom paid of any sector at $2.5 million. Whether or not your agency ever faces a number that large, the underlying risk is real. Ransomware happens. And the cost of a cyber incident reaches far beyond any ransom payment. There’s lost productivity, interrupted services to residents, and lasting damage to public trust. Those costs are steep, even when they aren’t measured in dollars.

So the question isn’t whether your agency can prevent every attack. It’s whether your agency can recover when one gets through.


The Plan on the Shelf Won’t Save You

Most municipal organizations have an incident response plan. Far fewer have one that would actually work in a crisis.

The gap shows up in predictable ways. Plans are written at too high a level, capturing the broad strokes but missing the operational detail needed to respond when systems are down and the clock is ticking. Worse, many plans get created once and then left to gather dust. Two years later, the contact information is outdated, the systems inventory no longer matches reality, and the vendors listed for emergency support may not even be under contract anymore. When you finally reach for the plan, the resources it points to are gone.

There’s a third problem, and it may be the most dangerous: too many plans rest entirely on a single technical team member. The IT director becomes the single point of failure. That’s not a plan. That’s a liability.

A genuinely tested incident response plan looks different. It’s a living document, not shelf-ware. Here’s what separates the two:

  • Annual simulated testing. Conduct a simulated incident response test at least once a year, using real-world scenarios and live technical exercises.
  • Cross-functional participation. Involve representatives from departments across the organization, not just IT. Recovery is an organizational effort, not a technical chore.
  • Current runbooks. Maintain detailed runbooks and actually use them during testing to confirm your processes and documentation hold up under pressure.
  • Regular updates. Account for technology drift. Systems get added, others get retired, and shadow technology finds its way in. Your plan has to keep pace.


Recovery Is Everyone’s Job, Not Just IT’s

The single biggest misconception in municipal cybersecurity is that an incident is an IT problem. It isn’t.

When organizations test their plans by splitting the technical team from the executive and administrative leadership, the distance between the two groups is often striking. Ask leadership how long the organization can sustain operations while systems are down, or how daily losses accumulate, or at what point they’d consider paying a ransom, and too often the answer is silence. Many assume the IT team, the security operations center, or the cyber insurance carrier will simply figure it out. That assumption is wrong.

A functional response requires a clear chain of command that extends well beyond the server room:

  • Legal must be engaged early to navigate disclosure obligations and liability.
  • Communications needs a designated owner who controls the public narrative.
  • Leadership must understand the operational and financial thresholds that drive critical decisions.
  • Insurance coordination requires knowing who engages the carrier and when.

This is also where the language matters more than most leaders realize. There’s real legal weight in the word “breach.” The moment your organization declares a breach, a clock starts, from a regulatory standpoint and an insurance reporting standpoint alike. Understanding who has the authority to make that declaration is critical.

It’s tempting, especially for leaders conditioned to get ahead of a story, to communicate quickly and control the message. Resist that urge until you understand what actually happened. If you announce that no resident data was compromised, and forensics later reveals that it was, your credibility takes a hit twice. Restraint, guided by counsel, protects both your residents and your reputation.


Your Backups Are the First Target, So Treat Them That Way

Modern threat actors don’t smash and grab. They get in, lie low, and watch. They study your environment, map your systems, and dismantle your identity management so you can’t log into your own tools. Then they go after your backups. They know that destroying your ability to recover is what forces your hand.

This is why your backup strategy deserves scrutiny. The gold standard is the 3-2-1 method:

  1. A local backup for fast, routine recovery.
  2. An online backup for redundancy.
  3. An air-gapped, immutable backup that is off-site, disconnected from the network, and untouchable.

That third copy is the saving grace. Given the sophistication of today’s attacks, an immutable backup, stored off-site, unconnected to your network, and accessible only to a limited few through entirely separate credentials, may be the only thing standing between your agency and a total loss. Those credentials should share nothing with your primary environment: not the same username conventions, not the same passwords, not the same naming scheme. Think of it not as a separate key, but as a separate key ring.

Identity management deserves the same rigor. If attackers can lock you out of your own house, recovery becomes exponentially harder. As organizations consolidate around single sign-on for convenience, backups should remain a deliberate exception, protected by the minimum number of separate credentials needed to back up and restore.
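The backup and identity requirements just described (three copies on two kinds of media, one off-site, and at least one copy that is immutable, disconnected from the network, and reachable only through credentials that share nothing with the primary environment) can be written down as a checklist and evaluated against an inventory. The script below is an added example, not code from the podcast, MMRMA, Rehmann, or Naya Group; the `BackupCopy` fields, the `corp-sso` and `vault-only` credential realm names, and the two sample inventories are all constructed for illustration.

```python
"""Evaluate a backup inventory against the 3-2-1 rule plus the air-gap and
separate-credential requirements.  Added example with constructed data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str               # e.g. "disk", "tape", "object-storage"
    offsite: bool            # stored away from the primary site
    immutable: bool          # cannot be altered or deleted during its retention window
    network_connected: bool  # reachable from the production network
    credential_realm: str    # identity system that grants access to this copy


def evaluate_321(copies: list[BackupCopy], primary_realm: str = "corp-sso") -> dict[str, bool]:
    """Return one boolean per requirement.  Following the article, the three
    copies counted are the backup copies themselves (local, online, air-gapped)."""
    media_kinds = {c.media for c in copies}
    offsite = [c for c in copies if c.offsite]
    # The "saving grace" copy: off-site, immutable, disconnected, and not on the
    # same identity system as production (a separate key ring, not a separate key).
    airgapped = [
        c for c in copies
        if c.offsite and c.immutable and not c.network_connected
        and c.credential_realm != primary_realm
    ]
    return {
        "three_copies": len(copies) >= 3,
        "two_media_types": len(media_kinds) >= 2,
        "one_offsite": len(offsite) >= 1,
        "airgapped_immutable_separate_creds": len(airgapped) >= 1,
    }


def failed_checks(result: dict[str, bool]) -> list[str]:
    """Names of the requirements that did not hold, in a stable order."""
    return [name for name, ok in result.items() if not ok]


def sample_inventories() -> tuple[list[BackupCopy], list[BackupCopy]]:
    """Two constructed inventories: one that meets the bar and one that looks
    like 3-2-1 on paper but keeps the vault copy under production SSO."""
    good = [
        BackupCopy("local-nas", "disk", offsite=False, immutable=False,
                   network_connected=True, credential_realm="corp-sso"),
        BackupCopy("cloud-replica", "object-storage", offsite=True, immutable=False,
                   network_connected=True, credential_realm="corp-sso"),
        BackupCopy("vault-tape", "tape", offsite=True, immutable=True,
                   network_connected=False, credential_realm="vault-only"),
    ]
    bad = [good[0], good[1],
           BackupCopy("vault-tape", "tape", offsite=True, immutable=True,
                      network_connected=False, credential_realm="corp-sso")]
    return good, bad


if __name__ == "__main__":
    for label, inventory in zip(("good", "bad"), sample_inventories()):
        result = evaluate_321(inventory)
        print(label, "PASS" if not failed_checks(result) else failed_checks(result))
```

The `bad` inventory passes the copy, media and off-site counts; it fails only because the vault copy is unlocked by the same identity system an attacker would already hold after taking over production, which is exactly the gap the article warns about.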


Testing a Backup Means Testing a Full Restore

Here’s a hard question every leader should ask their team: Is restoring a single file or folder a valid backup test?

The answer is no.

Restoring one file proves almost nothing about your ability to recover from a real incident. A valid backup test simulates the actual scenario you fear most: your environment is hit, you’re completely down, and you need to fully restore. That means testing complete restore capabilities, including complex systems and SQL databases that run your critical ERP applications. These systems carry nuances that a single-file restore will never surface.

Full restore testing also reveals whether your recovery time objectives are realistic. You may want a critical system back online in four hours, but wanting it doesn’t make it possible. Do you have the bandwidth? The storage capacity? Remember that your production storage is likely compromised in an attack. Do you have enough clean storage elsewhere to recover to? You won’t know until you test.

The same discipline applies to your air-gapped backups. Test them in a sandbox environment, isolated from your production network, on a schedule that matches your organization’s risk tolerance. At minimum, test immutable backups semi-annually. They warrant the same attention as your local and off-site copies.
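To make the difference between a single-file test and a full-restore test concrete, the script below restores a constructed backup into an isolated sandbox directory, then verifies every file against a hash manifest taken at backup time. It is an added example, not code from the podcast or the firms involved; the file tree, the manifest format (relative path to SHA-256), and the throughput and RTO figures used in the restore-time estimate are constructed assumptions. The single-file check succeeds on the same sandbox where the full-restore check reports a missing database dump and a corrupted one.

```python
"""Full-restore verification versus single-file verification, plus a simple
recovery-time feasibility estimate.  Added example; all inputs are constructed."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir: Path) -> dict[str, str]:
    """Map every file's path (relative, POSIX-style) to its SHA-256 at backup time."""
    return {p.relative_to(source_dir).as_posix(): sha256_file(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def verify_single_file(manifest: dict[str, str], restored_dir: Path, relpath: str) -> bool:
    """The 'file restore' test the article warns is not a valid backup test."""
    target = restored_dir / relpath
    return target.is_file() and sha256_file(target) == manifest[relpath]


def verify_full_restore(manifest: dict[str, str], restored_dir: Path) -> dict:
    """Check that every file in the manifest came back intact."""
    missing, mismatched, verified = [], [], 0
    for relpath, expected in manifest.items():
        target = restored_dir / relpath
        if not target.is_file():
            missing.append(relpath)
        elif sha256_file(target) != expected:
            mismatched.append(relpath)
        else:
            verified += 1
    return {"verified": verified, "missing": missing, "mismatched": mismatched,
            "ok": not missing and not mismatched}


def estimate_restore_hours(total_bytes: int, throughput_bytes_per_sec: float) -> float:
    """Wall-clock time to move the data set at a measured restore throughput."""
    return total_bytes / throughput_bytes_per_sec / 3600


def rto_feasible(total_bytes: int, throughput_bytes_per_sec: float, rto_hours: float) -> bool:
    return estimate_restore_hours(total_bytes, throughput_bytes_per_sec) <= rto_hours


def run_demo() -> dict:
    """Build a constructed 'production' tree, take a manifest, restore into a
    sandbox with two simulated defects, and run both kinds of test."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "production"
        (prod / "db").mkdir(parents=True)
        (prod / "docs").mkdir()
        (prod / "db" / "erp.sql").write_bytes(b"-- constructed ERP dump\n" * 1000)
        (prod / "db" / "gis.sql").write_bytes(b"-- constructed GIS dump\n" * 500)
        (prod / "docs" / "permits.csv").write_text("id,status\n1,open\n")
        manifest = build_manifest(prod)

        sandbox = Path(tmp) / "sandbox-restore"   # isolated from 'production'
        shutil.copytree(prod, sandbox)
        # Simulated restore defects: one dump never came back, one is truncated.
        (sandbox / "db" / "erp.sql").unlink()
        (sandbox / "db" / "gis.sql").write_bytes(b"truncated")

        return {
            "single_file_ok": verify_single_file(manifest, sandbox, "docs/permits.csv"),
            "full": verify_full_restore(manifest, sandbox),
        }


if __name__ == "__main__":
    outcome = run_demo()
    print("single-file test:", "PASS" if outcome["single_file_ok"] else "FAIL")
    print("full-restore test:", outcome["full"])
    # Constructed sizing: 10 TB of data at roughly 1 Gbps (125 MB/s) against a 4-hour RTO.
    print("RTO feasible:", rto_feasible(10 * 10**12, 125 * 10**6, rto_hours=4))
```

The feasibility estimate is deliberately crude: it only captures raw transfer time, and real restores also pay for database consistency checks, application bring-up and the clean storage the article says you must have on hand. Even so, it surfaces the mismatch between a four-hour target and the tens of hours that moving a large data set takes, which is the conversation the full-restore test is meant to force.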


Practice Before the Pressure: The Tabletop Exercise

A plan you’ve never practiced is just a theory. The best way to pressure-test it is a tabletop exercise, ideally one facilitated by a third party.

An outside facilitator brings scenarios with real-world wrinkles, the kind drawn from helping other organizations through actual incidents. It’s as close to a dress rehearsal as you can get without disrupting operations. And it gives your team something invaluable: the experience of making decisions under pressure before the pressure is real.

Can you fail a tabletop exercise? Not really. There’s no failing, only lessons learned. The real failure is never testing at all, then discovering during a live incident that nobody knows who’s in charge while everyone scrambles. Incidents are emotional, high-stress, pressure-cooker situations. The teams that perform best are the ones that have practiced staying calm and clear-headed because they’ve been there before, even if only in a simulation.


Recovery Readiness and Insurability Are the Same Muscle

There’s a powerful overlap between the controls that get you back online and the controls that get you covered. Insurance takes some of the financial sting out of an incident, but the tools and plans we’ve discussed are what physically restore your operations. The two work together.

And cyber insurance carriers have raised the bar. The questionnaire alone is no longer enough. Carriers now demand proof of tested controls before they’ll write a policy, including:

  • Multifactor authentication, the single most emphasized requirement.
  • Endpoint detection and response with active, ongoing monitoring.
  • A tested incident response plan, with evidence that you’ve actually exercised it.
  • Vendor and third-party oversight.
  • Tested and monitored backups.
  • Regular assessments, such as penetration testing and IT control audits.

Carriers are also verifying answers independently. Many now scan environments externally, sometimes before you even grant permission, mapping your external footprint and returning a report of gaps to close; leave those gaps open and you face higher premiums. Common findings include expired certificates and unknown open ports and protocols on the external perimeter. The lesson is simple: the controls you claim to have, you must be able to prove.


Three Things to Do in the Next 90 Days

No defense holds forever, but preparation and practice determine how well you recover. If you do nothing else this quarter, start here:

  1. Get a plan, or take yours off the shelf. If you don’t have an incident response plan, build one. If you have one collecting dust, update it with current contacts, systems, and vendors, then test it.
  2. Stand up immutable backups. People come and go, plans evolve, and nothing is ever 100% secure. But if you can restore your environment no matter what, staying operational becomes achievable. Everything else can be figured out later.
  3. Schedule a facilitated tabletop exercise. Bring in an outside perspective and practice your response before you need it.

Recovery readiness isn’t a luxury or a box to check. It’s the difference between a near miss and a crisis, between serving your residents and leaving them stranded. The work you do now, before an incident, is what determines whether your agency bounces back or breaks down.