The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.
New Hampshire's towns and cities are the critical entities in the Granite State managing key functions ranging from water treatment and emergency response to administrative processes like property records, tax collection, and access to vital records data. In today's digital world, this vital infrastructure is increasingly reliant on technology, making it a prime, and often vulnerable, target for cyber criminals. But are your municipal budget and emergency planning efforts aligned with this criticality? Or, perhaps, like many municipalities, are you lumping together your IT budgets and IT staffing plans for both IT and cybersecurity, expecting the experts and budgets of one domain to be responsible for both? With the ever-growing frequency of major critical infrastructure outages tied to cybersecurity, now is the time for municipal leaders to recognize that cybersecurity is not a luxury or a temporary fix or even an avoidable cost; it is core to public safety and a financial necessity that demands its own, dedicated budget line item. You may not see it, but cyber criminals and threat actors are, indeed, probing the defenses at all levels of our State and local government entities, threatening the foundational institutions we rely on. Cybersecurity is
not just about data privacy and financial losses. It is one of our largest emerging public safety issues.
The Critical Distinction: IT is Not Cybersecurity
A common and dangerous misconception in local government is that the existing IT budgets and contracts with outside IT vendors inherently covers cybersecurity. This is often untrue, and it bares not only a view of contracts, but also revisiting how we think about our allocation of resources and responsibility in general.
- IT (Information Technology) focuses on enabling operations. Its primary goal is to keep systems running, ensure workers have the tools they need (computers, networks, software), and manage infrastructure. IT is about functionality and convenience.
- Cybersecurity focuses on enabling secure operations. Its primary goal is to protect those systems, data, and users from malicious and accidental threats. Cybersecurity is about risk mitigation and resilience.
Dedicated funding ensures that necessary, specialized security measures—like advanced threat detection, staff training, and compliance audits—are implemented and maintained, not delayed or cut to pay for a new server.
The Staggering Cost of Inaction
The potential financial fallout from a successful cyberattack far outweighs the cost of preventative measures. For New Hampshire municipalities, an attack is no longer a matter of "if," but "when." The last published result was that the total value lost in 2023 to cyber crime in New Hampshire was $27.2 million.
- Recovery Costs Dwarf Prevention: Research consistently shows that the cost to recover from a ransomware attack, including remediation, expert consultants, and legal fees, can reach into the millions of dollars.
- Disruption of Critical Services: A breach can take down systems that manage water quality, emergency services, schools, and tax collection. The disruption to public life is an immeasurable cost, eroding citizen trust and compromising public safety.
- Loss of Federal and Citizen Data: Local governments and law enforcement officials maintain sensitive resident data, including property records, social security numbers, criminal records, and voter information. Failing to safeguard this information exposes the municipality to significant legal and compliance penalties, as well as lawsuits stemming from identity theft and privacy breaches.
Leveraging State and Federal Resources
New Hampshire has taken a unique and proactive approach to supporting municipalities against these looming public safety threats. In conjunction with the New Hampshire Department of Information Technology, numerous grant-funded programs exist to help offset funding challenges and make it easier for overburdened municipal leaders to implement well-established cybersecurity best practices. Municipal leaders can and should leverage these programs in the short-term, while also preparing to sustain these efforts long term. They cover a wide range of protections from cybersecurity best practices assessments to turnkey technical upgrades to role-specific cybersecurity training sessions.
- NH's "In a Box" Programs: The State offers turnkey programs like the .GOV “In a Box" and Community Water Cybersecurity “In a Box" initiatives through The Overwatch Foundation (www.overwatch.org), a turnkey approach to delivering grant-based services in cybersecurity, critical systems modernization, network and physical defense, training, and workforce development for the benefit of New Hampshire’s local government entities.
- Municipal Workforce Training: As a part of the Municipal Cyber Defense Program (“MCDP,” www.theatomgroup.com/mcdp) sponsored by the State of New Hampshire, The ATOM Group offers free, live trainings for NH workers and educators, Incident Response Planning, and specialized training for financial teams, leadership teams, public boards, and emergency responders.
While grant-funded programs can provide an initial boost or cover a specific project, they are rarely sufficient for long-term, continuous defense. Cybersecurity is an ongoing process, not a one-time purchase or something that can be relegated to a third-party or individual technical leader. A dedicated budget line item ensures the municipality can fund the necessary personnel, recurring software subscriptions, and continuous staff training needed to maintain the "security posture" established by these programs.
The Call to Action: Making Cybersecurity a Core Public Safety Priority
Municipal leaders must view a dedicated cybersecurity budget as an insurance policy and part of their core emergency response planning—approaches that aim to prevent catastrophic losses and ensure the continuity of government operations.
By establishing a separate, transparent budget for cybersecurity, New Hampshire municipalities send a clear message: We are prioritizing the protection of our citizens' data and critical infrastructure. This critical shift in financial strategy is the best way to move beyond patchwork solutions and build the long-term resilience needed to protect the Granite State in the digital age.