New York is taking a whole-of-government approach to address an evolving cybersecurity landscape that includes ransomware attacks, data breaches, and use of malware.
In June, Governor Hochul signed legislation that requires government agencies to provide timely incident reporting and conduct annual cybersecurity training for employees. The goal is to ensure that state agencies, counties, municipalities, and city governments get the support they need when it matters most.
But there is no silver bullet in cybersecurity. Software can't be installed at every possible endpoint targeted by an attack (e.g., printers), nor can it prevent all attack scenarios.
So agencies need to take an “assume breach” posture, even if they benefit from strong perimeter security.
The Inevitability of Incursion
New York uses CrowdStrike for endpoint security, threat intelligence, and cyberattack response services. This investment gives the entire state an advantage in preventing and responding to attacks.
But as the state bolsters cybersecurity with new legislation, agencies must also implement cyber resilience backup plans with cyber recovery capabilities that complement their prevention and response strategies.
Deficits of staffing, training, tools, and cyber threat awareness are all challenging factors that make it difficult for a state agency to fully understand the scale and scope of an attack and its potential blast radius. These shortcomings extend the impact and time to recover or remediate after an attack.
Take ransomware as one example. A Rubrik Zero Labs report states that victims who pay hackers a ransom only get all of their data back 16% of the time. Moreover, access to the victims' data and systems is also sold, and other threat actors enter shortly after. Indeed, Cybereason research reports that 80% of organizations that paid ransoms were targeted again, with 68% of those attacks happening within the same month and demanding higher sums. For example, hackers from the REvil ransomware-as-a-service group approached and extorted victims shortly after receiving payment, threatening to leak exfiltrated data in a double extortion scheme.
An Emphasis on Cyber Resilience
New York State cybersecurity leaders should define the most resilient set of requirements that better enable cyber resilience across the state. Minimizing the effects of ransomware, wiper attacks, rogue admins or software supply chain attacks on critical data and services would save taxpayers hundreds of millions of dollars a year across the state.
For example, Suffolk County, NY spent $25.7 million on recovery costs after a ransomware attack in 2022 disrupted county operations and exposed residents' and employees' personal information. This amount covered remediation efforts, system upgrades, and other related expenses.
According to IBM’s Cost of a Data Breach Report 2025: The AI Oversight Gap, when security teams detect a breach, the average cost of recovery is $4.18 million. In contrast, when the attacker discloses a breach (presumably after doing more damage and stealing or compromising data), the average cost rises to $5.08 million.
Too often, cybersecurity companies are brought in to support agencies after a major attack. New York’s statewide investment in CrowdStrike leverages economies of scale and efficiencies to lay the foundation for a robust model for attack prevention and incident response. This is a good and necessary thing.
However, New York also needs to address cyber recovery and post-breach issues, which require the successful rebuilding of systems for taxpayer use. This is the essence of cyber resilience—and it is worth the investment. For example, the cost of implementing Rubrik for cyber recovery and resilience is a small fraction of the price of a breach, which can include financial loss, service disruption, and even loss of life.
A Secure Backup Strategy Enhances Cyber Posture
Survivable backups reduce the need to pay ransoms and protect against other types of issues such as wiper attacks, insider threats, software bugs, human error, and supply chain attacks. These threats are becoming more real, with nation-state-backed hacker groups such as Volt Typhoon and Salt Typhoon targeting critical infrastructure across US state and local governments.
Fast recovery is also essential, as it prevents attackers from regaining access to the environment. To enhance survivable backups and ensure quick recovery against a growing array of threats, it's critical to incorporate time to recovery, immutable backup and air-gapped backup strategies.
An immutable backup is a copy of data that cannot be changed, deleted, or encrypted after it is created. This ensures the data stays in its original form and is protected from tampering. Immutable backups protect against malicious or accidental actions by employees or contractors with privileged access, preventing them from altering or deleting critical data.
An air-gapped backup involves physically or logically isolating a copy of data from the production network, creating a "gap" that stops unauthorized access. This isolation is critical in preventing cyber threats from spreading to backups.
Time to recovery is vital in secure backup strategies because it determines how quickly data can be restored during a disaster. Agencies should aim to minimize recovery time by using proactive threat analysis, rapid recovery methods, and AI-supported tools. Moreover, reverting to a clean state involves removing all signs of the attack, restoring systems to their pre-attack condition or a securely set-up state, and taking steps to prevent future incidents.

Leadership and Training: The Keys to a “Cybersecurity First Culture”
If senior leadership adopts a proactive and comprehensive approach to cybersecurity training, agencies can empower employees to serve as a strong first line of defense against cyber threats. This can significantly decrease the risk of data breaches and other security incidents.
If training is conducted annually and is required, it becomes mainly a compliance checkbox. Many cybersecurity regulations, like the Health Insurance Portability and Accountability Act (HIPAA), require employee training as part of compliance. Meeting these requirements through training is crucial because it guarantees a basic level of security, covering key areas such as access control and incident response. It can also help foster a stronger overall security culture within the agency.
Effective incident response now requires embedding cyber recovery and immutable backup systems as foundational components of cybersecurity policy. These safeguards ensure that even when breaches occur, data integrity can be restored swiftly, minimizing disruption and loss. In a world where code complexity expands attack surfaces and malicious actors adapt in real time, resilience is a necessity.
As New York State Chief Cyber Officer Colin Ahern said, “The cyber threats that municipalities face have never been more numerous, more sophisticated, or more dangerous, and coordinated whole-of-government information sharing is more important than ever to tackle these threats.”