Content provided by: CSDA Endorsed Affiliate VC3
If you’re a small special district, you likely face big challenges. Tight budgets. Few staff. Old technology. It can sometimes feel like technology hinders rather than enhances your operations, and you might worry about the possibility of a devastating cyberattack.
Luckily, focusing on just a few critical items—possible even with limited budgets—can take you from worried and vulnerable to safe and secure. In this article, we present 10 important (and budget-friendly) steps that you can take to improve your IT systems and cybersecurity readiness.
1. Implement multi-factor authentication (MFA) for administrative access, remote access, and email.
Too many special districts still use single-factor authentication (username and password) for important logins such as email accounts, administrative access to critical applications, and access from remote devices connecting to the network. User credentials are often stolen and sold on the dark web, cyberattackers trick employees into giving up credentials through phishing attacks, and hackers can use “brute force” attacks where automated programs guess the right password by attempting every combination possible.
MFA uses two or more factors of authentication, which massively lessens the risk of a cyberattacker breaching an account. You’ve likely experienced this before. Your bank might require you to log in with a username and password, followed by a code sent to your phone that you input as a second factor of authentication. Research shows that 99.9% of account compromise attacks are stopped with MFA.
Action items: Implement and enforce MFA on administrative access to critical systems, remote access, and email. Many applications have MFA features built-in, meaning you just need to apply them. Free or low-cost solutions also exist such as Microsoft Authenticator or Duo.
2. Update outdated hardware and software.
Many special districts use hardware and software far beyond the vendor’s end-of-life support date—commonly seen with aging servers and workstations, or with outdated operating systems such as Windows 7 (and, on October 14, 2025, Windows 10). Once hardware or software reaches end of life, the vendor no longer provides patches and updates that fix security vulnerabilities, bugs, and poor performance.
Hackers know these security vulnerabilities exist, and that many organizations fail to upgrade their hardware and software. They go looking for vulnerable organizations to target—such as you. By keeping outdated hardware and software, you’re encouraging a data breach or ransomware attack to happen.
Action items: While it will likely require a capital investment, it’s imperative you upgrade any end-of-life hardware and software as soon as possible. If you haven’t upgraded in a long time, consider upgrading in phases based on priority. Transition from on-premises hardware to cloud-based solutions whenever you can, as cloud solutions are constantly patched and upgraded without you needing to do anything.
3. Create an IT roadmap.
Rather than making ad-hoc investments, special districts need a strategic plan for IT infrastructure and services that aligns with organizational goals. A documented IT roadmap outlines the planned adoption of new technologies and upgrades to existing systems (such as the end-of-life hardware and software mentioned above). It includes a budget, priorities, current known risks, remediation plans, and timelines for implementation.
Action item: Create an IT roadmap by assessing your current IT infrastructure, defining your organizational goals, identifying gaps and risks, prioritizing IT initiatives, and establishing a timeline and budget.
4. Train employees about cybersecurity.
We’d like to think that tools, technology, and IT employees are solely responsible for cybersecurity. Actually, everyone is responsible, and one person could end up as the weak link that allows a cyberattacker to succeed. As cyberattackers continually evolve their tactics, you cannot assume that special district employees understand the latest phishing scams or password best practices.
Action items: Implement ongoing security awareness training (such as online videos) and test employees with phishing simulations to identify those who need extra coaching.
5. Make sure you have comprehensive data backup and disaster recovery.
It’s astounding how many special districts either have no data backup and disaster recovery solution in place, or rely on consumer-grade or default backups (such as the backups that come with Microsoft 365 or Google Workspace). If you lack comprehensive data backups, then you could experience permanent data loss from a cyberattack, natural disaster, hardware failure, or human error.
Action items: Ensure your data backup and disaster recovery solution includes the following:
- Onsite data backup (for quick recovery after a lesser event such as a server failure).
- Offsite data backup such as automated cloud backups (for recovery after a catastrophic event such as a natural disaster or ransomware). Make sure these backups are immutable—meaning they are completely separated from your network and unable to be contaminated by ransomware, sabotage, or accidental deletion.
- Ongoing monitoring for issues.
- Testing to ensure your backups work as expected.
6. Proactively monitor your systems 24/7/365.
With sophisticated hackers targeting even the smallest organizations, you cannot afford to neglect 24/7 monitoring. Having an IT person (or two) won’t work, and even someone on call as part of a larger IT team is not enough.
24/7 monitoring means actual humans must be ready to act upon an alert at any time, especially if your special district oversees critical infrastructure or protects the safety of the public. Software that monitors workstations, servers, and your network is paired with engineers who oversee alerts, act upon urgent issues, and recommend proactive fixes long before a problem becomes disruptive.
Action item: If you rely on a single overwhelmed IT employee, use a reactive IT support vendor, or lack IT staff, then we recommend using a managed service provider that proactively monitors, maintains, and supports your IT systems. For a fraction of the cost of hiring an IT employee, you receive a full team of engineers available 24/7 to help you resolve issues and proactively maintain your IT environment.
7. Proactively patch devices and software.
An easy vulnerability for cyberattackers to exploit is unpatched software. Applications constantly require patching to fix bugs and security vulnerabilities as well as enhance the software’s efficiency. Software vulnerabilities are widely shared, so cyberattackers have access to this information and use automated methods to test organizations for vulnerabilities. Once they find a vulnerability, they can exploit it.
The result? A data breach, stolen information, or a successful ransomware attack.
Action item: Regularly patch and update all devices and software. You need to follow a patch management process that allows you to receive and deploy updates—especially critical updates that patch serious security vulnerabilities.
8. Implement Endpoint Detection and Response (EDR).
If you’re still using traditional antivirus, it’s not enough. Antivirus is like a guard that only checks IDs and filters out bad people who are on a Bad Person List. However, what if a bad person is not on the list yet? What if the bad person uses a fake ID? What if a good person starts acting like a bad person once they’re inside?
Antivirus cannot prevent intrusions that aren’t on its list of known viruses, and it cannot identify suspicious behavior that isn’t associated with a specific virus. EDR has become the new baseline tool to protect you from common threats. It includes everything antivirus does but also uses machine learning (a form of AI) to spot anomalous or malicious behavior. That way, even if a virus is still “unknown” or a cyberattacker begins exploiting your system through “legitimate” entry (such as using stolen credentials), EDR will detect the issue and either remedy it or shut down the device so that malware doesn’t spread throughout your network.
Action item: Deploy EDR and replace your traditional antivirus. EDR is extremely cost-effective and powerful: high impact, minimal investment.
9. Implement security policies.
Without formal IT and cybersecurity policies, your employees may use unsecured personal devices, improperly access systems, or ignore security best practices. Policies help you enforce cybersecurity procedures, processes, and behaviors that mitigate risk and hold employees accountable.
Action items: Create or refine the following policies.
- Acceptable Use Policy: Define the appropriate and inappropriate use of special district-owned IT assets such as computers, email, and internet access.
- Access Control Policy: Implement role-based access controls to ensure employees can only access systems and information necessary for their job functions.
- Password Management Policy: Set guidelines for strong password creation, require periodic password updates, and prohibit password reuse or sharing to enhance security and protect sensitive data.
10. Create (or refine) your incident response plan.
An absence of a well-defined incident response plan can result in chaotic and inefficient responses to cyber threats. Special districts with well-defined incident response plans are more likely to detect and respond to data breaches, security incidents, and data compromises faster.
Action item: Create (or refine) your incident response plan to guide your special district’s actions in the event of a security incident or data breach. Your plan should include procedures for reporting incidents, conducting investigations, and notifying affected parties as required. Review the plan to ensure it is robust and includes clear procedures for detecting, responding to, and recovering from cyber incidents.