Strengthening Small Towns

Cyberattacks on local government offices have surged in recent years, driven by their access to sensitive data and critical infrastructure. Through its ongoing work with municipalities across the state, the League saw firsthand that many towns lacked the necessary equipment and training to safeguard themselves from cyber threats. Recognizing this gap, the N.C. League of Municipalities began exploring ways to support these communities.

When the American Rescue Plan (ARP) Act passed through Congress, the NC General Assembly allocated a portion of the funds to the League specifically for assisting North Carolina towns with software needs. This opened the door for the League to launch its Municipal Accounting Services department, which would ultimately include a cybersecurity service line that provides towns with cyber assessments, gap analyses, tailored recommendations, quarterly progress check-ins, and personalized consulting—all aimed at helping towns defend against the growing threat of cyberattacks.

“One of the things that I do is I come in and I do a baseline assessment for the municipality to help them understand how well they are doing in terms of basic cybersecurity and then look for any gaps where we can help them improve and be better in terms of cybersecurity posture for the municipality,” Erik Wells, the League's Cybersecurity Advisor, said.

Through the N.C. General Assembly's appropriation, the League offers this service at no cost to interested towns, including ongoing support through the end of 2026. The goal of the program is to provide towns with a service they may not have been able to afford on their own and may not have the expertise for what needs to be done. 

“Cybersecurity is something that everyone has to be invested in, but a lot of municipalities are struggling with just trying to meet the basic needs of their populations,” Wells said. “I am focusing on the 350 municipalities that are typically in underserved markets. They do not have an IT staff, they do not have cybersecurity, and in a lot of cases they may not even have an IT vendor that has a cybersecurity focus.”

The Town of Nashville in Nash County decided to take advantage of this opportunity to assess and bolster their cybersecurity posture. Nashville, like many other small towns, did not have the funding to hire a technology officer with the knowledge and ability to assess the town’s vulnerabilities and provide insight and support into how to better protect the town. Trey Sanderson, Nashville’s HR director, shared that they were interested in both having someone who could come into their town to fill that void, but also to have a long-term partner to help them prepare for the future.

“It was amazing to me that for three years we get the support and … [they do not simply say] ‘just let me do my job,’ but ‘let me show you how you can grow and how to equip you with what you are going to need’,” Sanderson said. “Knowing that you get such a level of support that is long-term, and it does not strain the budget—it was very enticing to me.”

The League's Wells explained that while some towns require upgraded equipment, others may simply need assistance with identifying policies and procedures that will serve the town should a cybersecurity attack happen. He went on to share that even if a town is doing the right things, not having that documentation can be detrimental to the town should it get involved in a legal dispute. In Nashville specifically, the League’s cybersecurity team helped to identify some of those gaps in policies and procedures and gave input on how they could be improved. The team also worked with Nashville to confirm that the third-party cybersecurity firm it was contracted with was providing the services the town needed to be prepared.

“We are blessed that we have a great foundation here, but what we have done now is we are taking Erik [Wells'] feedback. We are doing the right things, but there was no structure around it,” Sanderson said. “Cybersecurity is a very present and real threat. … It is not [a question of] if you are going to get attacked, it is when you are going to get attacked. So even though we have such a good foundation, what can we put in place to make sure that it's tighter and more secure?”

Since 2021, the League has provided cybersecurity services to 92 towns and trained over 1,500 municipal employees in best practices for protecting their systems. When asked about the impact of the program on small towns in North Carolina, Wells shared that due to the defensive nature of cybersecurity preparations, it is challenging to show tangible results, but that ultimately the value cannot be overstated in terms of protecting towns from potentially devastating losses.

“It is difficult to communicate whether we are doing a good job or making a difference in terms of cybersecurity, because if I am doing my job, there will not be a story,” Wells said emphatically. “If we are able to help one town improve their cybersecurity posture to the point that they do not have a catastrophic failure in one of their systems and result in some sort of a monetary damage to the municipality… then that would be the price that you would put on it.”

Interested in learning more about our Cybersecurity Service Line? Reach out to Erik Wells for more details.