Ransomware and Small Kentucky Governments: What a Clerk's Office Should Ask Its IT Vendor
Small public offices are prime ransomware targets. Here are the seven questions every Kentucky clerk, treasurer, or judge-executive should ask their IT vendor — and the answers that should worry you.
County and city governments across the country have learned about ransomware the expensive way: systems locked, offices closed, services interrupted, and recovery bills that dwarf what prevention would have cost. It is not a big-city problem. Attackers run automated campaigns that knock on every door on the internet, and a small office with public records and no one minding the systems is exactly the door they hope opens.
If you run a clerk's office, a treasurer's office, a utility district, or a city hall anywhere in south-central Kentucky, you don't need to become a security expert. You need to ask your IT vendor — whoever that is, even if it's us — seven plain questions, and you need straight answers.
1. "If our files were encrypted tonight, how would we recover — and how do you know?"
The only acceptable answer involves backups that are separated from the systems they protect and that have been restore-tested recently. Ransomware crews look for backups first, because destroying them is what turns a bad day into a payout. If your vendor can't tell you the date of the last successful test restore, you don't have backups — you have hope.
2. "Which of our accounts don't have multi-factor authentication?"
Multi-factor authentication (MFA) — the code from your phone after the password — stops the most common attack there is: a stolen or guessed password. The answer you want is "none — every account has it." Every exception your vendor names is a door that only needs one leaked password to open. Email accounts matter most, because email is where password resets for everything else land.
3. "How would we know if something was already wrong?"
Attackers often sit quietly inside systems for weeks before locking anything. Somebody — a person or monitoring software, ideally both — should be watching for the warning signs: strange sign-ins, new accounts nobody created, security tools switched off. If nobody is watching, the first symptom you notice will be the ransom note.
4. "What happens when an employee leaves?"
Ask when the last departed employee's accounts were disabled. Same day? Good. "Let me check"? Not good. Old accounts with live passwords are a favorite way in, and small offices — where everyone knows everyone — are the most likely to leave them open.
5. "Can our email be spoofed?"
If your office's domain isn't protected by three public DNS records — SPF, DKIM, and DMARC — criminals can send email that looks like it came from you: fake invoices to vendors, fake instructions to staff, fake notices to citizens. Checking takes fifteen seconds and touches nothing in your systems. Our free security posture report grades those exact records and explains each one in plain English — it's built for exactly this question.
6. "What would this cost us if it happened anyway?"
An honest vendor talks about incident response before the incident: who you'd call, what gets restored first, how long the office might run on paper, and what cyber-insurance requires. If the plan is "that won't happen to us," that isn't a plan.
7. "Will you put all of this in writing?"
Public offices answer to fiscal courts, councils, auditors, and citizens. A vendor serving government should hand you documentation without being asked twice: what's in place, what's not, what it costs to close the gaps. In writing is how accountability works — and it's how the next administration knows what it inherited.
The uncomfortable part
Every question above has a version that's uncomfortable for the vendor, and that's the point. Good vendors welcome these questions, because they've already done the work. If asking them strains the relationship, that tells you something too.
The defenses that stop most ransomware aren't exotic or expensive: MFA everywhere, patched systems, protected endpoints, staff who can spot a phish, tested backups, and someone accountable for all of it. Unglamorous, proven, and a fraction of the cost of one bad week. That's the work we've done for offices around the lake since 2001 — and it's what our cybersecurity and managed IT services exist to do.
Start with the free check. Run your office's domain through our security posture report — passive, public-record checks only, graded in plain English, emailed to you as a document you can hand to your board. If the grades come back rough, a consultation costs nothing.