Ignoring updates to software and operating systems that prevent exploitation of known security flaws can prove devastating both operationally and financially. Ransomware recovery costs alone more than doubled over the past year for state and local governments, from $1.21 million in 2023 to $2.83 million in 2024 (excluding the cost of any ransom paid). While most ransomware attacks originate from compromised credentials or exploited vulnerabilities, those that begin with the latter can be particularly severe, causing even slower recovery time.

Attacks on unpatched systems managing critical infrastructure and essential citizen services such as water treatment plants, power grids or emergency responses can cause significant disruption. They can also lead to the exposure of sensitive citizen information such as Social Security numbers, financial details and medical records, and even legal fines for failing to maintain proper security standards.

Since the fundamental responsibility of state and local governments is to protect critical infrastructure that preserves public safety and quality of life, patch management hygiene is a vital cyber resilience strategy. However, compatibility issues with existing systems and applications can cause software updates to lead to application errors, degraded performance and system crashes ranging from inconvenient to catastrophic.

Recent incidents include interrupted service for millions of telecom customers, widespread IT outages across a cybersecurity provider's global customer base and even emergency dispatch system outages such as Washington, D.C.'s recent 911 technology failure spotlight the importance of meticulous planning and execution of updates.

EXPLORE: State and local governments have made progress against ransomware.

State and local governments face unique challenges related to patch management, including limited IT staffing resources to effectively manage patching; budget constraints preventing investment in advanced tools; updates across complex legacy systems; and even a lack of understanding regarding the importance of patching, its security implications and how to carry out effective patch management.

Luckily, many options, several of which are outlined below, are available to help IT teams prevent unexpected disruptions to future software deployments.

One of the easiest, most cost-effective ways to mitigate risk is by patching applications and software as soon as patches become available. The Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities Catalog can offer helpful guidance on implementing a patch management schedule to regularly update all systems, applications and platforms to their latest versions.

IT teams should conduct regular vulnerability assessments with frequent scans, focusing on deploying risk-based prioritization of patching. A best practice is to prioritize updates based on severity, potential application impact and any relevant compliance requirements such as HIPAA or those outlined in the National Institute of Standards and Technology's Cybersecurity Framework.