I was once told Iowa is one of those “forgotten states”. The type of state where you tell someone, and they say, “Ohio?, Idaho?, or I don’t know where that is.”
School districts and city governments. Des Moines Public Schools canceled classes for days in 2023 after ransomware disrupted every district network.1 The City of Cedar Falls had 3,534 residents’ Social Security numbers compromised in a 2024 attack.2
Iowa often goes under the radar, but I can tell you one thing: threat actors have not forgotten about Iowa.
Small organizations are the softer target
Here’s what I’ve noticed as an Information Security Analyst for a municipality, from my time at the University of Iowa Hospitals as an IT Consultant, and from speaking with peers: when attackers have a choice, they don’t always go for the biggest name. They go for the easiest door.
For small organizations, rural school districts, county offices, small city halls, and nonprofits in Iowa, the door is often wide open.
One person covering everything. Most small organizations have a single or a few IT personnel handling helpdesk tickets, network maintenance, vendor management and security. Security monitoring usually isn’t at the top of the list, so it often doesn’t happen because there’s no time or tooling. When something slips through, no one notices.
Systems that haven’t been touched in years. Legacy software stays on the network long past its supported life. Patches don’t get applied because applying them takes downtime nobody wants to schedule. An unpatched system is an open invitation.
No plan for when it happens. According to Sophos, the mean recovery cost of a ransomware attack for state and local government organizations hit $2.83 million in 2024.3 Most small Iowa organizations don’t have a fraction of that in reserve, which is exactly what makes paying the ransom feel like the only option.
The gap is fixable, and most of the tools are free
The frustrating part isn’t the threat. It’s that most of the tools that close these gaps already exist; they’re built by the government and are usually free to any public sector willing to use them.
Nobody’s pointing small Iowa organizations toward them. That’s what this is for.
Over the next few weeks, I’m breaking down seven free resources, including assessment tools, training platforms, and threat intelligence feeds, that any city hall, school district, nonprofit, or local utility can start using right now. No vendor pitches. No paywalls.
At the end of the series, everything gets compiled into a free downloadable PDF.
I hope you follow along!
I believe in using every tool available to put your best foot forward. The thoughts and experiences on this page are my own; I use AI to help ensure the grammar is accurate.
BleepingComputer. (2023). Iowa’s largest school district confirms ransomware attack, data theft. https://www.bleepingcomputer.com/news/security/iowas-largest-school-district-confirms-ransomware-attack-data-theft/ ↩︎
Comparitech. (2025). Cedar Falls, IA notifies 3,534 residents of data breach that compromised SSNs. https://www.comparitech.com/news/cedar-falls-ia-notifies-3534-residents-of-data-breach-that-compromised-ssns/ ↩︎
Sophos. (2024). The State of Ransomware in State and Local Government 2024. https://news.sophos.com/en-us/2024/08/14/the-state-of-ransomware-in-state-and-local-government-2024/ ↩︎
