Ohio Responds to Ransomware Attack by Implementing New Cybersecurity Measures

dominic

A year after the city of Columbus fell victim to a major ransomware attack, Ohio has mandated that every government agency must implement a cybersecurity program to protect their computer systems. This requirement applies to counties, cities, school districts, and townships.


Origins of the Policy


The policy was introduced as a response to the cyberattack on Columbus’ IT systems that occurred last July. The Rhysida ransomware gang, based in Russia, claimed responsibility for this attack and stated that they had stolen sensitive data from city video cameras and databases containing employee credentials, names, dates of birth, Social Security numbers, bank account details, and records of residents’ interactions with city services.


Rhysida demanded 30 bitcoin as payment. It is unclear whether Columbus fully paid the ransom or not, but the mayor later declared that the data was likely “corrupted” and “unusable.”


“Rises in cyberattacks targeting regional and community municipalities, departments of education, schools, and governments are not new or surprising,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “These targets have long been easy for cybercriminals to exploit. It’s unfortunate that it took a devastating ransomware attack for government entities to realize the urgency of enhancing their cybersecurity measures.”


A New Zero-Trust Approach


Columbus has since introduced a zero-trust network, which imposes rigorous identity verification for anyone accessing city systems, including all employees. This system requires multiple layers of authentication to ensure that no user or device is automatically trusted.


This initiative marks the first step in Columbus’ comprehensive cybersecurity strategy.


“It’s noteworthy that the state has declared its intention to enforce stronger cybersecurity mandates and training requirements for public entities,” said Goldberg. “However, these new regulations will likely have limited impact unless they come with actionable and attainable guidelines and roadmaps. Implementing zero-trust is a fundamental step, but it must be backed by cultural changes starting from the top.”
