Public Safety Cybersecurity by the Numbers

Public safety leaders make difficult decisions every day. They are asked to maintain uninterrupted service, meet compliance requirements, manage limited budgets, and justify investments that may not produce visible results until the day they are needed most.

Cybersecurity is one of those investments.

The challenge is that cybersecurity is often discussed in technical language, while public safety leaders need to make operational decisions. They need to understand risk in terms that matter to their world: downtime, continuity, staffing, budget, and ultimately the safety of the communities they serve.

That is why public safety cybersecurity should be looked at by the numbers.

Turning Cyber Risk Into Operational Reality

When leaders evaluate cybersecurity, they are usually trying to answer a few core questions.

How much risk is acceptable? What is the right budget for that level of risk? Should capability be built in-house or outsourced? And what evidence can support those decisions when talking to boards, auditors, county finance officials, or other stakeholders?

Those are not abstract questions. They are governance questions, mission questions, and readiness questions.

The goal is not to make every 9-1-1 leader a cybersecurity expert. The goal is to translate cyber risk into something operationally useful.

The Baseline: 9-1-1 Reliability Before the Hack

Before talking about attacks, it helps to understand the environment public safety agencies are already operating in.

According to the data referenced in the presentation, 80 percent of Emergency Communications Centers reported at least one outage last year, up from 75 percent the year before. Of those, 9 percent explicitly reported that the outage was cyber-related.

That number matters, but it likely understates the issue.

Not every cyber incident immediately looks like a cyber incident. Lag, latency, intermittent failures, or unexplained service disruptions may initially appear to be vendor problems, system instability, or routine technical issues. In reality, some of those events may be caused by malicious activity that is not recognized as such until later.

That means public safety leaders should think of reported cyber disruptions as a floor, not a ceiling.

The Threats Driving the Problem

The cyber risks facing public safety are not hypothetical. They are familiar, recurring, and increasingly operational in nature.

Telephony denial-of-service attacks can impair call handling. Ransomware can lock critical systems and force agencies into manual workarounds. Intrusions can move laterally across networks, steal credentials, or conduct quiet espionage. Supply chain and managed service compromises can create risk even when the PSAP itself is not the original target.

That last point is especially important.

A public safety agency may be well-run internally and still be exposed through a county network, shared services environment, or third-party vendor. In many cases, the PSAP is not where the incident starts. It is where the operational consequences become impossible to ignore.

The Trend Line Is Moving in the Wrong Direction

The presentation highlighted that 9 percent of ECCs reported a cyberattack that disrupted operations in 2025, and that the year-over-year increases since 2020 have at times been dramatic, including spikes as high as 235 percent.

Whether every increase is measured perfectly is almost beside the point. The broader trend is clear. Public safety systems are seeing more disruption, more complexity, and more cyber-related operational risk.

The lesson is not that every center should panic. The lesson is that no center should assume it is insulated.

Case Studies Show the Operational Reality

The transcript referenced incidents that reinforce how cyber events affect public safety in practice.

In one Pennsylvania example, compromise through a county-connected environment disrupted the 9-1-1 network and forced operational workarounds using cards. In another

Massachusetts example, CAD was taken offline, while calls still came in under degraded conditions.

Those details matter because “calls still being answered” can hide the true severity of the problem.

A center may technically remain functional while suffering major degradation in speed, visibility, coordination, and resilience. In public safety, degraded operations are not merely inconvenient. They carry real consequences.

Downtime Is Measured in Days, Not Minutes

One of the strongest arguments in the presentation is that cyber disruption in public safety should not be thought of as a short interruption.

The average CAD disruption cited in the presentation was just over two weeks. Average call-handling disruption was over one week. The transcript also referenced anecdotal cases where outages lasted for months.

That reality changes the conversation.

When leaders hear the word “outage,” they may imagine a brief service interruption. But cyber incidents often produce extended operational degradation, prolonged recovery timelines, and secondary burdens on staff, vendors, and partner agencies.

In other words, the real question is not whether a center can survive a few bad minutes. It is whether it can sustain degraded operations for days or weeks.

The Safety Impact Is Immediate

Cybersecurity in public safety cannot be evaluated only in financial terms.

The presentation pointed to the American Heart Association’s finding that a one-minute increase in ambulance arrival time can change survival odds by 7 to 10 percent.

That statistic underscores a critical point. Even when a cyberattack does not entirely stop 9-1-1 operations, it can still slow them. Manual workarounds, delayed dispatch, reduced system visibility, or degraded interoperability can add seconds. Seconds become minutes. Minutes affect outcomes.

This is why public safety cybersecurity is not just about data protection. It is about life safety.

The Financial Cost Is Also Severe

The transcript cited an average public sector breach cost approaching $3 million.

That figure is important, but the real burden often extends beyond the initial technical response.

A cyber incident can trigger detection and investigation costs, incident response retainers, system rebuilds, reconfiguration, new security investments, public communication burdens, possible legal exposure, employee overtime, and longer-term loss of trust. If sensitive data is exposed, the cost expands further.

For most public safety agencies, even a portion of that total would be deeply disruptive.

The financial argument, then, is not simply that cyber incidents are expensive. It is that they create cascading costs across operations, staffing, reputation, and governance.

Why 24/7 Monitoring Matters

If disruption is costly and time matters, then detection speed becomes one of the most important variables in the equation.

The presentation cited a mean time to identify and contain a breach of 241 days.

For public safety, that timeline is unacceptable.

A 9-1-1 center cannot operate under the assumption that a threat can go unnoticed for months and still be managed safely. That is why continuous monitoring is not a luxury capability. It is a foundational requirement for mission assurance.

The transcript also noted that CJIS policy changes made 24/7 network monitoring an auditable requirement as of October 2024, including both continuous monitoring and automated monitoring capabilities.

That raises an important governance question for public safety leaders. If local IT, county IT, or a city IT function is assumed to be handling cybersecurity, is that actually true in a way that satisfies both operational need and compliance expectations?

Too often, that assumption is never fully tested until an audit or an incident forces the issue.

IT and Cybersecurity Are Not the Same Thing

One of the more practical points in the presentation is that information technology and cybersecurity are related, but they are not interchangeable.

IT teams are typically focused on maintaining systems, keeping networks operational, deploying equipment, supporting users, and ensuring availability. Cybersecurity functions, by contrast, are designed to identify abnormal behavior, monitor for threats, detect adversary activity, and actively defend the environment.

That does not mean IT teams are failing. It means they are often being asked to solve a different problem than the one cybersecurity is built to address.

For 9-1-1 leaders, this distinction matters because assuming “IT has it covered” can create a dangerous blind spot.

Build In-House or Outsource?

Once leaders accept that cybersecurity capability is necessary, the next major question is how to obtain it.

Building an in-house 24/7 monitoring capability offers obvious benefits. It can be tailored to the organization, integrated organically into operations, and built around local priorities. For agencies with sufficient resources, that can be a strong option. The presentation estimated that a true in-house capability likely requires five to six analysts to maintain 24/7 coverage, along with tooling, tuning, and software. Total annual cost was estimated in the range of $400,000 to $600,000 or more. For many public safety agencies, that cost alone makes the decision difficult.

Outsourcing typically uses asset-based pricing and, while costs can scale with the number of devices and systems on the network, the presentation argued that it is usually far less expensive than building the same capability internally.

That does not mean outsourcing is automatically the right answer. It means leaders should treat the decision as a strategic one, based on budget, control, mission needs, compliance requirements, and available expertise.

In some cases, the most effective model may be hybrid: local ownership combined with outside monitoring and specialized support.

What Is the Cost of Doing Nothing?

One of the clearest planning tools from the presentation was a simple risk calculation.

If the minimum annual disruption probability is 9 percent, and the average public sector breach cost is close to $3 million, then an organization is effectively carrying an annualized risk exposure of roughly $260,000.

No statistical model is perfect, and the presentation itself acknowledged that this is an order-of-magnitude planning figure rather than a precise forecast. But it is useful.

It gives leaders a way to translate cyber risk into a number that can be compared against proposed investments. It also helps move the conversation away from vague fear and toward quantified decision-making.

For many PSAPs, even absorbing a fraction of a major cyber event would be operationally devastating. That reality should be part of the budget discussion.

Making the Right Decision for Your Organization

There is no one-size-fits-all answer for public safety cybersecurity.

Some agencies may be large enough to support internal capability. Others may benefit from a consortium approach or shared regional capability. Many will find that a vendor-supported model is the only practical path to 24/7 coverage, specialized threat detection, and compliance support.

What matters is that the decision is made deliberately.

Leaders should ask whether their current model provides true continuous monitoring, whether compliance requirements are actually being met, whether service-level agreements support mission needs, and whether vendor relationships have been examined with the same scrutiny applied to other critical dependencies.

Cybersecurity is too central to continuity of operations to be handled by assumption.

The Bottom Line

Public safety leaders do not need hype. They need clarity.

The numbers make the case.

Outages are common. Cyber-related disruptions are rising. Downtime can last days or weeks. Delays in emergency response can affect survival. Breaches create major financial burdens. Detection delays are incompatible with 9-1-1 operations. Continuous monitoring is now a compliance and operational issue, not an optional enhancement.

That means cybersecurity should be treated the same way public safety treats every other mission-critical capability: as something that must be justified, resourced, exercised, and sustained.

Public safety cybersecurity is not simply about defending computers. It is about preserving continuity, protecting trust, and ensuring that when the public calls for help, the system is ready to answer.

Sources

1. Pulse of 911 Report published Jun 23, 2025 – https://www.prnewswire.com/news-releases/third-annual-pulse-of-9-1-1-report-finds-burnout-cyber-vulnerabilities-and-outdated-technology-threaten-emergency-service-readiness-302488188.html 

2. IBM Cost of a Data Breach Report 2025 - https://www.bakerdonelson.com/webfiles/Publications/20250822_Cost-of-a-Data-Breach-Report-2025.pdf 

3. Sophos State of Ransomware 2025 - https://cyberlab.co.uk/wp-content/uploads/2025/07/sophos-state-of-ransomware-2025.pdf 

4. ThreatLabz 2025 Ransomware Report published Jul 29,2025 - https://www.zscaler.com/blogs/security-research/ransomware-surges-extortion-escalates-threatlabz-2025-ransomware-report 

5. The State of Ransomware published Q3 2025 - https://research.checkpoint.com/2025/the-state-of-ransomware-q3-2025/ 

About the Author

Devin served in the US Army as an officer in multiple roles over 14 years. He was responsible for the training and well-being of elements of varying size, scope, and mission over the years as an Infantryman, Field Artillery Officer, and Cyber-Electronic Warfare Officer. Between 2014 and 2021, he deployed to multiple combat and operational theaters and was awarded the Air Medal with Combat Device, Bronze Star, and Purple Heart medals for actions in Afghanistan. Since leaving the military, Devin has served as a leader of OTM Cyber, bringing his experience to bear in securing 9-1-1 critical networks across the nation. Under his leadership, OTM Cyber has grown to secure networks serving over 30 million Americans.