Athens City Council passed Ordinance 110-25 at its Nov. 3 meeting, formally establishing an official cybersecurity policy for the city. The new ordinance follows the passage of House Bill 96, which was signed into law by Gov. Mike DeWine and took effect June 30, 2025.
The city has had cybersecurity policies in the past, but none that were formally legislated, according to Andrew Stone, Athens City Service-Safety Director.
HB 96 mandates “the legislative authority of a political subdivision shall adopt a cybersecurity program that safeguards the political subdivision's data, information technology and information technology resources to ensure availability, confidentiality and integrity.”
It also requires cybersecurity training for all public employees, with the level of detail and frequency determined by their duties. Under the law, the state will provide annual cybersecurity training to local government employees.
Following a cyber scam in November 2024, when a city employee mistakenly sent a $722,000 payment for construction of the fire department headquarters on Stimson Avenue to a fraudulent company, officials are taking the new policy especially seriously.
“It's something that we take seriously, and we will continue to take it seriously,” Stone said. “The number of criminals, and not only criminals, but also hostile state actors that raise money by theft in the cyber domain, is massive. It's a worldwide problem, and nobody is immune.”
City employees in Athens will complete the state-provided training as part of the city’s new cybersecurity efforts.
“The state of Ohio has modules that we can sign up for,” Stone said. “A lot of that's just web-based training that teaches you about how to spot problems and how to spot an attempt to try to steal information, phishing and spear phishing and all the different techniques that criminals use.”
Stone added that the city works with a third-party provider that offers “back-end support” for its IT operations and provides access to the required training modules.
The ordinance was proposed collectively by Athens City Council members. Stone said he and Lukas Huston, the city’s IT System Administrator, drafted the policy before submitting it for council approval.
The new policy aims to ensure the “protection of municipal data, systems and services from unauthorized access, breaches and other cyber threats, while promoting operation continuity and regulatory compliance.”
“Everybody is under cyber attack all the time, every day, every person, every business, but a lot of cases, those are thwarted by just good firewalls and good anti-virus software on the systems,” Stone said. “But in many cases, there are circumstances where somebody might get through, and if that happens, we have to be prepared to respond, and the policy talks about how we'll respond.”
Under Ordinance 110-25, the city must fully implement its cybersecurity policy by Jan. 1, 2026.*The policy will establish stronger cyber hygiene, including multifactor authentication and password update policies. The city will also use Sophos Firewall for “gateway protection,” and Sophos Antivirus on all municipal devices.
“What you have to do is be vigilant, and you have to have good cyber hygiene and good cyber programs and good software up to date, antivirus, and still, people can get in and try to get you,” Stone said. “It's really something you have to have to watch out for, just like you watch out when you're walking down a dark alley. It's a similar type of thing. It's just a different environment.”
