Ransomware attacks hitting Garden State police departments, cities and universities. And in Spotswood, a cyber thief stealing $4.8 million last year from the school district and borough — more than $3 million of which still hasn’t been recovered as of mid-February.
Cyberattacks seem to be lurking everywhere in New Jersey these days.
Yet amid an alarming increase in breaches, hundreds of public organizations in the state might be unprotected despite a free membership to a national cybersecurity service that New Jersey began paying for last year.
In November 2025, New Jersey signed on as a statewide member of the Multi-State Information Sharing and Analysis Center. It pays $795,000 for its annual membership, according to Kelly Wyland, a spokeswoman for the Center for Internet Security, the nonprofit that operates MS-ISAC.
MS-ISAC covers 1,354 eligible organizations in the state. But only 177 have signed up, according to Wyland.
Many New Jersey school districts, municipalities and public utilities are likely unaware it’s available to them, she says.
And right now, the additional protection couldn’t be more valuable.
“The threat environment is changing, really, on a daily basis,” said Randy Rose, the vice president of security operations and intelligence at the Center for Internet Security.
“We’re in a heightened threat environment right now, given global tensions, certainly with Iran, but also tensions between Russia and Ukraine have persisted,” he added.
Yet cyberattacks often remain dirty little secrets.
Nearly 60% of IT and security professionals have been told to keep breaches confidential, a 38% increase since 2023, according to Bitdefender, a global cybersecurity firm. Fears of reputational damage, financial loss and regulatory scrutiny fuel a culture of silence.
New Jersey is not immune to that culture. And in the silence, cyberthreats proliferate, experts say.
Gov. Mikie Sherrill’s office did not return a request for comment for this story.
Spotswood business administrator Frederick Carr told NJ.com he was not aware of MS-ISAC. Other municipal and school district officials in Spotswood did not immediately return a request for comment. Neither did officials in Cranford or Camden County, which also have been victims of cyberattacks.
A spokesman for the state Office of Homeland Security and Preparedness said the office “has taken extensive steps to proactively drive awareness and adoption” through the New Jersey Cybersecurity and Communications Integration Cell, “including direct outreach and targeted communications, while reinforcing the value of these critical cybersecurity resources to eligible organizations.”
Many organizations are aware of the services, which are readily available, says Christopher M. Thoresen, the spokesman.
“We will continue to encourage them to take advantage of these essential cybersecurity protections,” he said. “However, the decision to utilize MS-ISAC services ultimately rests with individual organizations, alongside other available options, such as those provided by the NJCCIC.”
A spokeswoman for Hoboken said the city is intentionally not part of MS-ISAC.
“The City is aware of the Multi-State Information Sharing and Analysis Center (MS-ISAC), and our IT staff regularly monitor MS-ISAC advisories and cybersecurity threat information as part of ongoing efforts to maintain strong security practices,” said Marilyn Baer, the spokeswoman. “At this time, the City is not an MS-ISAC member as we currently receive comparable cybersecurity resources and support through the Garden State Municipal Joint Insurance Fund (GSMJIF) and our existing IT consultant.”
Even before the United States entered into war with Iran, cyberattacks were on the rise.
In 2025, the New Jersey Cybersecurity and Communications Integration Cell received 954 cybersecurity incident reports through its reporting portal — a 92% increase from 2024, according to the state’s latest threat assessment.
Hacktivists — people who launch cyberattacks, often to promote ideological causes — target smaller organizations in the United States, not just federal and state governments, according to Rose. So increasingly, municipalities, nonprofits, small businesses and school districts are wearing bullseyes.
“They’re trying to get their message out. They’re trying to flex muscles,” Rose said. “And so unfortunately, state and local governments and other under-resourced organizations are caught in the crosshairs, even though they may have nothing to do with what’s going on in Iran.”
Public organizations that sign up through New Jersey’s statewide membership have access to threat intelligence reports, virtual briefings, security operations and educational opportunities.
“So when there is a cyberevent, they can call us up and we will provide digital forensics, malware analysis and other incident response services remotely,” Rose said.
The membership also offers an early warning service.
Once a vulnerability in an organization is disclosed, MS-ISAC completes scans on public facing infrastructure to determine its exploit potential. And it has an automated scraping service that combs through forums for sales resembling access to organizations’ networks.
MS-ISAC also pushes out regular alerts and advisories, and will notify an organization if its information is showing up in a criminal marketplace, Rose says.
New Jersey isn’t technically new to MS-ISAC.
It joined as a statewide member in 2015. At the time, the membership was available to all state and local governments for free, funded through the federal Department of Homeland Security, Wyland says. During that time, more than 700 individual organizations in the state joined.
But last September, the Department of Homeland Security announced it was ending the cooperative agreement, forcing MS-ISAC to pivot to a paid membership, according to Wyland.
New Jersey then became a paid statewide member last November, allowing the 700 or so individual organizations to rejoin the group for free. But many haven’t signed up.
It’s unclear if the membership would’ve prevented any recent cyberattacks in the state.
Spotswood Public Schools, for example, is a MS-ISAC member, according to Wyland. But the other targets of recent attacks — including the Camden County Police Department and Cranford Public Schools — are not, she said.
“It is hard to say” if the attacks could’ve been prevented, Rose said.
But MS-ISAC’s malicious domain blocking and reporting service, for example, “is incredibly efficient at preventing ransomware,” he added. “We’re able to block things that a human would not be able to get in front of.”
© 2026 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.
