The problem with owners of local IT systems is that they will only implement security measures once they get a taste of an Attack.

Same thing applies for local websites (read govt websites. eg police websites)

I suggest you give them a dose of what they are asking for

P.S. I only suggest this for the greater good