Why small municipalities have become cybercriminals' favorite prey

COMMENTARY | City and county managers can no longer see cybersecurity as an IT problem. They can take various practical steps before an incident occurs.
The call came at 6:47 a.m. on a Tuesday. The public works director couldn't log in. Neither could anyone in finance. By the time the city manager arrived, the message on every screen was clear: the city's entire network was encrypted, and the attackers wanted $350,000 in Bitcoin.
This wasn't a major metropolitan area with a dedicated cybersecurity team. It was a community of 12,000 people with an IT department of one. The city had no incident response plan, no cyber insurance and backups that hadn't been tested in over a year.
Stories like this play out thousands of times each year across America's small municipalities. While headlines focus on attacks against major cities and Fortune 500 companies, criminal organizations have quietly discovered that small local governments offer something even better: essential services under political pressure to pay, defended by IT teams stretched impossibly thin.
The Math That Works Against Us
The United States has roughly 35,000 local governments. The vast majority serve populations under 50,000, and most have IT departments of one to three people, if they have dedicated IT staff at all.
Ransomware operators have done the math. Attacking a large enterprise means facing security operations centers and incident response teams. Attacking a small municipality means facing a single IT generalist who spent the morning fixing a printer jam.
The pressure dynamics favor attackers too. When a municipality gets hit, residents lose access to essential services: water billing systems go dark, permit applications stall, court records become inaccessible. The calculus shifts toward paying, simply to make the crisis stop.
Anatomy of an Incident
Initial access usually comes through one of three doors: a phishing email that tricks an employee into revealing credentials, a compromised vendor connection, or an exposed system that hasn't received recent security updates.
Once inside, attackers spend days or weeks exploring the network, identifying valuable systems, locating backups and escalating their privileges. In flat networks with limited monitoring, this activity goes undetected. By the time the ransomware detonates, attackers have already positioned themselves to cause maximum damage.
The decision of whether to pay is agonizing. Paying rewards criminal behavior and offers no guarantee of recovery. But not paying means potentially months of recovery work and costs that often exceed the ransom amount many times over. There's no good option, only less-bad ones.
A Realistic Defensive Framework
Enterprise security advice typically assumes resources that small municipalities don't have. A more realistic approach is what I call the "pick three" framework: focus intensively on three priorities that deliver the highest return for limited investment.
Priority One: Multi-Factor Authentication Everywhere You Can
Multi-factor authentication requires users to prove their identity with something beyond a password, typically a code from a phone app. This single measure defeats the vast majority of credential-based attacks.
Start with email and remote access systems. Most cloud email providers include MFA at no additional cost; it just needs to be enabled. Expect resistance from staff who find it inconvenient. Frame it as non-negotiable, like wearing seatbelts.
Priority Two: Backups That Actually Work
Many municipalities believe they have functioning backups until an incident reveals otherwise. Common failures include backups that haven't run successfully in months, backup systems connected to the same network as production systems (and therefore encrypted alongside them), and backups that no one has ever tested restoring from.
Effective backup strategy requires regular testing, isolation from the primary network, and sufficient retention to recover from attacks that went undetected for weeks. Schedule quarterly restoration tests and treat failures as urgent issues.
Priority Three: One Relationship Before the Crisis
When an incident occurs, having an established relationship with someone who can help is invaluable. That might be with the Multi-State Information Sharing and Analysis Center, a state-level cybersecurity office, or an incident response firm.
MS-ISAC deserves particular mention because its services are free to local governments and include 24/7 incident response support. If your municipality isn't already a member, joining should be this week's task.
The Manager's Role
City and county managers often assume cybersecurity is a technical problem that should be delegated to IT. This assumption is dangerous. Cybersecurity is fundamentally a risk management challenge requiring executive attention that only managers can provide.
IT staff can identify what needs to be done. They cannot, on their own, compel behavioral changes from other departments, allocate budget, or set policy about acceptable risk levels.
Practical steps managers can take include adding cybersecurity as a regular agenda item, requiring annual briefings on security posture, including security requirements in vendor contracts, and establishing clear incident response authority before an incident occurs.
Looking Ahead
The threat environment for small municipalities will likely worsen before it improves. But individual municipalities can significantly improve their odds. The "pick three" framework addresses the gaps that attackers most commonly exploit. None requires massive budgets or specialized expertise. All require sustained attention and organizational will.
The municipality that received the ransom demand at 6:47 a.m. eventually recovered without paying.
It took eleven weeks and cost far more than the ransom in overtime, consulting fees, and degraded services. The manager who led that recovery always emphasizes the same point: everything they did after the attack would have been easier, faster, and cheaper if they had done a few things differently before it.
Alton Henley is Dean of Business and Hospitality at Montgomery College with expertise in digital transformation for small municipalities. He serves on the advisory board of KC7, a nonprofit providing free cybersecurity training. Contact: alton.henley@montgomerycollege.edu




