Editor's note: This article was originally published in American City & County, which has merged with Smart Cities Dive to bring you expanded coverage of city innovation and local government.
Increasingly across the United States, malicious actors are targeting technology infrastructure to commit crimes. A few months into 2025, we have seen a continued surge of city and county governments falling victim to serious cybersecurity incidents. In minor cases, criminals leverage unauthorized email access to redirect an employee’s paycheck. Catastrophic ransomware attacks, perpetrated by established criminal enterprises, can grind all operations to a complete halt, sometimes impacting critical health and safety systems like 911 dispatch centers.
While no two incidents are the same, city and county governments often face similar challenges during and after cyberattacks. However, it's important to remember that while it is impossible to thoroughly prevent or prepare for all cybersecurity incidents, thoughtful consideration of the most common challenges and proactive measures could help your local government more easily navigate or avoid serious cybersecurity mayhem. By taking proactive steps, you can empower your local government to be more in control of its cybersecurity.
Humans are the weakest link
It's important to recognize that the biggest challenge for cities and counties in cybersecurity is consistent across industries. Even with the best preventative technology in the world, any system can be exploited through its human end users. Phishing attacks are a prime example of this issue. Despite regular training and awareness efforts, thousands of organizations have employees who fall victim to social engineering each year and whose credentials are compromised by a successful phishing attempt. It's a reminder that human error is an inevitable part of the cybersecurity landscape.
Beefing up security always helps, but it won’t completely solve the problem. Multi-factor authentication (MFA) and training prevent most phishing incidents. That said, distracted or overwhelmed employees often succumb to MFA fatigue and approve unprompted sign-on attempts.
Sometimes, the process can save the day when both the technology and the employee fail to prevent a cybersecurity breach. This is especially important in the context of wiring protocols. Procurement is often a target for cybercriminals because it can yield lucrative results. Once money has left an organization’s bank account, tracking it down or clawing it back can be impossible. Protocols requiring secondary, non-email confirmation of wiring instructions have prevented massive wire fraud heists.
Government employees are geographically spread out
A second common challenge for city and county governments is the geographic spread of employees. Many local governments operate out of different departmental buildings, and today, all have at least some employees working outside the office. This is not a gripe about working from home but a call to action regarding the mobile responsibilities of city and county employees. Whether they are GIS specialists or law enforcement, local government employees are often on the move.
Unfortunately, geographic spread poses two difficulties in the cybersecurity context. If employees need to work on the go, they often require a way to access governmental technology systems remotely. Typically, a virtual private network (VPN) facilitates that access. However, the same avenues legitimately used for remote employee access can be, and often are, abused by malicious actors. VPNs are one of the most common root points of compromise that result in cities and counties becoming the victims of catastrophic ransomware events. Enforcing MFA for VPN access is an essential cybersecurity step for any local government.
Geographic sprawl can also cause headaches for IT teams during an incident if assets requiring remediation are housed at different physical locations. Driving time to and from various facilities is valuable time lost when combatting a serious cybersecurity threat or incident. To some extent, this challenge might be unavoidable, but hosting any on-premises servers in one or two core locations could mitigate the challenges of restoring systems for a geographically large county.
Play nice with your neighbors
Another challenge unique to cities and counties is how often they rely on connections to or shared technology resources with outside entities. For example, many counties share the use of Munis or other payroll software with their associated school system or other local public entities. From a financial stewardship standpoint, this might make perfect sense. However, it becomes a headache for cybersecurity and legal purposes. When two organizations link their technology infrastructure, a ransomware attack on one could infect the other. To that end, a local government should want assurances concerning the cybersecurity practices of any connected entities. When there is an incident, the connection needs to be severed.
However, communicating about an ongoing incident with other public entities can also create concerns. If a county and school system need to discuss remediation actions following a ransomware event to reestablish Munis access, any materials created could be subject to a Freedom of Information Act (FOIA) request on either organization. Information concerning incident remediation is highly sensitive and should not be made public if possible. Negotiating a memorandum of understanding concerning the confidentiality of cybersecurity collaboration with entities sharing connections to a city or county’s networks can allow for more open communications if or when a serious incident occurs by mitigating the risk of disclosure via FOIA.
In a time when cyber threats are more sophisticated and frequent, city and county governments cannot afford to be reactive when it comes to cybersecurity. A well-prepared municipality safeguards not only its data but also the trust of the residents who rely on the continuity of essential services. Cybersecurity preparedness is no longer optional; it is a fundamental responsibility.
About the Author
Phillip Harmon is an associate in Woods Rogers’ Cybersecurity & Data Privacy Practice. He counsels local and state governments, agencies, universities, school systems and other public organizations in preparation for and in the days after cyber incidents.