5 Essential Elements of a Municipal Cyber Security Plan

Cyberattacks on state and local governments are on the rise. In 2020, more than 100 government agencies, including municipalities, were targeted with ransomware – an increasingly popular attack vector.

These incidents are costly and disruptive. One report found that the average downtime associated with such attacks is 9.6 days. The same study also suggests that government officials’ understanding of how to mitigate cyber risk is low.

To help close this knowledge gap, we’ve outlined five elements of a municipal cyber security plan. Properly implemented, it can help local governments better allocate security resources, reduce the risk of a breach, and protect constituent services. 

1. Analyze the attack surface

As a municipality’s digital ecosystem expands, so does its attack surface. Cities must get a handle on risk hidden across digital assets in the cloud, across departments, and the remote workforce. After all, they can’t secure what they can’t see.

One way to tackle this problem is to incorporate attack surface monitoring into the municipal cyber security plan.

By continuously analyzing the digital environment, security teams can quickly validate their cities’ digital footprints. With this insight, they can identify each digital asset, its location, and the corresponding cyber risk. For instance, if the city manager’s office uses an application without IT’s knowledge, security teams can quickly discover that asset and understand its potential for risk.

Importantly, with this ecosystem-wide view, administrators can prioritize remediation of assets that are at disproportionate risk or most critical to the municipality, such as those used by emergency services and utility departments. This ensures that budgets and resources can be focused where they’re most needed.

2. Benchmark municipal security performance against other cities

Another strategy that can help municipalities focus their security efforts is to benchmark security performance in the context of their peers. Understanding the standards of care that other cities are maintaining can help security leaders determine security targets that they should strive to achieve, and where their current security programs may fall short. From there they can create improvement plans, prioritize cyber risk-reduction strategies, and, if needed, advocate for increased security resources.   

3. Implement continuous monitoring for rapid response

Time to discovery is critical in minimizing the impact of cyberattacks. Security responders can get one step ahead of the bad guys by using a continuous monitoring tool like security ratings.

Security ratings are data-driven measurements of ecosystem-wide security performance. Derived from objective, verifiable information, ratings help assess risk and the likelihood of a data breach based on externally observable risk factors – such as open ports, misconfigured software, compromised systems, exposed credentials, and weak security controls.

Findings are presented as a numerical score – much like a credit score – making it easy for everyone to understand how well the municipality can withstand an attack. Because time is of the essence, these insights are captured in near real-time so that security gaps can be rapidly identified and city leaders can make quick and effective decisions about risk reduction.

This approach to continuous monitoring is particularly advantageous to municipalities whose security programs are decentralized or distributed – from city hall to local schools. Instead of a siloed approach to security management and measurement, continuous monitoring with security ratings makes it easy to measure the effectiveness of the entire security program.

4. Scale security monitoring to third parties


As the SolarWinds supply chain attack showed, third parties pose a significant cyber risk to government entities. Although the federal government was the main target of that hack, smaller organizations are just as susceptible to these attacks and must up their game. Simply reviewing a third party’s cyber security policies and protocols isn’t enough – deeper and continuous cyber security assessment of their security postures is needed.

But with small IT departments and restricted budgets, it’s not always easy for local governments to scale third-party risk management programs across the hundreds of contractors that support municipal services.

Fortunately, security ratings can also be applied to third-party networks. 

Before a prospective supplier is selected, municipalities can use security ratings to get an instantaneous snapshot of each potential vendor’s security posture. During onboarding, acceptable risk thresholds can be established and incorporated into contracts, much like an SLA. If the vendor’s rating falls below that score anytime during the relationship, an alert is generated and the appropriate department can engage the vendor to initiate remediation.

The great thing about using security ratings for third-party cyber risk management is that the capability allows cities to flexibly scale their vendor risk assessments with ease, no matter how large their vendor portfolio.

5. Update policies for employee devices and remote access

With more personnel working outside the traditional network perimeter, municipalities must also factor updated policies and security guidelines for remote and home-based access into their cyber security plans.

Actions include tightening firewall and VPN policies and monitoring the network for unusual activity. Users should be encouraged to embrace easy-to-implement security measures, such as always using secure connections, regularly applying patches, and practicing strong password hygiene. When working from home or on the go, they must also limit who has access to their laptops, mobile devices, and applications.

Mitigate risk with a proactive municipal cyber security plan

There are other elements to a layered cyber security strategy that we haven’t mentioned here, such as endpoint security, intrusion detection, access control, and secure backups. Each is important, but as cyberattacks get more sophisticated, defense strategies must also evolve.

In today’s high-risk environment, municipal leaders must find ways to discover hidden security issues, continuously monitor risk, and educate users about how they can protect themselves – and their cities – from cyber threats while working remotely. Threat actors are stealthier and more persistent; municipalities must be prepared.