Are cities and municipalities particularly targeted by cybercriminals?
Kira Groß-Bölting: Municipalities are easy prey for cybercriminals. Their IT systems are often poorly secured. Ransomware groups act opportunistically and attack where it is easiest. In this respect, cybercriminals are no different from burglars who prefer houses or apartments with weak or no security measures. Empathy or restraint toward public institutions is now rarely seen
Why do many IT managers detect cyberattacks on cities and municipalities too late?
Jan Leitzgen: There is a lack of basic security measures: clear processes, emergency plans, and security awareness among employees. When a phishing email arrives or an outdated service is exposed to the internet, attackers have an easy time. In addition, many administrations lack a comprehensive logging and monitoring concept. Events are only logged selectively, and important event IDs are missing. This makes early warning signs much harder to detect. On top of that, reporting channels are often inadequate. Employees are unsure what to do if, for example, they fall for a phishing email.
Kira Groß-Bölting: Many IT teams are understaffed. Municipalities with just one IT manager and one trainee are unfortunately still the norm. With so few personnel, only the essentials of day-to-day operations can be handled. Important topics such as prevention, awareness training, and structured processes are often neglected.
What are typical attack patterns?
Jan Leitzgen: Classic entry points include weak passwords, unpatched systems, and missing two-factor authentication for VPN access. Another widespread risk: if an IT administrator uses the same password for their personal account and their admin account, and neither is protected by two-factor authentication, attackers can move freely through the network, exfiltrate data, and encrypt systems.
Kira Groß-Bölting: We repeatedly encounter very lax password policies. For example, accounts are automatically unlocked after a certain time even after multiple failed login attempts—often justified by saying it reduces helpdesk tickets. In reality, this is an invitation for attackers. Once inside the system, they spread laterally across the network. Weak passwords then pose no obstacle.
What pitfalls arise during the response to a successful attack?
Jan Leitzgen: Without emergency concepts, even assessing the current situation takes a long time. Communication between departments breaks down, and IT teams must simultaneously handle crisis communication, forensics, and system recovery.
Kira Groß-Bölting: Many underestimate existing dependencies. Only during an incident does it become clear how systems are interconnected—from identity and access management to specialized applications. If critical systems have not been evaluated beforehand, prioritization under pressure leads to delays.
What concrete impact does this have on administration and citizens?
Jan Leitzgen: When cybercriminals encrypt data and systems, operations come to a standstill. Citizen offices, ID services, vehicle registration—nothing works. Social benefits are not paid, and communication between departments collapses. The extent to which analog processes can compensate depends on the level of preparation. Without predefined emergency processes, very little can be maintained.
Kira Groß-Bölting: Without emergency plans and an overview of the system landscape, organizations are helpless and lose valuable time. The first hours are especially critical for setting up emergency operations. This requires clear prioritization of essential systems. A lack of communication strategy is particularly critical. Without an emergency plan, many administrations fall into a panic mode we call “headless chicken mode.”
How long does it take for a municipality to become operational again?
Kira Groß-Bölting: In the first days, IT and crisis teams operate under extreme conditions—12-hour days, including weekends. It typically takes four to six weeks to establish a stable emergency operation. Only then can structured communication resume and key administrative services be restored. Ideally, identity management and network infrastructure are hardened by then, and critical systems are partially operational. Our focus is on rapid recovery and preventing reinfection.
When is normal operation restored?
Kira Groß-Bölting: With external support, municipalities usually return to normal operations after six to nine months. By then, core projects have been implemented and emergency operations phased out. However, this is not the final state—it is a significantly more secure foundation that must continue to be developed.
JanLeitzgen: „Normal operation” does not mean everything is secure. It means the exploited vulnerabilities have been closed—usually with limited resources. A long-term increase in IT security requires more budget, more time, and above all more personnel. Unfortunately, this is often lacking. In addition, public procurement processes at the municipal level further slow down improvements.
What can municipalities do immediately to improve IT security—even with limited resources?
Jan Leitzgen:First: create visibility. Without monitoring, suspicious activities remain invisible. Who really knows what is happening in their network? Tools like XDR (Extended Detection and Response) or a Security Operations Center (SOC) can help significantly—especially when supported by external service providers.
Second: improve response capability. An emergency plan is crucial. It does not have to be perfect, but it must be realistic: Who does what if someone clicks on a phishing link? Which accounts must be locked immediately? Who informs whom? And most importantly: who is authorized to make decisions?
Third: review passwords and perimeter security. Exposed services must be secured with two-factor authentication. Weak passwords must be eliminated—even if inconvenient. This is not about control, but about digital survival.
Kira Groß-Bölting: Additionally, enforce password policies with clear requirements for length and complexity, and provide special protection for privileged accounts. Routine tasks such as checking emails should not require administrative privileges. Every login should be assigned to a specific individual to ensure traceability—shared accounts undermine this. External access should also include automatic lockout mechanisms after a defined number of failed login attempts. These are cost-effective measures with immediate impact.
What is your advice for municipalities with limited personnel that still want to make progress?
Kira Groß-Bölting: Prioritize and outsource. With a reliable service provider and suitable solutions such as Managed Extended Detection and Response, a managed SOC, or incident response retainers, municipalities gain 24/7 detection, forensic expertise, and support during recovery. At the same time, they create internal clarity: What is critical? Which services must run first? These measures should then be translated into a realistic roadmap. It is better to take three solid steps than ten half-finished ones.
Jan Leitzgen: Seek support and start with what is feasible. The goal is not to be perfect tomorrow, but to take the first step. Those who understand their biggest vulnerabilities and have a plan move from reactive crisis management to a confident security culture. And yes, this is possible in the public sector. A good starting point is an infrastructure assessment: inventory systems, understand dependencies, and identify quick wins. This brings structure to “grown” environments and provides the foundation for segmentation, patch prioritization, and clean processes..
Kira Groß-Bölting supports companies, authorities, and organizations during active cyberattacks. She joined G DATA Advanced Analytics GmbH in 2016 and has served as Deputy Team Lead in the G DATA CSIRT since 2022, as well as an Incident Manager. Her focus: managing crises effectively, restoring operational capability, and strengthening cyber resilience sustainably.
Jan Leitzgen is an IT security consultant at G DATA Advanced Analytics GmbH. He joined the company in 2024 after nearly 10 years as an IT administrator in the healthcare sector. His role now focuses on helping organizations optimize their IT security structures to better respond to cyberattacks. Building both technical and organizational foundations is key to enabling effective forensic analysis in such scenarios. He has also been studying Cybersecurity Management part-time since 2023.
Facts Only
Municipalities are frequent targets of cybercriminals due to poorly secured IT systems.
Ransomware groups attack opportunistically, preferring easy targets like underprotected public institutions.
Many municipalities lack basic security measures, including clear processes, emergency plans, and employee security awareness.
IT teams in municipalities are often understaffed, with some having only one IT manager and one trainee.
Common attack vectors include weak passwords, unpatched systems, and missing two-factor authentication for VPN access.
Lax password policies, such as automatic account unlocking after failed login attempts, facilitate attacker access.
Without emergency plans, municipalities struggle to assess situations, communicate, and prioritize system recovery during attacks.
Cyberattacks disrupt public services, including citizen offices, ID services, and social benefit payments.
Recovery to stable emergency operations typically takes four to six weeks, with full restoration taking six to nine months.
Immediate security improvements include implementing monitoring tools, enforcing password policies, and outsourcing security functions.
Public procurement processes slow down long-term IT security enhancements in municipalities.
Experts recommend prioritizing infrastructure assessments and segmentation to address vulnerabilities systematically.
Executive Summary
Full Take
The narrative presents a compelling case for the vulnerability of municipalities to cyberattacks, grounded in observable patterns of underinvestment and systemic neglect. The strongest version of this argument highlights the structural challenges—understaffed IT teams, bureaucratic procurement delays, and a lack of basic security hygiene—that make public institutions low-hanging fruit for opportunistic cybercriminals. The experts’ emphasis on practical, incremental improvements (e.g., password policies, monitoring tools) rather than perfection is a pragmatic steelman, acknowledging resource constraints while advocating for actionable change.
However, the framing risks reinforcing a deterministic view of municipal cybersecurity as inherently doomed without addressing deeper systemic issues. For instance, the article does not explore why public procurement processes are slow or whether political will exists to prioritize IT security budgets. The focus on technical fixes—while necessary—may obscure the role of governance and policy in creating these vulnerabilities. Additionally, the narrative leans on authority figures (the two experts) without interrogating potential conflicts of interest (e.g., their affiliation with a cybersecurity firm that stands to benefit from outsourced solutions).
Root causes likely include chronic underfunding of public sector IT, a cultural lag in recognizing cybersecurity as a critical infrastructure issue, and the misalignment between political cycles and long-term security investments. The implications for human agency are stark: citizens bear the brunt of service disruptions, while municipalities face a no-win scenario of either paying ransoms or enduring prolonged downtime. Second-order consequences could include erosion of public trust in digital governance and increased privatization of municipal IT services under the guise of "efficiency."
Bridge questions:
1. How might municipalities leverage intergovernmental cooperation or shared security frameworks to pool resources and expertise?
2. What role should regulatory bodies play in mandating minimum cybersecurity standards for public institutions?
3. Could the framing of cybersecurity as a "public good" rather than a cost center shift political and budgetary priorities?
Counterstrike scan: A coordinated influence campaign might exploit this narrative to push for privatized cybersecurity solutions, framing public sector IT as inherently incompetent to justify outsourcing. However, the article’s focus on practical, vendor-agnostic advice (e.g., password policies, emergency plans) and its acknowledgment of systemic constraints suggest it is not aligned with such a playbook. The experts’ recommendations are broadly consistent with independent best practices, and no overt manipulation patterns are detected.
Patterns detected: none
Sentinel — Human
The text demonstrates the high quality, specific detail, and nuanced synthesis characteristic of human expert reporting, focusing on actionable, contextualized security strategies rather than generic AI output.
