How to Improve Cybersecurity for Municipalities: A Practical Guide for Small Teams

Cybersecurity
Written By Zoe Gittins
Workers Looking at Cybersecurity Alerts

It’s a normal day at a small municipality in central British Columbia—until its ERP system suddenly goes down.

What starts as a disruption quickly escalates: staff lose access to critical systems, public services are disrupted, and residents start looking for answers. Containment efforts follow, perhaps funded by taxpayer dollars. Systems take months to recover, and rebuilding trust with the community becomes a multi-year undertaking. 

For smaller Canadian communities, this isn’t a remote possibility, but a likely event. According to the Canadian Centre for Cyber Security, threat activity against municipal governments is on the rise, with over 100 known cases between 2020 and 2024 alone.

Most IT managers and administrative professionals are aware of the risks—but when you’re responsible for keeping day-to-day operations running with a small team and a fixed budget, cybersecurity for municipalities becomes one more priority competing for time and attention.

“Most of the municipal clients I’ve worked with generally know what good security looks like,” says Steve Gaucher, Security Consultant at IX Solutions. “They just don’t have enough resources to figure out the exact steps to get there.”

The “Too Small” Myth

Local governments are a classic case of “data rich, asset poor.” They manage an abundance of sensitive records—think tax documents, citizen data, and infrastructure schematics—as well as essential services like water and emergency response. However, they’re often doing so on aging infrastructure with limited IT capacity and, usually, no dedicated security roles. 

That combination makes them easier to exploit, particularly for opportunistic attacks like ransomware. “Attackers probably aren’t targeting you specifically, but if they get a bite, they’ll absolutely turn their attention on you,” Gaucher points out. “They’re just looking for that initial foothold, for you to get caught in a big net they cast.”

Here’s a closer look at why small municipalities are big targets:

Structural Constraints Slow Security Maturity

Data residency laws, like the Freedom of Information and Protection of Privacy Act (FOIPPA), have slowed public sector cloud adoption, giving those organizations less time than private businesses to build expertise. Lower turnover in municipalities compounds this, limiting the influx of security and cloud talent that competitive private-sector hiring tends to bring in.

Legacy Applications

Many municipalities use legacy software that’s purpose-built for local governments. These systems do the job operationally, but according to Gaucher, they can lag behind modern security standards: “Often, the software doesn’t support features like multi-factor authentication (MFA), forcing you to compromise on key controls.”

Because these tools are so specialized, viable replacements are limited. Effective security then becomes a matter of layering in additional safeguards to reduce risk where the applications themselves can’t.

Small Budgets, High Scrutiny

A 2024 MISA Ontario report found that over half of municipalities dedicate less than 5% of their IT budget to cybersecurity. Meanwhile, CDW Canada's findings show that standard spend for businesses is now about 4x that. 

With multiple priorities and tight oversight, increasing cybersecurity funding is a challenge. IT teams often need to justify every expense to council, making it difficult to secure additional resources even when the need is there.

4 Best Cybersecurity Practices for Municipalities

Controls like endpoint protection, patching, access policies, and network segmentation represent some of the best cybersecurity practices for municipalities to adopt. However, getting every security layer to an enterprise standard isn’t always realistic for smaller organizations with modest time, money, and in-house skills.

It’s a position that Gaucher understands from both sides as a former municipal security professional and now as a consultant at IX Solutions: “You must prioritize. If I had to pick, these are the strategies most municipalities should focus on tackling, given their existing resources.”

1. MFA

Most cyber attacks (95%) start with human error, usually through phishing. Local governments are more likely to be compromised through stolen credentials via a phishing email than an intricate network attack. That’s why MFA is one of the most effective controls to get right in cybersecurity for municipalities. In fact, no proper MFA was the root cause of a major ransomware attack on the City of Hamilton in 2024, and the reason why insurers ultimately denied the city’s claim.

That said, MFA in and of itself isn’t a silver bullet. While any authentication is better than none, phish-resistant methods offer stronger protection and should be used wherever possible. Gaucher notes this is an area where third-party municipal cybersecurity services can make a big difference: “Because phish-resistant MFA is a relatively new technology, leveraging the support of a partner with expertise in this area is recommended for smaller municipalities without dedicated security resources.”

2. Security Awareness Training

Beyond MFA, staff themselves are the first line of defence against phishing and other identity-based attacks. Cybersecurity training for municipalities reduces the chance of compromise by helping employees recognize red flags, adapt to evolving tactics, and build a more security-conscious culture overall.

Gaucher argues that the strategy is commonly undervalued: “It’s often last on the list, but security awareness training would actually be one of my top priorities because you can prevent the user group from getting phished in the first place.” It’s also one of the easiest practices to implement. Reputable vendors, like Huntress, have off-the-shelf programs with built-in training, scheduling, and testing features, making it straightforward to launch.

3. Backup and Recovery Systems

Ransomware attacks, like the one in Hamilton, don’t just jeopardize data but can also paralyze critical services and drive up costs through ransom payments. A strong backup and recovery plan could be what allows you to recover systems and avoid ransom payouts altogether.

“This seems to be a stumbling block in municipalities that have been ransomware’d,” says Gaucher. “They didn’t have the right backup infrastructure, so they needed the attacker’s help, essentially, to get back into their systems.”

He recommends making sure that your municipality has immutable, off-prem backup storage so assets can be easily restored once the initial incursion is contained. The 3-2-1 rule (three data copies and two storage types, with one offsite) is a best practice here, as well as regularly testing backups to make sure they work.

4. Incident Response Plan

A clear, functional incident response plan (IRP) is a low-cost way to stay prepared and reduce a potential incident’s impact. If your budget allows, bringing in municipal cybersecurity services to facilitate tabletop exercises can help validate the IRP and highlight any blind spots.

It doesn’t need to be overly technical, either. The most important thing is to make sure that your municipality has an IRP, keeps it up to date, and tests it regularly. Think of it as a standard operating procedure—something that’s concise and easy to interpret. 

The document should cover:

  • Where municipal assets live

  • How backup systems work

  • What steps need to be checked off during an incident

  • Who is responsible for them

3 tips for Microsoft Secure Score

Making the Case to Council

Municipal IT leaders are often in the position of justifying security investments to elected officials who are balancing budgets and public expectations. How those conversations are framed can make a real difference.

A few practical approaches help:

  • Use real-world examples: Incidents in other communities make the risk tangible to decision makers. Details on how attacks happened and what the impact looked like are often publicly available and easy to find.

  • Translate risks into impact: Keep the language simple and grounded in measurable outcomes like recovery costs, service disruptions, regulatory violations, and loss of public trust.

  • Challenge the “too small” mindset: Describe how incidents actually play out from the attacker’s perspective to dispel the myth that smaller communities aren’t at risk. 

Progress Over Perfection

When it comes to cybersecurity for municipalities, you don’t need to do everything at once—but you do need to start somewhere. Focusing on a handful of high-impact controls, building a clear case for security funding, and getting expert third-party support where it matters most can all significantly reduce risk over time. 

Remember, the goal shouldn’t be perfection, but incremental improvements that are realistic for your team to achieve. As Gaucher puts it: “You’re never going to eliminate risk entirely. But if you can focus on the fundamentals and build from there, you’re going to be head and shoulders above where you started—and probably, above most other organizations too.”

If you’re unsure how your municipality’s current security measures stack up, IX Solutions can help evaluate your environment and map out a path forward. Contact the IX Solutions team.

Zoe Gittins
Next

Cybersecurity for School Districts: 5 Practical Strategies for Lean IT Teams