Are cities and municipalities particularly targeted by cybercriminals?
Kira Groß-Bölting: Municipalities are easy prey for cybercriminals. Their IT systems are often poorly secured. Ransomware groups act opportunistically and attack where it is easiest. In this respect, cybercriminals are no different from burglars who prefer houses or apartments with weak or no security measures. Empathy or restraint toward public institutions is now rarely seen.

Why do many IT managers detect cyberattacks on cities and municipalities too late?
Jan Leitzgen: There is a lack of basic security measures: clear processes, emergency plans, and security awareness among employees. When a phishing email arrives or an outdated service is exposed to the internet, attackers have an easy time. In addition, many administrations lack a comprehensive logging and monitoring concept. Events are only logged selectively, and important event IDs are missing. This makes early warning signs much harder to detect. On top of that, reporting channels are often inadequate. Employees are unsure what to do if, for example, they fall for a phishing email.
Kira Groß-Bölting: Many IT teams are understaffed. Municipalities with just one IT manager and one trainee are unfortunately still the norm. With so few personnel, only the essentials of day-to-day operations can be handled. Important topics such as prevention, awareness training, and structured processes are often neglected.
What are typical attack patterns?
Jan Leitzgen: Classic entry points include weak passwords, unpatched systems, and missing two-factor authentication for VPN access. Another widespread risk: if an IT administrator uses the same password for their personal account and their admin account, and neither is protected by two-factor authentication, attackers can move freely through the network, exfiltrate data, and encrypt systems.
Kira Groß-Bölting: We repeatedly encounter very lax password policies. For example, accounts are automatically unlocked after a certain time even after multiple failed login attempts—often justified by saying it reduces helpdesk tickets. In reality, this is an invitation for attackers. Once inside the system, they spread laterally across the network. Weak passwords then pose no obstacle.
What pitfalls arise during the response to a successful attack?
Jan Leitzgen: Without emergency concepts, even assessing the current situation takes a long time. Communication between departments breaks down, and IT teams must simultaneously handle crisis communication, forensics, and system recovery.
Kira Groß-Bölting: Many underestimate existing dependencies. Only during an incident does it become clear how systems are interconnected—from identity and access management to specialized applications. If critical systems have not been evaluated beforehand, prioritization under pressure leads to delays.

What concrete impact does this have on administration and citizens?
Jan Leitzgen: When cybercriminals encrypt data and systems, operations come to a standstill. Citizen offices, ID services, vehicle registration—nothing works. Social benefits are not paid, and communication between departments collapses. The extent to which analog processes can compensate depends on the level of preparation. Without predefined emergency processes, very little can be maintained.
Kira Groß-Bölting: Without emergency plans and an overview of the system landscape, organizations are helpless and lose valuable time. The first hours are especially critical for setting up emergency operations. This requires clear prioritization of essential systems. A lack of communication strategy is particularly critical. Without an emergency plan, many administrations fall into a panic mode we call “headless chicken mode.”
How long does it take for a municipality to become operational again?
Kira Groß-Bölting: In the first days, IT and crisis teams operate under extreme conditions—12-hour days, including weekends. It typically takes four to six weeks to establish a stable emergency operation. Only then can structured communication resume and key administrative services be restored. Ideally, identity management and network infrastructure are hardened by then, and critical systems are partially operational. Our focus is on rapid recovery and preventing reinfection.
When is normal operation restored?
Kira Groß-Bölting: With external support, municipalities usually return to normal operations after six to nine months. By then, core projects have been implemented and emergency operations phased out. However, this is not the final state—it is a significantly more secure foundation that must continue to be developed.
Jan Leitzgen: “Normal operation” does not mean everything is secure. It means the exploited vulnerabilities have been closed—usually with limited resources. A long-term increase in IT security requires more budget, more time, and above all more personnel. Unfortunately, this is often lacking. In addition, public procurement processes at the municipal level further slow down improvements.
What can municipalities do immediately to improve IT security—even with limited resources?
Jan Leitzgen: First: create visibility. Without monitoring, suspicious activities remain invisible. Who really knows what is happening in their network? Tools like XDR (Extended Detection and Response) or a Security Operations Center (SOC) can help significantly—especially when supported by external service providers.
Second: improve response capability. An emergency plan is crucial. It does not have to be perfect, but it must be realistic: Who does what if someone clicks on a phishing link? Which accounts must be locked immediately? Who informs whom? And most importantly: who is authorized to make decisions?
Third: review passwords and perimeter security. Exposed services must be secured with two-factor authentication. Weak passwords must be eliminated—even if inconvenient. This is not about control, but about digital survival.
Kira Groß-Bölting: Additionally, enforce password policies with clear requirements for length and complexity, and provide special protection for privileged accounts. Routine tasks such as checking emails should not require administrative privileges. Every login should be assigned to a specific individual to ensure traceability—shared accounts undermine this. External access should also include automatic lockout mechanisms after a defined number of failed login attempts. These are cost-effective measures with immediate impact.
What is your advice for municipalities with limited personnel that still want to make progress?
Kira Groß-Bölting: Prioritize and outsource. With a reliable service provider and suitable solutions such as Managed Extended Detection and Response, a managed SOC, or incident response retainers, municipalities gain 24/7 detection, forensic expertise, and support during recovery. At the same time, they create internal clarity: What is critical? Which services must run first? These measures should then be translated into a realistic roadmap. It is better to take three solid steps than ten half-finished ones.
Jan Leitzgen: Seek support and start with what is feasible. The goal is not to be perfect tomorrow, but to take the first step. Those who understand their biggest vulnerabilities and have a plan move from reactive crisis management to a confident security culture. And yes, this is possible in the public sector. A good starting point is an infrastructure assessment: inventory systems, understand dependencies, and identify quick wins. This brings structure to “grown” environments and provides the foundation for segmentation, patch prioritization, and clean processes.
Kira Groß-Bölting supports companies, authorities, and organizations during active cyberattacks. She joined G DATA Advanced Analytics GmbH in 2016 and has served as Deputy Team Lead in the G DATA CSIRT since 2022, as well as an Incident Manager. Her focus: managing crises effectively, restoring operational capability, and strengthening cyber resilience sustainably.
Jan Leitzgen is an IT security consultant at G DATA Advanced Analytics GmbH. He joined the company in 2024 after nearly 10 years as an IT administrator in the healthcare sector. His role now focuses on helping organizations optimize their IT security structures to better respond to cyberattacks. Building both technical and organizational foundations is key to enabling effective forensic analysis in such scenarios. He has also been studying Cybersecurity Management part-time since 2023.