COMMENTARY | City and county managers can no longer see cybersecurity as an IT problem. They can take various practical steps before an incident occurs.
The call came at 6:47 a.m. on a Tuesday. The public works director couldn’t log in. Neither could anyone in finance. By the time the city manager arrived, the message on every screen was clear: the city’s entire network was encrypted, and the attackers wanted $350,000 in Bitcoin.
This wasn’t a major metropolitan area with a dedicated cybersecurity team. It was a community of 12,000 people with an IT department of one. The city had no incident response plan, no cyber insurance and backups that hadn’t been tested in over a year.
Stories like this play out thousands of times each year across America’s small municipalities. While headlines focus on attacks against major cities and Fortune 500 companies, criminal organizations have quietly discovered that small local governments offer something even better: essential services under political pressure to pay, defended by IT teams stretched impossibly thin.
Route Fifty
By Alton Henley
March 27, 2026