The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.
Your Town Has a Name. To a Threat Actor, It Has an IP Address.
Municipal leaders have always carried the responsibility of protecting the systems that keep their communities running. Today, many of those systems—water treatment, emergency communications, payroll, schools, permitting, and public safety—depend on technology that was never designed to withstand modern cyber threats.
Across the country, local governments are increasingly being targeted by ransomware groups and other threat actors because they often lack the staffing, visibility, and resources needed to defend complex technical environments. Through our grant-funded programs, in New Hampshire we have identified that the trend persists.
Overwatch has identified a concerning trend across New Hampshire municipalities: most organizations have limited visibility into and understanding of their own technical environments.
The causes are understandable. High staff turnover, aging infrastructure, limited budgets, and dependence on outside vendors who are equally constrained by time and expertise, at times, create environments where technology grows faster than oversight. In our program assessments, we often find that the municipal leader is fully relying on their IT person or their vendor without gaining enough of an understanding of the moving pieces themselves. Many reveal that they are aware of components of their technical environments that they aren’t even sure are working or what function they serve or who is responsible for maintaining it. It is generally accepted that municipal leaders are not supposed to be technology experts. It’s certainly easiest to trust the people around them. Municipal staff and service providers are working hard to support their communities. But good intentions alone cannot secure critical infrastructure.
Trust isn’t a security strategy. What good is a locked front door if you gave away the key and didn’t know it?
The data we’ve collected reflects the scale of the challenge. Thirty-nine percent of municipalities assessed lacked an adequate firewall. Seventy-four percent had no identity management controls. Sixty-five percent had never conducted cybersecurity awareness training or don’t do so annually. Across towns, schools, and water systems, the average cyber risk score was a D+.
These are not simply technology gaps. They are operational risks that can disrupt public services, compromise sensitive data, and threaten community safety.
The good news is that resilience does not require perfection. Many of the most important improvements are foundational: understanding what systems exist, improving access controls, training staff to recognize phishing attempts, and building partnerships that strengthen local capabilities. There are highly skilled technologists and teams out there that can safely test and document the core elements of your environment, including but not limited to the assessments provided by The Overwatch Foundation.
The municipalities who will be safest are not the ones with the largest budgets, but the ones treating cybersecurity as a leadership and public safety issue—not just an IT problem.