American cities are under siege in cyberspace, and the managed service providers (MSPs) they depend on are their best hope for defense.
Last week, St. Paul, Minnesota, declared a state of emergency after a “deliberate, coordinated digital attack” forced the city to shut down all internet access in municipal buildings, prompting the state’s governor to activate the National Guard’s cyber protection unit—the first time such resources have been deployed for a municipal cyberattack.
Municipal cyberattacks have exploded in frequency, with government entities experiencing a staggering 300 percent increase in ransomware attacks in 2024 compared to the previous year. The average cost of a data breach for government entities has skyrocketed to $9.5 million in 2024, and 60 percent of state and local governments have experienced cyberattacks in the past 12 months.
However, there’s a disconnect in the marketplace. While local government ranks as the most likely industry to outsource cybersecurity to MSPs at 84 percent, higher than even education at 78 percent, many municipal IT departments continue operating on “antiquated hardware and unpatched software,” according to security engineers working with government clients. The challenge for MSPs? Convincing cash-strapped municipalities that cybersecurity is mission-critical infrastructure that determines whether cities can function or fall victim to the next attack.
Why cities are prime targets
“Municipalities are a goldmine for cybercriminals, and too many MSPs are still playing checkers in a chess match,” says Patrice Williams-Lindo, IT expert and CEO of Career Nomad. She points to the dangerous combination of high data value, low defense maturity, and treasure troves of data often sitting in outdated infrastructure. City budget constraints compound the problem, leaving cyber defenses woefully inadequate.
“The cyberattack on St. Paul is unfortunately a textbook example of the kinds of risks cities face right now,” Williams-Lindo tells SmarterMSP.com. “We work with public-sector clients regularly, and the mix of outdated systems, sensitive data, and under-funded IT teams creates a perfect storm for attacks like this one.”
Jordan Blake, Director of Communications & Operations at Shoreline Public Adjusters, a company that helps other companies recover from cyberattacks, agrees that cities present ideal targets for cybercriminals. “Cities typically operate out of a sense of urgency, manage using a hodgepodge of outdated systems, and rely on complex machinery of interrelated services that were never designed with security in mind,” Blake says. Police departments, utilities, public records, payment systems, and emergency communications are all interconnected, often through systems built on legacy infrastructure and shoestring budgets.
“When those two factors combine, we get broad attack surfaces and limited lines of defense,” Blake explains.
Blake emphasizes that data theft isn’t the only threat cities face, as operational paralysis poses an even greater danger. “One ransomware attack can slow emergency response times, disrupt water treatment systems, or take 911 offline. These aren’t simply cyber incidents. They are public safety issues.”
St. Paul’s experience last week illustrated this reality, with city services brought to a standstill during the cyberattack.
MSP best practices for municipal clients
Blake advocates that MSPs should protect cities, towns, and villages with the same rigor applied to any other business client. “That begins with zero-trust architecture and strict access controls. If you don’t have a genuine reason to be in the system, no one should be there, and if they are, they should be compartmentalized.” MSPs working with municipalities should implement backups that cannot be altered or deleted, and that maintain zero connectivity to the regular environment. “It’s a copy of everything that no one can get near, even if they penetrate the primary system.”
A frequently neglected area is response transparency. “When things break, everyone’s eyes are on the city, putting pressure on municipalities from residents and media,” Blake notes. “MSPs need both technical and public-facing incident response plans. Speed is everything, but so is trust.” The greatest danger cities face lies in their attractiveness as targets. “Attackers are out for more than just money—they are looking for chaos. That means MSPs must think like an adversary and prepare for worst-case scenarios, not just check boxes on a regulatory form.”
Thinking like an adversary
Joshua Charles, founder of Frontier Dominion, a market intelligence firm, reinforces this perspective: “Cities are tempting targets for cybercriminals because of the large amounts of sensitive data they manage and a general lack of technical agility relative to private-sector organizations.” To address these risks, Charles recommends MSPs implement real-time threat detection and response systems tailored for public-sector environments. “Regular penetration testing, zero-trust frameworks, and robust backup and disaster recovery protocols should be foundational offerings for municipal clients.”
As cyberattacks on municipalities continue to escalate, MSPs find themselves on the front lines of a battle that extends far beyond traditional IT support. The stakes, such as public safety, essential services, and community trust, demand that MSPs elevate their approach from routine maintenance to strategic defense. For cities struggling with budget constraints and aging infrastructure, partnering with a security-focused MSP isn’t just an operational decision—it’s a matter of survival in an increasingly hostile digital landscape.
Photo: Darryl Brooks / Shutterstock
This post originally appeared on Smarter MSP.