OneCyberShield Briefing 007  ·  Operations  /  May 7, 2026

The eight cybersecurity gaps in every "we have an IT guy" city.

Network segmentation. MFA. EDR. Email authentication. Backup architecture. Vendor remote access. 24/7 monitoring. Incident response playbook. The eight gaps almost every smaller municipality has, why they exist, what failure looks like for each, and a realistic order of operations for closing them.

Most American cities run cybersecurity on the same foundational assumption: "we have an IT guy." The IT guy might be a single full-time employee, a small in-house team, or a managed service provider on monthly retainer. Whatever the structure, the assumption is that someone is handling cybersecurity, and therefore the city is handling cybersecurity.

That assumption is rarely true and never sufficient. The IT guy, however competent, is almost always responsible for keeping email working, getting new hires set up, fixing the printer, supporting the council member's iPad, patching the software the city already runs, and putting out the small fires that take up most of every IT day. Cybersecurity, in any rigorous sense, is a different job. The eight gaps below are the controls that almost every "we have an IT guy" city is missing, the failures that result from each, and a realistic order of operations for closing them.

Section 01  ·  The Eight Gaps

Each gap is described in three parts: what it actually is, why it matters specifically for municipalities, and what failure looks like when the gap is exploited.

Gap One: IT/OT Network Segmentation  ·  Architecture

What it is. Network segmentation means putting operational technology (water, traffic, dispatch, building automation) on a separate network from office IT (email, finance, citizen-facing services). Properly segmented, malware on the office side cannot reach the OT side, and vice versa.

Why it matters. Most municipal networks were built incrementally, not architected. The result is a flat network where the dispatch console, the water treatment SCADA, and the receptionist's PC all share the same broadcast domain. CISA's CI Fortify framework, released May 2026, makes IT/OT segmentation an explicit federal expectation for critical infrastructure operators.

Failure mode. A staff member opens a phishing email on the office side. Ransomware deploys, finds open SMB shares, and encrypts everything reachable. Because the network is flat, "everything reachable" includes the water billing database, the SCADA historian, and the dispatch CAD system. Service stops. The 2024 Columbus, Ohio incident moved laterally in exactly this way.

Gap Two: Multi-Factor Authentication (MFA)  ·  Identity

What it is. MFA requires a second proof of identity (phone, hardware key, authenticator app) in addition to a password. With MFA enforced, a stolen password by itself is not enough to access the account.

Why it matters. Coalition's 2024 data found that 82 percent of denied cyber insurance claims involved organizations without fully implemented MFA. Marsh McLennan's 2025 Cyber Insurance Market Report found 99 percent of cyber insurance applications now include specific MFA questions. MFA is the single highest-leverage control on this list.

Failure mode. An attacker buys credentials on a criminal market for ten dollars. Logs into the city's email or VPN as the city manager. Reads emails, identifies the finance director's payment workflow, sends a wire transfer instruction that looks legitimate because it actually came from the city manager's account. The money is gone before anyone notices the login was unauthorized.

Gap Three: Endpoint Detection and Response (EDR)  ·  Endpoints

What it is. EDR is a security agent that watches every endpoint (laptop, server, dispatch console) for malicious behavior, not just known malware signatures. When an EDR sees something behaving like ransomware, it blocks the process and isolates the device automatically.

Why it matters. Traditional anti-virus matches files against known signatures. Modern ransomware uses techniques specifically designed to evade signature-based detection. Insurers no longer accept "we have anti-virus" as a substitute for EDR. If your endpoint protection is an anti-virus subscription you renewed five years ago, you do not have endpoint protection by 2026 standards.

Failure mode. Novel ransomware variant arrives via a contractor's USB drive plugged into a city laptop. Anti-virus doesn't recognize the file. The malware runs, escalates privileges, and starts encrypting. By the time anyone notices, the damage is done. EDR would have flagged the unusual encryption behavior within seconds and isolated the device automatically.

Gap Four: Email Authentication (SPF, DKIM, DMARC)  ·  Email

What it is. Three DNS-based protocols that prove an email actually came from the domain it claims to come from. SPF says which servers are allowed to send for your domain. DKIM cryptographically signs outbound mail. DMARC tells receiving servers what to do if a message fails the first two checks.

Why it matters. Phishing remains the number-one initial-access vector for municipal breaches. A spoofed email from citymanager@yourcity.gov to your finance director, instructing a wire transfer, is functionally indistinguishable from the real thing if your domain has no DMARC enforcement. With DMARC at reject, the spoofed mail never reaches the inbox.

Failure mode. Attacker spoofs the city attorney's address to the finance director, claiming an urgent legal settlement requires immediate wire transfer to a specified account. Without DMARC, the message arrives looking authentic. The finance director, trying to be responsive, complies. The settlement is fictional. The money is gone. This pattern is one of the most common and most expensive municipal cyber losses, and it does not require any technical breach of the city's systems.
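The spoofing described above succeeds because nothing tells the receiving server to reject mail that fails SPF and DKIM. The following is an added example, not OneCyberShield's code: it reads SPF and DMARC TXT records (constructed samples for a hypothetical domain, not live DNS lookups) and reports the settings that leave a domain spoofable, so a city can check its own records before an insurer or an attacker does.

```python
# Constructed sample records for a hypothetical domain (not live DNS lookups).
WEAK_SPF = "v=spf1 include:_spf.mailhost.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@city.example"
STRONG_SPF = "v=spf1 include:_spf.mailhost.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@city.example"


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf: str, dmarc: str) -> list:
    """Return findings; an empty list means SPF restricts senders and
    DMARC is at reject, the posture Gap Four calls for."""
    findings = []
    terms = spf.lower().split()
    if not terms or terms[0] != "v=spf1":
        findings.append("SPF: no valid record, receivers cannot tell which servers may send")
    else:
        # The trailing 'all' mechanism decides what happens to unlisted senders.
        all_term = next((t for t in terms[1:] if t.endswith("all")), None)
        if all_term in (None, "all", "+all"):
            findings.append("SPF: '+all' or missing 'all' lets any host send for the domain")
        elif all_term == "?all":
            findings.append("SPF: '?all' is neutral and gives receivers no signal")
    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no record, so failing SPF/DKIM has no consequence")
        return findings
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam instead of rejecting it")
    elif policy != "reject":
        findings.append(f"DMARC: unknown policy '{policy}'")
    # Subdomains inherit p unless sp overrides it.
    if tags.get("sp", policy).lower() != "reject":
        findings.append("DMARC: subdomain policy is weaker than reject, subdomains can be spoofed")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so nobody receives aggregate reports")
    return findings
```

Run `assess(WEAK_SPF, WEAK_DMARC)` against the monitor-only records and it reports that spoofed mail is still delivered; the strong pair returns no findings. DKIM is not checked here because its signing key lives in a selector record the sender chooses, not in a fixed location.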

Gap Five: Backup Architecture (Air-Gapped, Immutable)  ·  Recovery

What it is. Backups stored in a way that ransomware cannot reach. "Air-gapped" means physically or logically disconnected from the production network. "Immutable" means written in a way that cannot be modified or deleted, even by an authenticated administrator.

Why it matters. Ransomware groups now actively target backup systems first. They have learned that destroying backups eliminates the victim's main alternative to paying. A backup system that lives on the same Active Directory domain as production, with the same admin credentials, is not a backup system. It is another target.

Failure mode. Backup infrastructure shares Windows domain authentication with production. Attacker compromises a domain admin credential. Logs into the backup server. Deletes or encrypts the backups. Then encrypts production. Recovery is impossible without paying the ransom or rebuilding from scratch. This is the architectural failure that turned multiple municipal incidents into seven and eight figure recovery bills.

Gap Six: Vendor Remote Access Controls  ·  Third Party

What it is. Controlled, logged, time-limited access for the vendors who service municipal systems. Includes named accounts (not shared logins), MFA, session recording where appropriate, and just-in-time activation rather than always-on tunnels.

Why it matters. Vendors are repeatedly the entry point in successful municipal attacks. The Aliquippa, Pennsylvania water authority breach in November 2023 occurred through a Unitronics PLC reachable from the internet using default credentials. The CyberAv3ngers actors did not need to compromise the city's internal network. The vendor's product was the entry point.

Failure mode. SCADA vendor maintains a permanent VPN tunnel into the city's OT network for remote support. Vendor's laptop is compromised through an unrelated phishing attack. Attacker now has the same access into the city's OT network that the vendor has, with no city systems compromised at all. This is also the failure mode the federal government has been warning about specifically since 2023.

Gap Seven: 24/7 Monitoring  ·  Visibility

What it is. Someone (or some system) actively watching the network for signs of compromise around the clock. Could be in-house staff, a managed SOC, or a platform with automated alerting and on-call response.

Why it matters. The IBM Cost of a Data Breach Report has consistently found average detection times measured in months, not days. Most attacks happen on weekends and holidays specifically because that is when the IT guy is not watching. Without 24/7 monitoring, attackers have hours or days inside the network undetected, which is why the average successful attack causes far more damage than it would if it were caught early.

Failure mode. Attacker establishes persistence on Friday at 6 p.m. Spends the weekend mapping the network, identifying high-value targets, exfiltrating data. Deploys ransomware Sunday night when nobody is on call. Monday morning the IT guy arrives to find half the city encrypted. The attacker had three days inside, undetected. With 24/7 monitoring, the initial compromise on Friday triggers an alert, and the attack is contained before any damage occurs.
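The Friday-evening pattern above is detectable from the logs a city already has if someone, or something, is reading them. The following is an added example, not OneCyberShield's platform code: it parses constructed VPN authentication events (the line format and the account names are assumed) and flags successful off-hours logins by privileged accounts, rating them higher when the source address has never been used by that account during business hours.

```python
from datetime import datetime, time

# Constructed sample VPN authentication events for a hypothetical city.
# 2026-05-01 is a Friday; the attack in the text starts Friday at 6 p.m.
SAMPLE_LOG = """\
2026-05-01T09:12:03 user=jsmith src=10.20.30.41 result=success
2026-05-01T10:00:00 user=citymanager src=10.20.30.50 result=success
2026-05-01T11:00:00 user=svc-backup src=10.20.30.60 result=success
2026-05-01T18:04:55 user=citymanager src=203.0.113.25 result=success
2026-05-02T02:15:10 user=svc-backup src=203.0.113.25 result=success
2026-05-02T03:00:00 user=svc-backup src=10.20.30.60 result=success
2026-05-03T23:40:12 user=admin-scada src=198.51.100.7 result=failure
2026-05-04T08:30:00 user=jsmith src=10.20.30.41 result=success
"""

# Accounts whose misuse reaches finance, backups or OT (assumed names).
PRIVILEGED = {"citymanager", "svc-backup", "admin-scada"}
BUSINESS_START, BUSINESS_END = time(7, 0), time(18, 0)


def parse_line(line: str) -> dict:
    """'2026-05-01T09:12:03 user=x src=y result=z' -> dict with a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def is_off_hours(ts: datetime) -> bool:
    # weekday(): Monday=0 ... Saturday=5, Sunday=6
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_alerts(log_text: str) -> list:
    """Return (timestamp, user, src, severity) for successful off-hours
    logins by privileged accounts. 'new-source' means that user never
    logged in from that address during business hours in the same log."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    baseline = {(e["user"], e["src"]) for e in events
                if e["result"] == "success" and not is_off_hours(e["ts"])}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["user"] in PRIVILEGED and e["result"] == "success" and is_off_hours(e["ts"]):
            severity = "known-source" if (e["user"], e["src"]) in baseline else "new-source"
            alerts.append((e["ts"].isoformat(), e["user"], e["src"], severity))
    return alerts
```

On the sample log this raises the Friday 18:04 city-manager login and the weekend backup-account logins; an alert only helps if someone is on call to act on it, which is the point of pairing this gap with Gap Eight.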

Gap Eight: Incident Response Playbook  ·  Operations

What it is. A written plan with named decision-makers, roles, contact information, vendor numbers, and pre-decided answers for the questions that always come up in the first hours of an incident. Tested annually with tabletop exercises.

Why it matters. The first 24 hours of an incident determine the next 24 months. Decisions made during the chaos of an active attack, without a plan, are usually worse than decisions made calmly in advance. Insurers now routinely ask whether a written IR plan exists, whether it has been exercised, and whether the participants can be named by title. "We will figure it out if it happens" is no longer an acceptable answer.

Failure mode. Friday 6 p.m. attack. IT guy calls the city manager. City manager calls the mayor. Mayor calls a friend who used to work in IT. Three hours later, nobody has called the FBI, nobody has notified the cyber insurance carrier (which often voids coverage if not notified within 24 to 72 hours), and someone has powered off a server, destroying forensic evidence. This is the modal first response for cities without playbooks. The cost is measured in millions of dollars and weeks of additional downtime.

Section 02  ·  How These Gaps Compound

The eight gaps are not independent. Closing one without the others produces partial results, sometimes none at all.

24/7 monitoring without an incident response playbook means you see the attack but cannot respond. MFA without EDR means an attacker who gets past authentication still has free movement once inside. Backup architecture without segmentation means your backups can be reached by the same ransomware that destroys production. Vendor controls without monitoring mean you log vendor activity that nobody reviews.

The integrated posture. The eight gaps form an interlocking defense. Closing five of them is not 62 percent of the protection. It is closer to 20 percent, because attackers find the weakest link and the rest of the work goes unrewarded. A defensible municipal posture requires closing all eight, in some order, on some realistic timeline.

Section 03  ·  How OneCyberShield Maps to These Gaps

The four-pillar OneCyberShield product stack was designed around exactly these gaps, with the goal of giving municipal IT teams an integrated set of tools rather than eight separate vendor relationships to manage.

Network Defense addresses Gaps 1 and 6. Next-generation firewall appliances and intrusion-prevention systems deliver IT/OT segmentation. Vendor remote-access controls bring the third-party tunnels under documented, logged, just-in-time policy.

Endpoint Protection addresses Gap 3 directly and supports Gap 4. Lightweight EDR agents on every endpoint provide behavioral detection and automated containment. Email authentication is a configuration project the platform supports with monitoring, but the configuration itself is a one-time municipal IT task we help script.

Immutable Backup & Recovery addresses Gap 5. Air-gapped storage hardware and immutable architecture ensure backups remain available even when the production environment is compromised. Recovery testing is built into the deployment.

The Threat Intelligence & SOC Platform addresses Gap 7 and supports Gap 8. Real-time monitoring with automated alerting and playbook integration gives municipal IT teams visibility around the clock. Audit-ready logging supports the documentation required by Gap 8 and by cyber insurance carriers.

Section 04  ·  The Self-Assessment

Walk through each gap. For each, ask one question: Can I produce documented evidence we have this? Documented evidence means a report, a screenshot, a configuration export, or an audit log with the city's name on it.

"We have it but I would need to ask the IT guy" is not documented evidence. That answer means you do not have it for insurance, audit, or CI Fortify alignment purposes. The exercise of trying to produce the evidence reveals more about your security posture than most municipalities have ever assessed about themselves.

Section 05  ·  Where to Start

Cities that try to close all eight gaps simultaneously usually close none. A realistic order of operations:

First

MFA on every account.

Cheapest, fastest, biggest single risk reduction. Most cities can complete a thorough MFA rollout in 60 to 90 days. Insurers will treat this work alone as a meaningful change in your posture.

Second

EDR on every endpoint.

Deployable in days once procurement is complete. Replaces the legacy anti-virus subscription. Tier-one insurance requirement.

Third

Backup architecture review.

Often a quick win. Sometimes requires re-architecting. Either way, the existence of viable, isolated backups is the single most important determinant of whether a ransomware incident becomes a survivable inconvenience or a catastrophe.

The remaining five gaps (segmentation, email authentication, vendor controls, 24/7 monitoring, IR playbook) are harder, slower, and require more planning. They are also where State and Local Cybersecurity Grant Program (SLCGP) funding maps best. We cover SLCGP strategy in Briefing 008.

For the financial case behind these investments, see Briefing 006: What a Ransomware Attack Actually Costs a U.S. City. For the federal policy backdrop, see Briefing 005: CISA's CI Fortify Initiative.

Dr. James E. Hrubes, Ph.D.

Chief Technology & Infrastructure Security Officer

James leads OneCyberShield's command-and-control operations, the framework connecting every client deployment to a coordinated security posture. His specialty is ensuring seamless communication between technology systems, security operations, and the personnel who run them across municipal infrastructure, public utilities, and critical facilities.

Want a gap assessment specific to your city?

We run free private briefings every week. Bring your environment, we will walk through the eight gaps as they apply to the specific systems your team operates, and explain what closing them looks like in your context. No pressure, no pitch, plain English.