From the Incident Responder's Chair: Cybersecurity Preparedness for Every Municipality
Sunday morning in a Southeastern Oklahoma municipality began like any other, with quiet streets and empty corridors until the first call came in to the city manager. The police department was dark, email was silent, records were unreachable, and only 9-1-1 still had a pulse.
A ransom note had surfaced, and the systems needed to restore from backup had themselves been encrypted by the ransomware.
Within 90 minutes of discovering the loss of all systems, Guernsey was on a call with city officials, outside legal counsel, and IT support, hashing out a plan.
That morning and the following discussions underscored a hard truth Guernsey shares with every municipal client: cybersecurity isn’t just an IT issue. It’s a public safety, governance, and community trust issue.
The Anatomy of What We See (All the Time)
Attackers avoid business hours on purpose. Weekends. Holidays. Payroll week. They aim for panic.
- What hit this town: Ransomware on critical systems, including the ones needed to rebuild them. Missing or insufficient backups. Overnight loss of access to core records.
- Immediate response: City administration, IT support, and cyber on a single call to stabilize, contain, and triage.
- Operational fallout: Services kept moving with manual workarounds. It wasn’t ideal, but it kept critical operations running.
This situation wasn’t unique. Large and small cities run critical infrastructure, hold sensitive resident data, and often operate with lean IT. That combination makes municipalities attractive targets.
Why Preparedness Isn’t Optional
From the Incident Response side of the table, four risks show up every time:
- Operational: Police, fire, utilities, billing, phones—any of it can be interrupted.
- Legal/Regulatory: Potential notification and compliance obligations if personal data is involved.
- Financial: Incident response, rebuilds, overtime, and notifications add up fast.
- Trust: Residents forgive inconvenience; they don’t forgive silence or avoidable mistakes.
Preparedness isn’t about perfection; it’s about getting back to safe operations faster and shrinking the blast radius when, not if, something happens.
Your Municipal Cyber Roadmap (From an Incident Response Pro)
1) Before an Attack: Build the Bones
- Independent assessment: Have a third party find the gaps and map a 3- to 5-year roadmap. Don’t grade your own homework.
- Do the fundamentals well: Offline or segmented backups with tested restores (the restore tooling must work without the production systems, or it goes down with them, as it did in this town), securely stored system logs, MFA (Multi-Factor Authentication) everywhere, and strong credential hygiene.
- Invest in layers, not one-offs: Plan annual, incremental improvements that reduce risk and are maintainable.
- Train your people: Most incidents start with phishing. Conduct awareness training and run phishing simulations. Click rates will fall.
2) During an Attack: Contain, Coordinate, Communicate
- Containment first: Isolate affected systems to stop lateral spread and, if needed, temporarily sever internet connectivity to cut off the attacker’s remote access.
- Pre-assign roles: Ops lead, IT/forensics lead, legal lead, comms lead—know who decides what in the first 72 hours.
- Clear, calm messaging: Work with legal counsel on messaging for staff (and residents, if services are impacted), on what you know and expect. Avoid legal trigger words like “breach” until facts are confirmed.
3) After an Attack: Restore and Harden
- Document and learn: Preserve logs and timelines essential for scope, recovery, and compliance.
- Modernize weak points: Patch everything, ensure proper configurations, retire fragile systems, segment networks, and improve monitoring.
- Rebuild trust: Share what happened in plain language and—more importantly—what you’re changing.
What Guernsey Tells City Leaders—Every Time
- This is public safety. A cyber event can impair emergency services as surely as a tornado. Plan and fund accordingly.
- Partnerships shorten downtime. Having cyber, legal, and risk pros on speed dial changes the first 72 hours.
- Don’t wait for perfection. Start with MFA, real backups, filtering, patching, logging, and tabletop exercises, and then keep going.
Monday-Morning Moves (Do These Now)
- Name your core incident team and store after-hours contacts off-network (e.g., on paper or thumb drives).
- Turn on MFA for email, all administrative accounts, finance and HR systems, and remote access.
- Verify offline backups and perform regular test restores.
- Enable and retain logs across identity, servers, endpoints, and network.
- Tighten email filtering (reject spoofed senders with SPF, DKIM and DMARC; detonate suspicious links and attachments in a sandbox).
- Schedule a third-party risk assessment with a 3- to 5-year roadmap.
- Run a 60-minute tabletop: “It’s Sunday morning, and everything’s down.”
- Draft two holding statements (internal/public) reviewed by legal counsel that avoid the word “breach.”
- Inventory sensitive data; encrypt, minimize, and segment where it lives.
- Fund a recurring cadence (training, patching, pen-testing, restore drills).
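The backup item in the fundamentals list above (offline or segmented backups with tested restores) and the Monday-morning move to verify offline backups and run test restores come down to one drill: prove that a stored backup can be turned back into intact files using nothing that lives on the production systems. The script below is an added example written for this page; it is not Guernsey’s tooling or anything from the original article. It assumes a Linux host with POSIX sh, GNU tar and GNU coreutils (sha256sum, find, sort, mktemp), and the directory names, file contents and archive name it uses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): a scripted backup restore drill.
# Assumes a Linux host with POSIX sh, GNU tar, sha256sum, find, sort and mktemp.
set -eu

# make_backup SRC_DIR ARCHIVE
# Archive SRC_DIR and write two side files next to the archive:
#   ARCHIVE.sha256   - checksum of the archive itself (detects corruption or tampering)
#   ARCHIVE.manifest - per-file checksums of the source, so a restore can be
#                      verified file by file rather than "the tar command exited 0"
make_backup() {
    src="$1"; archive="$2"
    tar -C "$src" -cf "$archive" .
    (cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    (cd "$src" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$archive.manifest"
}

# restore_drill ARCHIVE
# Rehearse a real restore: check the archive checksum, unpack into a scratch
# directory, then verify every restored file against the manifest. Prints one
# status line and returns 0 (restore verified) or 1 (do not trust this backup).
restore_drill() {
    archive="$1"
    dir=$(cd "$(dirname "$archive")" && pwd)
    name=$(basename "$archive")
    if ! (cd "$dir" && sha256sum -c --status "$name.sha256"); then
        echo "FAIL: archive checksum mismatch for $archive"; return 1
    fi
    scratch=$(mktemp -d)
    if ! tar -C "$scratch" -xf "$archive"; then
        echo "FAIL: archive could not be unpacked: $archive"; rm -rf "$scratch"; return 1
    fi
    if (cd "$scratch" && sha256sum -c --status "$dir/$name.manifest"); then
        echo "OK: restore of $archive verified ($(wc -l < "$dir/$name.manifest") files)"; rc=0
    else
        echo "FAIL: restored files do not match manifest for $archive"; rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}

# demo
# Build constructed sample data, run the drill (must pass), then damage the stored
# archive the way bit rot or an attacker would and run it again (must fail).
# Returns 0 only if both outcomes are as expected.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/records" "$work/src/finance"
    printf 'permit 2024-001 approved\n' > "$work/src/records/permit.txt"   # constructed sample data
    printf 'vendor,amount\nacme,1200\n' > "$work/src/finance/ap.csv"        # constructed sample data
    make_backup "$work/src" "$work/city-backup.tar"
    restore_drill "$work/city-backup.tar" || { rm -rf "$work"; return 1; }
    # Truncate the archive: a partial copy to offline media looks exactly like this.
    head -c 1536 "$work/city-backup.tar" > "$work/city-backup.tar.tmp"
    mv "$work/city-backup.tar.tmp" "$work/city-backup.tar"
    if restore_drill "$work/city-backup.tar"; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}

demo
```

Keep the script, the `.sha256` file and the `.manifest` with the offline copy of the backup, not only on the backup server, and run the drill from a clean machine: the drill is only worth something if it exercises the path you would actually use on a Sunday morning when the production systems are gone.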
Bottom Line from the Cyber Seat
The cities that fare best aren’t the ones with the fanciest tools; they’re the ones that prepare, practice, and communicate. Make yourself a hard target, plan your first 72 hours, and invest steadily. That’s how you turn a Sunday-morning emergency into a contained incident and keep services, safety, and public trust intact.