Earlier this month, DeKalb County, Indiana, officials sent out an urgent memo to their constituents warning them of a data breach that occurred in late August 2025. According to the notice, social security and driver’s license numbers, along with financial information, may have been leaked.

Over the past year, nearly 70% of small government entities have faced data breaches that have cost them over $1 million in damages alone. DeKalb County is just one incident from last year, with other cities like St. Paul, Minnesota; New Britain, Connecticut; and Douglas County, Colorado, experiencing cyberattacks in 2025 that have cost them both money and constituent trust.

With RSAC 2026 taking place this week, it seems fitting to discuss the unique challenges that municipalities face when it comes to cybersecurity and the role of strategic communications and stakeholder engagement in cyber resilience.

Municipalities are Prime Targets for Threat Actors

Given the amount of sensitive data municipalities inherently handle along with their tight budgets, small government entities are a popular target for ransomware groups and individual hackers, as defense mechanisms are often weak and underfunded. Many experts claim that the number of these attacks directed at municipalities will drastically increase with AI-driven attacks on the rise unless municipalities allocate proper time, effort, and budget towards the right cybersecurity defenses.

Cybersecurity defense is more than just implementing newer, more accurate cyber applications and systems, though; keeping your constituents’ livelihoods safe starts with creating a risk-averse culture internally. Effectively fostering a healthy and sustainable risk-averse culture, however, means municipalities should move away from mystified cybersecurity practices rooted in judgment towards an employee-first approach that values transparency and openness.

Shifting Blame from Security Talk to Employee Trust

Recent data reveals that a staggering 50% of all phishing emails are targeted at government employees across the U.S. private and public sectors. The numbers are similar when it comes to other forms of cyberattacks, like malware and business email compromise. Yet while employees cause these data breaches, it’s a poor cybersecurity culture that leaves the door open for staff members to walk into attacks without question.

Municipalities should understand that reducing data breaches begins with a safety-first culture that includes proper risk management and compliance practices. Ongoing employee training, regular risk assessments, clear compliance rules and regulations, and consistent documentation for auditing purposes are all crucial to showing and, more importantly, including every staff member in the cybersecurity conversation.

However, it’s not just implementing and including employees in risk management and compliance strategies that will build a strong security culture; it’s also the way small government entities frame why these practices are so important, focusing on employee safety and education. One of the biggest issues municipalities face when it comes to how they address cybersecurity is that they often view employees as tiresome data breach culprits, leading to staff members feeling unsafe and judged when wanting to report potential breaches. If risk management and compliance practices are to be effective and actually educate employees on how to reduce incidents, you should foster a community of open dialogue and an atmosphere of transparency.

This attitude should be further emphasized through actionable tactics for employees as well, like 24/7 reporting services, frequent team meetings on new cybersecurity practices, and Q&A forums that allow for feedback. Ultimately, you will have a staff that feels protected, trusted, and open to discussing problems.

Transparency Breeds Transparency

The entire reason behind a sustainable and transparent risk management and compliance strategy is, of course, to keep employees and constituents safe. However, it will also naturally lead to a transparent crisis communications plan. If your team is driven internally by accountability and clearly defined protocols, communicating data breaches to citizens becomes streamlined.

Keep in mind that when a crisis does occur, you want to:

  • Control the narrative, which requires accurate data on when, why, and how the data breach happened.
  • Retain and increase trust from citizens. Show them you addressed the issue right away and did not hold back on communicating it to the affected parties.
  • Assure your internal teams that their safety is paramount. While defining clear mistakes that were made and what to do in the future, do not adopt blameful language that produces shame. Make sure your employees know you care about their well-being, too.

These important crisis communications goals, again, begin their formation when you address your cybersecurity practices internally first, cultivating a reciprocal relationship across all parties that will create long-term trust.

Taking Action Before Incidents Occur

With limited resources and increasing cyberattacks, small government entities require the proper tools and know-how to address safety internally and handle crises externally. This goes beyond cybersecurity applications and third-party vendors to include understanding how to reframe the conversations around cybersecurity practices and how to communicate incidents effectively and accurately.

ARTÉMIA Communications is here to help your municipality implement risk management and compliance regulations to help strengthen workplace culture and draft crisis communication plans that are at the ready before a breach occurs. Get in touch today.

FAQs

Why are municipalities frequent targets for cyberattacks?

Municipalities are attractive targets because they often lack the resources and infrastructure of larger organizations while still holding valuable citizen data. Threat actors view local governments as easier entry points, especially when cybersecurity practices and employee training are inconsistent or underfunded.

How can municipalities improve cybersecurity beyond technology?

Effective cybersecurity strategies go beyond tools and software; strategic communications is essential. Municipalities need to build a strong internal security culture that prioritizes employee education, ongoing training, risk management, and clear compliance protocols. Transparency and open communication play a critical role in reducing human error and improving response times.

What role do employees play in municipal cybersecurity?

Employees are both the first line of defense and a common target for cyberattacks such as phishing. A lack of training or fear of reporting mistakes can increase risk. Municipalities that foster a non-punitive, transparent environment encourage employees to report threats early, helping prevent larger breaches.

How does transparency improve cybersecurity outcomes?

Transparency strengthens cybersecurity by encouraging open dialogue, faster reporting of incidents, and better collaboration across teams. When employees understand risks and feel safe reporting issues, municipalities can identify vulnerabilities earlier and respond more effectively.

Why is stakeholder trust important after a data breach?

After a data breach, maintaining public trust is critical. Clear, timely, and honest communication helps municipalities control the narrative, demonstrate accountability, and reassure constituents that corrective actions are being taken to prevent future incidents.

What is the connection between cybersecurity and crisis communications?

Cybersecurity and crisis communications are closely linked. Strong internal cybersecurity practices create the foundation for effective external communication during a breach. When processes are clear and data is accurate, municipalities can respond quickly, communicate transparently, and maintain stakeholder trust.