Cybersecurity Threats Targeting Government Communications
Key takeaways
- Public-sector cybersecurity is a service continuity, operational resilience, and public trust issue.
- Local governments and K-12 schools remain prime targets because of their high exposure, limited resources, legacy systems, and intense pressure to restore services quickly.
- Phishing-resistant MFA, privileged access controls, conditional access, and continuous monitoring are strategic priorities for protecting against identity-focused incidents.
- Combining cloud consolidation and structured security management can improve visibility, consistency of controls, patching posture, recovery, and data governance.
The threat patterns are familiar, but the impact is changing
Public sector organizations continue to face a mix of ransomware, stolen credentials, vulnerability exploitation, and third-party incidents. While the attacks aren’t new, the damage they cause is much greater.
Ransomware
Combines downtime, extortion pressure, and often data theft. During a ransomware attack, agencies may lose access to records, struggle to restore critical services, and face public scrutiny while also trying to protect sensitive information.
Stolen credentials
Through phishing, password reuse, poor privilege controls, or exposed credentials, attackers enter systems, escalate privileges, exfiltrate data, and position themselves for disruption.
Vulnerability exploitation
Internet-facing systems such as VPNs, portals, and edge devices are challenging to recover quickly for public agencies balancing lean staffing, aging infrastructure, and constant operational demands, creating an opportunity for attackers.
Why local governments and schools remain especially vulnerable
Local governments and K-12 institutions face high exposure potential, limited staffing, aging technology, and intense pressure to restore services quickly.
A city cannot leave constituent services offline for long. A school district cannot simply pause operations for weeks. A public safety agency cannot afford extended disruptions to communications or records access. Attackers know this and use urgency to create leverage.
When public sector leaders view cyber risk through an operational lens, they can protect against both the immediate theft of information and the interruption of the services that communities depend on every day.
Recent incidents show how disruption lands in plain view
The past several years show a clear, consistent pattern: cyber incidents in government aren’t just technical malfunctions. These events have public consequences.
In July 2024, Columbus, Ohio faced a possible ransomware incident involving a foreign threat actor that attempted to disrupt city IT infrastructure. The actor gained unauthorized access to systems and may have exposed employment records, payroll data, bank account information, driver’s license information, Social Security numbers, and other identifying data. The city also said emergency systems remained operational during the response.
In Coeur d’Alene, Idaho, a February 2024 ransomware-related incident resulted in malware encryption of certain city devices and the unauthorized acquisition of personal information. The city said it brought in legal counsel and a digital forensics firm, notified law enforcement, and offered support to affected individuals.
In 2025, the State of Nevada reported a statewide cyber event that disrupted systems for about 28 days after an SEO poisoning campaign led a user to download malicious code from a site that appeared to be a trusted resource. Nevada did not pay the ransom, restored statewide services, and recovered most of the impacted data. Its after-action report also noted that payroll stayed on schedule, public safety communications remained online, and citizen-facing systems were restored in phases.
In the education sector, PowerSchool experienced a breach that originated through a partner vendor. After the original breach, multiple school districts reportedly faced extortion attempts tied to previously stolen data. That case is a reminder that agencies do not just manage their own cyber weaknesses. They also inherit risk from the platforms they depend on.
These incidents reveal that data exposure isn’t the only concern. Payroll, schools, law enforcement information, and public communication all become vulnerable. When secure communication for public sector agencies is protected and recoverable during any cyber incident, essential services remain available and public trust can be maintained.
Identity is now the primary attack vector
If there is one message public sector leaders should take seriously, it is this: identity security has become central to cyber resilience — and it’s one of the biggest cybersecurity challenges for local governments.
Stolen credentials, weak authentication, excessive privileges, and poorly monitored accounts continue to be a way in for bad actors. And because so many credential-theft campaigns begin with a convincing message in someone’s inbox, email security practices for government agencies aren’t just features. They’re identity controls that belong near the top of the priority list. This is why secure messaging and text archiving for government agencies have become essential for visibility, compliance, and incident response.
That makes phishing-resistant multi-factor authentication, privileged access controls, conditional access, and continuous monitoring essential safeguards. When identity security is weak, every other system layered on top of it becomes easier to compromise.
Prevention still matters, but resilience matters just as much
Public agencies still need better prevention systems in place. But prevention without resilience isn’t enough.
Government leaders need cybersecurity to plan for continuity and recovery when defenses are bypassed. The best programs treat resilience as a design requirement, not a post-incident scramble.
It’s safe to assume that some attacks will succeed. Resilience is planning for what happens next.
Can payroll still run if major systems go down? Can emergency communications continue? Can public records be recovered quickly? Can schools or public safety operations maintain a minimum viable service? Can leaders make fast, informed decisions under pressure?
The agencies that fare best during cyber incidents are the ones who are prepared to operate through failure.
Why cloud data consolidation can strengthen the public sector
One of the most practical ways to improve cyber resilience is to reduce fragmentation. Many public agencies still manage data across a high-risk patchwork of aging on-premises servers, file shares, department-specific tools, and disconnected applications.
That kind of sprawl creates inconsistent controls, weak visibility, duplicate data stores, uneven backup practices, and too many places where sensitive information can be lost, exposed, or poorly governed.
Thoughtful data consolidation into well-managed cloud environments can help address those problems.
- Consolidation improves visibility. When agencies know where their data resides, who has access to it, and which systems are critical, security teams are better positioned to secure it.
- Consolidation can strengthen identity-based security. Modern cloud platforms are usually better suited to centralized identity controls such as multi-factor authentication, conditional access, role-based permissions, and session monitoring.
- Consolidation can simplify patching and reduce dependence on unsupported infrastructure. Moving data and workloads into modern cloud environments can reduce reliance on brittle hardware and aging local systems that are difficult to maintain securely.
- Consolidation can improve backup, recovery, and continuity. In a fragmented environment, restoring data after an incident can be slow and messy. A more unified cloud-based approach can make recovery faster, more consistent, and easier to test.
- Cloud consolidation can support better governance, making it easier to classify information, enforce retention rules, limit unnecessary copies, and strengthen oversight across departments.
This does not mean moving everything to the cloud should be the only strategy. Cloud adoption delivers cyber benefits only when paired with disciplined architecture, strong identity controls, contract scrutiny, and ongoing oversight. Poor cloud governance can create problems of its own.
Still, the direction is clear. In a threat environment where data fragmentation is a liability, a more consolidated, well-governed cloud environment can reduce cyber complexity while improving resilience.
Vendor risk is now mission risk
Third-party risk has moved up the priority list for operational risk management. Public agencies rely on vendors for infrastructure, systems, and communications. When those dependencies also include dispatch coordination, alerts, and internal incident response channels, the stakes are even higher. If one of those providers is compromised, it directly affects the agency and the public it serves. That means agency leadership teams need a clear understanding of which third parties are operationally essential, what data and access those third parties hold, and how quickly they can recognize and report a breach. Contract language matters. Logging matters. Cooperation during incident response matters. Continuity planning matters.
What agencies should do now
Reactive policies and procedures aren’t strategies. Public agencies need focused planning and action to get ahead of cybersecurity challenges. Industry best practices include:
- Start with identity by expanding phishing-resistant MFA, tightening privileged access management, and monitoring for exposed or misused credentials.
- Treat system resilience as a leadership issue with plans for minimum viable operations for public safety, communications, payroll, records, and citizen services during a prolonged cyber outage.
- Elevate vendor oversight to gain clarity on providers and operational dependencies, and ensure contracts support cybersecurity response.
- Reduce unnecessary complexity by consolidating data and systems into well-governed cloud environments.
- Rehearse decision-making with exercises that include key stakeholders to address ransomware, extortion, restoration priorities, law enforcement coordination, and public messaging.
The real issue is public trust
What sets public-sector cyber risk apart is not only the technology but also the focus from management.
When a government system fails, it affects residents, students, families, public employees, and communities. It can delay benefits, disrupt learning, interfere with courts, complicate emergency response, and weaken confidence in public institutions. These challenges extend across all levels of government, where agencies must align cybersecurity with mission continuity. For organizations operating at the national level, tailored approaches for federal government cybersecurity environments help address complex regulatory and operational demands.
That is why cybersecurity in the public sector must be treated as a service continuity issue, and why it is important for the government in the first place.
Over the last 24 months, the evidence has been consistent. Attackers continue to exploit common weaknesses such as stolen credentials, exposed systems, and trusted third parties. What has changed is the impact. The consequences are increasingly felt in the services the public expects the government to provide every day.
The most practical path forward is not chasing tools for their own sake. Leadership should stay anchored on identity, resilience, vendor oversight, and modernization, including smart data consolidation into secure, well-governed cloud environments. Done well, that approach protects more than data. It protects continuity, credibility, and public trust in institutions.