Blog-GovPilot Government Management Software

Why Cyberattacks Surge at Year-End: How Local Governments Can Prepare

Written by Lee Ann Dmochowski | October 14, 2025

As the calendar year draws to a close, local governments face the seasonal surge of phishing, ransomware, and DDoS attacks. Municipal and county employees are planing for the holidays, and cybercriminals are planning too. They're scanning for unpatched systems, dormant accounts, and anything they can exploit.

The steps you take now can prevent weeks of disruption later.

The Pattern of Attack

Year after year, cyberattacks spike during the final quarter:

  • Cloudflare reported a 1,885% quarter-over-quarter rise in large-scale DDoS attacks during the 2024 holiday season.
  • CISA and the FBI warn of heightened ransomware risk around holidays when response times are slower.
  • Darktrace observed a 692% jump in Black Friday-themed phishing and a 327% increase in Christmas-themed lures in late November 2024.

That's because during holidays, vacations can disperse management and reduce IT coverage. But a single compromised account can knock out payment systems or permit portals and compromise communications and payroll systems.

It's important to remove as many data security gaps as you can in advance.

Why Local Governments Need Cybersecurity

Cybercriminals target counties and municipalities for three concrete reasons. First, they can redirect payroll, submit fake invoices, manipulate vendor payments, and access personal information. A breach of your finance, accounts payable, or property information systems makes it easy for attackers to have direct access to money or information markets on the dark web.  

Second, they know that when municipalities can't deliver services, access court records, or process payments, the disruption creates enormous pressure to pay ransoms quickly. Service outages are visible and urgent in ways that attacks on private companies may not be. 

Third, utilities, traffic control systems, and public safety networks run on digital infrastructure that municipalities control. Breaching these systems doesn't just disrupt city services; it can threaten public safety and give attackers more leverage for extortion.

Five Priority Steps to Prevent Cyberattacks During the Holidays

1.    Build Your Incident Response Plan

Create a written plan that identifies critical systems, defines who has off-hours decision authority, and includes decision-making rules. For example: "If one non-critical system is compromised, the incident commander may act. If multiple critical systems are affected, contact the city manager, town manager, or county administrator."

Assign a primary incident commander and a backup. Run a 2-3 hour tabletop exercise in early November with IT, finance, communications, legal, and leadership. Walk through a realistic scenario: ransomware spreads to your permitting system. Who calls whom? Who talks to media? Which systems get isolated first?

Document gaps and address them before a real incident.

2.    Deploy Continuous Monitoring

Most ransomware goes undetected for days. Continuous monitoring catches attacks early.

  • Option A: Use free services from your state's SLCGP program. Every state participates in CISA's State and Local Cybersecurity Grant Program. Visit cisa.gov/slcgp or contact your state IT director for free incident response assistance, vulnerability assessments, training, and grant funding.
  • Option B: Partner with neighboring municipalities to share services, split an It managed services contract, and reduce costs. This approach works well for smaller towns and counties that lack the budget or staffing for dedicated security monitoring. Many regions have existing informal networks you can leverage. Ask your state IT director or county association if a shared monitoring arrangement already exists in your area.
  • Option C: Hire a Managed Security Service Provider (MSSP) for round-the-clock monitoring. Get quotes from three vendors. Ask about response times, municipal references, and whether incident response is included. Look for a 1-hour response time for high security alerts.

3.    Vet Software Vendors

Require role-based access controls (RBAC) for all software and SOC 2 Type II compliance from all cloud software vendors. Role-based access controls constrain the information any user account can access, which also limits what a hacker can beach. SOC 2 Type II compliance means an independent auditor has verified that your software provider's security controls are well-designed and operate consistently over time. Also ask:

  • What's your breach notification timeline?
  • Where is our data stored?
  • Do you have cyber liability insurance?
  • How are backups verified and where are they stored?

If a vendor can't meet your preferred standards, document the gap and implement compensating controls like network segmentation. This limits which systems that vendor can access, so a breach there doesn't spread to your entire network.

4.    Patch Critical Systems

Dedicate a focused sprint in early December to patch operating systems, databases, email systems, and file-sharing apps. Schedule during low-traffic periods and notify residents. Test patches in a non-production environment first. Have a rollback plan.

Document what you patch and what you defer. Log everything. If you're under-resourced, consider hiring a contractor for a few days. It's less expensive than a breach.

5.    Train Staff on Holiday Phishing

Generic security training often doesn't work. The best practice is to show staff real examples: fake delivery notices, bogus invoices, credential-reset scams. Keep sessions short (10-15 minutes) and role-specific.

Follow up with a phishing test email. Many email providers include built-in phishing simulation tools, or affordable third-party services offer free trials. Track who clicks and who reports it. Use results to target additional training.

Off-Hours Decision Authority

Before holidays, establish clear authority for decisions when leadership is unavailable. Document:

  • When the incident commander can act independently
  • When they must contact the city manager, town manager, or county administrator
  • Who approves ransom payment (if at all)
  • Who notifies residents and law enforcement

Test this during your tabletop exercise.

Resident Communication

Prepare message templates now for common scenarios. When a crisis occurs, you can adapt these templates quickly rather than starting from scratch.

Suggested Fourth Quarter Action Plan

November 1-15
Schedule your tabletop exercise and identify critical systems. If scheduling conflicts arise, you can conduct the exercise in early December.
November 15-30
Finalize your incident response plan. Run the exercise. Deploy phishing training.
December 1-10
Complete patch management. Test backups. Ensure backup incident commanders are trained.
December 10-20

Assess monitoring options and evaluate vendor security compliance.

If you can only do one thing, create your incident response plan. It's the foundation for everything else.

Further Reading

•    CISA State and Local Cybersecurity Grant Program: https://www.cisa.gov/slcgp
•    Ransomware Advisory: https://www.cisa.gov/news-events/alerts/2023/11/16/joint-advisory-holiday-ransomware-risk
•    FBI Ransomware Guidance: https://www.fbi.gov/investigate/cyber

Sources
•    CISA & FBI (2023). Ransomware Trends and Holiday Cybersecurity Advisory.
•    Cloudflare (2025). DDoS Threat Report: Q4 2024.
•    Darktrace (2024). Phishing Attacks Surge in Buildup to Black Friday.
View full post