Municipal Cybersecurity: Why Government Has a Human Problem

Over 60% of cybersecurity incidents in government have a human cause. Discover why traditional awareness training falls short and how behavioural analysis makes the difference.

Nexus-7 Security Team · Cybersecurity Experts · March 20, 2026 10:02

In recent years, local governments across Europe have become prime targets for cybercriminals. From ransomware attacks crippling municipal services in the Netherlands to data breaches exposing millions of citizen records in Germany and Belgium, the pattern is unmistakable: government organisations are under siege.

And the weakest link isn't the firewall. It's the people behind it.

Why Municipalities Are Prime Targets

Local governments sit on a goldmine of sensitive data. National identification numbers, medical records, tax information, social welfare applications — data that commands premium prices on dark web marketplaces. At the same time, many municipalities struggle with legacy IT infrastructure, limited budgets, and a chronic shortage of cybersecurity expertise.

Research consistently shows that over 60% of cybersecurity incidents in government organisations have a human cause. Not a technical vulnerability, not a zero-day exploit — a person making a mistake.

The Awareness Paradox

Most municipalities have invested in security awareness programmes by now. Staff complete an annual e-learning module, there's the occasional phishing simulation, and management ticks the compliance checkbox. Mission accomplished?

Hardly.

The fundamental problem with traditional awareness programmes is their assumption of a rational human model. "If people know what phishing is, they won't fall for it." But behavioural science tells a very different story.

People don't click phishing links because they're uninformed. They click because they're:

  • Under time pressure — a councillor rushing to approve a document before a deadline
  • Operating on autopilot — processing hundreds of emails daily without conscious evaluation
  • Responding to authority — an email from 'the city manager' demanding immediate action
  • Cognitively fatigued — at the end of a long workday, judgment deteriorates significantly

These aren't knowledge gaps. They're behavioural patterns. And you can't fix behavioural patterns with a PowerPoint presentation.

Why Q-Method Behavioural Analysis Works

At Nexus-7, we take a fundamentally different approach. Rather than giving everyone the same training, we first map the actual behavioural risk using our Q-Method behavioural analysis.

This methodology identifies not just what people know about cybersecurity, but how they actually behave in daily practice. Which departments take shortcuts? Where is resistance to security measures strongest? What behavioural patterns make your organisation vulnerable?

For municipalities, this reveals surprising insights:

The Front-Desk Risk

Front-desk staff at municipalities typically have extensive access to personal data. They work under high pressure, constantly switching between systems, handling complex information requests daily. Our analysis consistently shows this group is disproportionately vulnerable to social engineering — not due to lack of knowledge, but due to workload and system complexity.

The Governance Blind Spot

Councillors and city managers often regard cybersecurity as an IT matter. But with NIS2 and national cybersecurity legislation, digital security has become a governance responsibility. Leaders who fail to actively manage cyber risk face personal liability.

The Shadow IT Epidemic

Government employees routinely use unauthorised tools to get their work done. File-sharing services for document exchange, personal email accounts for work communication, messaging apps for sensitive information. Not out of malice, but because official systems are too slow or too complex.

NIS2 and Government Compliance

The NIS2 directive places significant new obligations on government organisations across Europe. National implementations — such as the Dutch Cybersecurity Act — require:

  • Risk management — including the human factor
  • Incident reporting — within 24 hours for serious incidents
  • Supply chain security — oversight of vendors and service providers
  • Management accountability — leadership is personally responsible

Many municipalities have their technical measures largely in order. Firewalls, antivirus, backup systems — they're in place. But the human component remains the Achilles heel.

Five Steps You Can Take Today

You don't need to wait for an incident to take action:

  1. Map your human risk — Not with a standard questionnaire, but with behavioural analysis that reveals how staff actually handle digital risks in practice.

  2. Put cybersecurity on the leadership agenda — Ensure elected officials and senior management understand this isn't an IT issue, but a governance responsibility.

  3. Invest in continuous awareness — One-off training doesn't work. Behavioural change requires repetition, relevance, and personalised feedback.

  4. Audit your supply chain — Municipalities work with dozens of software vendors. Each one is a potential entry point.

  5. Practice your incident response — When did you last run a cyber crisis exercise? Does everyone know what to do when things go wrong?

The Bottom Line

Municipal cybersecurity isn't a technical problem solved by technology. It's a human problem requiring a human approach. The organisations that understand this — that invest in understanding and changing behaviour — are the ones that remain standing when the attack comes.

And the attack will come. The question isn't if, but when.


Nexus-7 helps municipalities and government organisations map and improve their cybersecurity behaviour. Our Q-Method behavioural analysis provides insights where traditional methods fall short.
