April 9, 2026

    Top Cyber Threats Facing Local Governments in 2026

    There's no shortage of general cybersecurity warnings aimed at local governments. What's actually useful is real data — what's hitting cities, counties, and townships, and how often.

    So here's what we found. Over the past year (March 2025 – March 2026), Blumira analyzed threat findings across all local government customers — cities, towns, counties, villages, fire districts, and more. 60% had confirmed major threat or suspicious activity findings. In total: 14,347 findings across 185 distinct detection types.

    Here's what stood out:

    1. The biggest problem: stolen credentials

    The largest category — roughly 1,862 findings across 36% of organizations — was suspicious authentication activity. Impossible travel logins, sign-ins from countries the agency has never seen, Azure risky sign-in flags, and password spraying. Credential attacks are cheap and scalable, and they work especially well against organizations that haven't fully rolled out MFA.
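
    As an added example (not Blumira's detection logic or code from the original post), here is one way to flag two of the sign-in patterns named above: impossible travel and sign-ins from countries the agency has never seen. The sign-in records, user names, the 900 km/h speed ceiling, and the 100 km minimum distance are constructed assumptions, and the coordinates are assumed to come from geo-IP enrichment of authentication logs.

```python
import math
from datetime import datetime

# Constructed sample sign-ins (not real data): user, UTC time, country, lat, lon.
SIGNINS = [
    ("clerk01", "2026-03-02T13:05:00", "US", 42.33, -83.05),
    ("clerk01", "2026-03-02T14:10:00", "US", 42.28, -83.74),
    ("clerk01", "2026-03-02T15:00:00", "RO", 44.43, 26.10),
    ("dpw-admin", "2026-03-02T09:00:00", "US", 39.96, -83.00),
    ("dpw-admin", "2026-03-04T09:30:00", "CA", 43.65, -79.38),
]

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def find_suspicious(signins, baseline_countries, max_kmh=MAX_KMH):
    """Return (user, time, reason) findings for impossible travel and new countries."""
    findings, last, seen = [], {}, set(baseline_countries)
    for user, ts, country, lat, lon in sorted(signins, key=lambda s: s[1]):
        when = datetime.fromisoformat(ts)
        if country not in seen:
            findings.append((user, ts, "new_country:" + country))
            seen.add(country)
        if user in last:
            prev_when, plat, plon = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            # Simultaneous sign-ins from distant places count as impossible too.
            if km > 100 and (hours == 0 or km / hours > max_kmh):
                findings.append((user, ts, "impossible_travel"))
        last[user] = (when, lat, lon)
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SIGNINS, baseline_countries={"US"}):
        print(finding)
```

    Geo-IP coordinates are approximate, and VPN or mobile-carrier egress points can trigger the travel rule, so findings like these are a prompt to review the account rather than proof of compromise.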

    2. Almost every org had persistence findings

    97% of organizations had findings in the persistence and account manipulation category — new MFA devices added to accounts, suspicious inbox rules, users added to privileged groups. When attackers get in, staying in is the immediate priority. That this showed up across nearly every org in the dataset suggests it's a systemic issue, not a targeted one.

    3. Unauthorized remote access tools are everywhere

    38% of organizations had findings tied to remote access tools — TeamViewer, Splashtop, GoToMyPC, LogMeIn, ScreenConnect, RustDesk — generating over 1,300 findings combined. These tools aren't inherently malicious, which is what makes them useful to attackers. They blend in, they're easy to deploy, and they give persistent access without raising obvious alarms.

    4. Visibility unmasks malware threats

    Over a third of organizations had confirmed malware findings from EDR tools like Defender, CrowdStrike, and SentinelOne — over 1,100 findings total. These are real detections, not heuristic guesses. The catch: agencies without EDR feeding into centralized monitoring won't see any of this. The malware doesn't disappear — the visibility does.

    5. Attackers are covering their tracks

    30% of organizations had security evasion findings: 217 instances of Windows Event Log clearing and 121 instances of Defender real-time protection being disabled. Clearing logs is a direct attempt to erase the audit trail CJIS requires you to keep. Without a SIEM capturing logs externally in real time, an attacker who clears local logs has effectively cleaned up after themselves.

    6. A spike before the election

    October 2025 was the highest-activity month in the dataset — 1,757 total findings, including 617 classified as Threat-level. Activity dropped sharply in November. Local government infrastructure handles voter systems, public portals, and internal communications that are higher-value targets heading into elections. The timing is consistent with known threat actor behavior.

    What this means going into the rest of 2026

    None of these attack types are novel. Password spraying, unauthorized remote tools, MFA device additions, and log clearing have well-understood detection methods. They're working against local governments because many agencies simply don't have the visibility to catch them.

    The scale is the real story: 12 months, 185 detection types, 14,347 findings across organizations of all sizes. This isn't a few targeted incidents. It's persistent, ongoing activity.

    If your agency doesn't have centralized, real-time log monitoring, the question isn't whether this is happening in your environment (because it almost certainly is), it's whether you'd know.

    Eric Pitt

    Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.
