Ditch the Digital Ostrich: How Zero Trust is Saving Municipalities (and Their Wallets) from Cyber Chaos


As we head into Thanksgiving, let’s talk turkey about something that’s probably keeping more than a few municipal CIOs up at night: cyber security, its thorny relationship with insurance, and how a little thing called Zero Trust is quickly becoming the hero we didn’t know we needed.

Today I delivered a webinar on this topic.

Municipal governments, bless their collective hearts, are a unique breed in the digital landscape. You’ve got everything from dog licences to 911 dispatch, GIS systems, and ancient Visual Basic apps humming along with Microsoft Access in the background – a veritable digital menagerie. But here’s the kicker: the ratio of “systems to staff supporting them” is often astronomical. We’re talking 50 different apps and maybe one poor soul trying to keep the digital lights on. It’s enough to make a seasoned techie want to just close their eyes and be an ostrich, hoping the ransomware doesn’t notice them.

The Insurance Game: No Longer a Cakewalk

For years, cyber insurance was like that one friend who always picked up the tab. You’d buy a policy, and if things went sideways, they’d cover it. But then, as cyber shenanigans evolved into full-blown cybercrime, especially ransomware, insurers started paying out more than they were raking in. And make no mistake, your insurance company isn’t running a charity. They’re for-profit entities, and they decided it was time for some “corrective measures.”

Around 2019-2021, the landscape shifted faster than a politician changing stances. Insurers started “firing” municipalities, or at least making premiums so astronomical they rivalled the GDP of a small European country. The weapon of choice? A questionnaire, particularly three key questions:

  1. Do you have multi-factor authentication on all users and critical resources? This is the big one. Answer wrong, or even vaguely, and you’re potentially uninsurable or facing premiums that would make your finance director weep.
  2. Do you have offsite, tested backups?
  3. Do you provide active cybersecurity training for your staff?

The City of Hamilton, Ontario, became a cautionary tale in this new era. After a high-profile breach, their insurance carriers reportedly declined coverage, citing a disagreement over whether multi-factor was truly rolled out across all systems. This isn’t about whether you have multi-factor on your Office 365, but whether that old Mitel PBX or the VNC-controlled water treatment plant also has it. Insurers read “all users and critical resources” literally, so every exception on your list becomes a very expensive problem.

The VPN Problem: A Digital Trojan Horse

So, how do municipalities typically handle remote access for their veritable army of employees and contractors (remember, 60 per cent of your workforce often isn’t directly employed by the municipality)? Often, it’s the venerable, yet increasingly problematic, VPN.

A VPN, in essence, is just a “long Ethernet cable.” It gives anyone connected an IP address on your network, so they can reach every host on that subnet, not just the one application they need. And while it “just works like being there” for some, it’s an absolute nightmare for security and insurance. Why?

  • No multi-factor on everything: VPNs rarely integrate seamlessly with universal multi-factor, especially for external parties.
  • Shared accounts galore: People often use generic or shared VPN accounts, eliminating any audit trail. You can’t put multi-factor on something lots of people “have” or “know.”
  • The “Colonial Pipeline” effect: Remember the Colonial Pipeline hack in the US? That entire fiasco, which disrupted fuel supply along the US East Coast, started with a compromised password for a legacy VPN account that had no multi-factor authentication. It wasn’t some Bond villain-level attack, just a forgotten, unprotected VPN account.
  • Bidirectional Risk: When you connect a third party via VPN, their network’s risk becomes your network’s risk, and vice-versa. Malware on their machine can waltz right into yours. You suddenly have to worry about their brother-in-law’s kid installing games on a VPN-connected home PC. That’s a “no peeing section in a pool” kind of security, and it just doesn’t work.

Enter Zero Trust: The Digital Nirvana

This is where Zero Trust swoops in like a superhero in a sensible blazer. Forget the old “castle and moat” security model, where being on the network is treated as proof of who you are. Zero Trust, as defined by NIST in SP 800-207, operates on the principle of “never trust, always verify”: every request is authenticated and authorised on its own merits, regardless of where it comes from. It boils down to three simple questions for every access request:

  1. Who are you? (Identity) Every user, internal or external, needs a unique, authenticated identity. No shadow accounts, no shared passwords.
  2. What are you allowed to do? (Authorisation) Access is granted based on the principle of least privilege – only to the specific resources absolutely necessary, and only for that moment.
  3. How do you get there? (Access) This is where Agilicus shines. We propose an identity-aware proxy that’s predominantly web-based. To the end user, it’s just another website. No clunky VPN client installations, no subnet overlaps, no broken video calls because the VPN is routing everything through your office in Saskatoon.

This approach addresses all the pain points:

  • Universal multi-factor: Agilicus brings multi-factor to all users and all systems, regardless of how ancient or modern they are, because the proxy enforces it in front of the application rather than inside it. That old OS/400 app? Multi-factor-enabled. Your new Office 365? Multi-factor-enabled. You can confidently answer “yes” to your insurer’s questions.
  • No local software: Users access resources through a browser, meaning no client software to install or maintain on their end.
  • Granular Control & Audit: You get precise control over who accesses what, with detailed audit trails for every action. This limits the “blast radius” if a breach does occur.
  • Passkeys for simplicity: We’re big proponents of passkeys (FIDO2/WebAuthn). The credential is bound to the site it was registered with, so it can’t be phished onto a look-alike page, and cross-device sign-in runs over Bluetooth Low Energy so your phone can authenticate you to a laptop. Say goodbye to SMS-based multi-factor, which is vulnerable to SIM swapping and phishing.
  • Single Sign-On (SSO) for everyone: Internal staff, external contractors, the person managing the ice rink’s HVAC – everyone uses their own trusted identity provider. When Joe leaves his company, his access to your municipal systems is automatically revoked. No more accounts lingering for years after someone has moved on to bigger (or at least different) fish.
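The three questions above, as a worked example added here (this is not Agilicus code and not a description of its product): a minimal identity-aware proxy decision in Python. The identity provider is simulated with an HMAC-signed token; a real deployment verifies the IdP’s asymmetric signature against its published keys. The resource names, identities, key and policy table are constructed for illustration. Each request is authenticated (who are you), checked for a multi-factor assertion and against a least-privilege allow-list (what are you allowed to do), and written to an audit record whether or not it is allowed. Because access depends on a short-lived token from the contractor’s own identity provider, when that provider stops issuing tokens for a departed employee, the expiry check ends their access with no lingering account to clean up.

```python
"""Minimal identity-aware proxy decision logic (added example, not Agilicus code)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed example: the identity provider and proxy share an HMAC key.
# A real deployment verifies an asymmetric signature against the IdP's JWKS.
IDP_KEY = b"constructed-example-key"
IDP_ISSUER = "https://idp.example"  # hypothetical issuer

# Least-privilege policy (hypothetical names): which identities may reach
# which backend, and whether a multi-factor assertion is required.
# "allowed": None means any authenticated identity from the trusted IdP.
POLICY = {
    "gis-viewer": {"allowed": {"alice@city.example", "joe@hvac-co.example"}, "require_mfa": True},
    "water-plant-hmi": {"allowed": {"alice@city.example"}, "require_mfa": True},
    "public-notices": {"allowed": None, "require_mfa": False},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Stand-in for the identity provider: sign the claims HS256-style."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now: float) -> dict:
    """Who are you? Reject anything unsigned by the IdP, expired, or from the wrong issuer."""
    try:
        header, body, sig = token.split(".")
        signature = _b64url_decode(sig)
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body))  # signature checked, safe to parse
    if claims.get("iss") != IDP_ISSUER:
        raise PermissionError("unknown issuer")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


def decide(token: str, resource: str, now: float, audit: list) -> tuple:
    """One access request: identity, then least-privilege authorisation, always audited."""
    subject = None
    try:
        claims = verify_token(token, now)
        subject = claims.get("sub")
        rule = POLICY.get(resource)
        if rule is None:
            raise PermissionError("no policy for resource")
        # "amr" lists the authentication methods the IdP observed; require "mfa".
        if rule["require_mfa"] and "mfa" not in claims.get("amr", []):
            raise PermissionError("multi-factor required")
        if rule["allowed"] is not None and subject not in rule["allowed"]:
            raise PermissionError("not authorised for resource")
        allowed, reason = True, "ok"
    except PermissionError as exc:
        allowed, reason = False, str(exc)
    # Every decision, allowed or denied, lands in the audit trail with a unique subject.
    audit.append({"ts": now, "sub": subject, "resource": resource,
                  "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    now = time.time()
    log = []
    joe = mint_token({"iss": IDP_ISSUER, "sub": "joe@hvac-co.example",
                      "amr": ["pwd", "mfa"], "exp": now + 600})
    for resource in ("gis-viewer", "water-plant-hmi"):
        print(resource, decide(joe, resource, now, log))
    print("after the IdP stops renewing:", decide(joe, "gis-viewer", now + 3600, log))
    for entry in log:
        print(entry)
```

The point of the example is the shape of the decision, not the token format: the proxy never consults an IP address or a network location, only a verified identity, the methods used to prove it, and a per-resource allow-list, and it records every outcome so the blast radius of any incident can be reconstructed.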

From “Price to Market” to “Price to Risk”

I once had a very illuminating conversation with a product manager at Chubb, who informed me they priced cyber insurance to “market,” not “risk.” Essentially, they charged what they thought you could afford, regardless of your actual security posture. “Screw you, bye-bye,” was the gist of it.

But the world has changed. Those three questions from insurers are now a litmus test. Fail them, and you’re either uninsurable or paying a king’s ransom. By implementing Zero Trust, you’re not just improving your security; you’re systematically controlling your risk, which will, eventually, lead to more favourable insurance premiums. It’s about demonstrating real, verifiable defence in depth.

Getting Started: Easier Than You Think

You might be thinking this sounds like a multi-year project involving a team of consultants drinking all your cafeteria coffee. Not so. Most Agilicus customers get their first user and application up and running in a couple of hours. It’s about focusing on securing those “digitally disenfranchised” external workers first, or perhaps critical systems like water plants, or even your own internal team. No network reconfiguration, no application rewrites, and no user retraining – because everyone knows how to use a browser.

So, as insurance renewal season rolls around for many municipalities, now’s the time to ditch the digital ostrich routine. Recognise that VPNs aren’t the answer for everything, that single sign-on and multi-factor are for everybody (not just team A), and that defence in depth is your best friend.

Don’t let your municipality become another cautionary tale. Agilicus has your back. Peace out.