December 17, 2025 by David Gray

Mind the air gap: Six cybersecurity myths endangering your network

Industries: Fire & Emergency Medical Services, Police

When we think of cybersecurity, the image that often comes to mind is a high-tech arms race. We picture shadowy, state-sponsored masterminds deploying never-before-seen digital weapons against fortress-like corporate networks. The narrative is one of complexity, sophistication and a constant battle against an almost mythical adversary. While these advanced threats are real, they don’t represent the full picture—or even the most common one.

By analysing real-world incident data from the front lines, a different and often simpler reality emerges. The most frequent and damaging attacks don’t always rely on futuristic exploits. Instead, they leverage overlooked fundamentals: unpatched software, stolen credentials and poorly segmented networks. These truths are often counterintuitive and challenge many of the foundational assumptions that guide our security strategies.

This article distils six of the most impactful takeaways from recent cyber threat intelligence. These realities expose the myths we’ve come to believe about how attacks happen and reveal where defenders should really be focusing their time, budgets, and attention.

1. The Myth: Attackers are targeting your LMR (Land Mobile Radio) network specifically.

The Reality: Your LMR network is just another target of opportunity.

The image of a sophisticated adversary meticulously planning an attack against a P25 or TETRA system is more Hollywood than reality. The vast majority of cyberattacks I’ve investigated are opportunistic. Threat actors use automated tools to scan the internet not for “public safety networks,” but for any low-hanging fruit—an unpatched Virtual Private Network (VPN), an exposed Remote Desktop Protocol (RDP) port, or a firewall with a default password.

In 2024, opportunistic threat actors were responsible for a staggering 65% of all cyberattacks against public safety so far this year. These attackers use automated scanning tools like Masscan and Nmap to sweep the internet for organisations with known security flaws, such as an unpatched firewall or an exposed remote access service. 

They don’t care whether that vulnerability leads to a finance server or a radio network management terminal; they aren’t looking for a specific name, they are looking for an open door. In many cases, the attacker who gains initial access has no idea they’ve landed in a mission-critical environment until they start exploring.

In one documented instance, a single automated scan uncovered vulnerabilities in five different public safety organisations, all of which later became victims. This illustrates the indiscriminate, wide-net approach that defines the modern threat landscape. The attack becomes targeted only after the initial opportunistic breach.

2. The Myth: The Public Safety Network core is the primary target.

The Reality: Your most critical systems will be breached through a side door.

It’s natural to assume that an attacker wanting to disrupt a radio network would launch a direct assault on a TETRA network core or subscriber database. But in reality, that almost never happens. These systems are typically well-protected. The real point of failure is the trust relationship they have with less secure, interconnected networks.

Recent intelligence from the Public Safety Threat Alliance (PSTA) reveals that cyber disruptions to computer-aided dispatch (CAD) systems or public safety answering points (PSAPs) spiked by 89% in 2024. Crucially, the report notes these incidents were largely ‘driven by opportunistic attacks on enterprise networks’—meaning attackers compromised standard IT environments first, then pivoted into mission-critical CAD systems. The initial breach typically occurs in an adjacent enterprise Information Technology (IT) environment, such as a municipal or law enforcement network, where security may be less stringent. From there, attackers use legitimate, often stolen, credentials to move laterally into the critical systems.

Think about it: a helpdesk technician’s PC is compromised through a phishing email. That technician has legitimate remote access to a server that, in turn, can connect to the radio management console. Suddenly, the attacker has a clear path from a low-stakes IT asset to your most critical Operational Technology (OT) communications infrastructure.

This highlights a pervasive risk in modern IT architecture: interconnectedness without adequate network segmentation creates a pathway from your weakest link to your most critical assets. This is why a comprehensive security assessment that maps these hidden pathways is a necessary first step for any LMR operator.

3. The Myth: You have to patch every vulnerability.

The Reality: A risk-based approach is the only viable strategy.

With over 26,000 new vulnerabilities disclosed in a single year, the directive to “patch everything” is not just impractical, it’s impossible—especially in an OT environment. LMR systems have stringent uptime requirements, complex dependencies and vendor-specific patching cycles that make the rapid-fire IT patching cadence unfeasible.

But here is the surprising reality: less than 1% of those vulnerabilities are ever actually exploited by threat actors. The vast majority of disclosed flaws never become a real-world weapon. This makes prioritisation the most critical element of any patch management program. The urgency is underscored by the fact that the mean time for hackers to exploit a high-risk vulnerability is just 44 days, while the mean time for organisations to apply the patch is 57 days. An effective security strategy isn’t about the impossible goal of patching everything; it’s about intelligently identifying and rapidly remediating the critical 1% of vulnerabilities that pose a tangible threat.

This requires a mature, risk-based vulnerability management or security patching program, often guided by a security partner who understands the unique constraints of LMR systems and can help implement compensating controls when patching isn’t an immediate option.
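To make the risk-based approach concrete, here is an added Python example (not code from the article or from any vendor tool) that ranks a constructed vulnerability inventory by exploitation evidence and reachability rather than by CVSS alone, and turns the article’s 44-day mean time-to-exploit into a patch-or-compensate deadline. The tiers, field names, placeholder ids and sample records are this example’s own assumptions.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    """Constructed inventory record; the field names are this example's own."""
    vuln_id: str            # placeholder id, not a real CVE number
    cvss: float             # base score, 0.0 to 10.0
    known_exploited: bool   # listed on an exploited-in-the-wild feed
    internet_exposed: bool  # reachable from the internet (VPN, RDP, firewall admin)
    asset_role: str         # "lmr_core", "cad" or "enterprise_it"
    patch_available: bool
    days_since_disclosure: int

MEAN_DAYS_TO_EXPLOIT = 44          # mean time-to-exploit figure quoted in the article
CRITICAL_ROLES = {"lmr_core", "cad"}

def tier(v: Vuln) -> str:
    """Rank on exploitation evidence and reachability first, CVSS second."""
    if v.known_exploited and (v.internet_exposed or v.asset_role in CRITICAL_ROLES):
        return "P1"
    if v.known_exploited or (v.internet_exposed and v.cvss >= 7.0):
        return "P2"
    if v.cvss >= 7.0:
        return "P3"
    return "P4"

def action(v: Vuln) -> str:
    """Patch inside the exploitation window, or compensate where LMR uptime rules block it."""
    t = tier(v)
    days_left = max(MEAN_DAYS_TO_EXPLOIT - v.days_since_disclosure, 0)
    if t in ("P1", "P2"):
        if v.patch_available:
            return f"{t}: patch within {days_left} days"
        return f"{t}: no patch; isolate or restrict access now, patch at next vendor release"
    if t == "P3":
        return f"{t}: patch in the next scheduled maintenance window"
    return f"{t}: track; revisit if exploitation is reported"

def prioritise(vulns):
    # Most urgent first; ties within a tier broken by CVSS.
    ranked = sorted(vulns, key=lambda v: (tier(v), -v.cvss))
    return [(v.vuln_id, action(v)) for v in ranked]

# Constructed sample inventory for the demonstration.
SAMPLE = [
    Vuln("EXAMPLE-0001", 9.8, False, False, "enterprise_it", True, 5),
    Vuln("EXAMPLE-0002", 7.5, True, True, "enterprise_it", True, 30),
    Vuln("EXAMPLE-0003", 8.1, True, False, "lmr_core", False, 10),
    Vuln("EXAMPLE-0004", 5.3, False, True, "cad", True, 60),
]
```

Note that the CVSS 9.8 flaw lands behind both exploited-in-the-wild items: the score alone does not decide the queue.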

4. The Myth: You’ll detect attackers by looking for malware.

The Reality: Attackers’ favourite tools are probably already on your network.

While custom malware gets the headlines, most skilled adversaries prefer to “live off the land” (LOTL). This technique involves using a system’s own built-in administrative tools to carry out an attack. Why deploy a noisy piece of malware when you can use PowerShell, WMI, or standard remote access tools to blend in with legitimate traffic?

Data shows that over 50% of opportunistic attacker tradecraft involves using built-in features on the target’s operating system. By using legitimate tools like PowerShell for malicious purposes, attackers can effectively blend in with normal administrative activity. This makes them incredibly difficult to detect with traditional security software, which is often configured to look for known malware signatures. The attackers can remain hidden inside the network, mapping systems and escalating privileges, until the final moments when they deploy ransomware or exfiltrate sensitive data.

This is where many IT-focused Security Operations Centres (SOCs) fall short. Defending against these attacks requires deep visibility and behavioural analytics that can distinguish legitimate admin activity from malicious abuse—a capability found in mature, 24/7 managed SOCs with specific OT and LMR expertise.
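As an added example of the behavioural detection this passage calls for (not code from the article or from any SOC product), the Python below runs a few parent/child and context rules over constructed process-creation records: PowerShell launched from Outlook with hidden and encoded switches, and a shell spawned by the WMI provider host, are flagged, while a scheduled script run by a known administrator passes. The log format, hostnames, user names, allowlist and encoded blob are assumptions made for the example.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host user parent image cmdline")

# Constructed process-creation records (event 4688-style fields, pipe-delimited).
# Hostnames, users and the encoded blob are made up for this example.
SAMPLE_LOG = """
2025-11-03T09:12:01|DISPATCH-WS07|jdoe|outlook.exe|powershell.exe|powershell.exe -w hidden -enc QUJDRA==
2025-11-03T09:12:09|DISPATCH-WS07|jdoe|powershell.exe|whoami.exe|whoami /groups
2025-11-03T09:40:22|RADIO-MGMT01|svc_backup|WmiPrvSE.exe|cmd.exe|cmd.exe /c whoami
2025-11-03T10:05:00|RADIO-MGMT01|sysadmin|explorer.exe|powershell.exe|powershell.exe -File C:\\ops\\nightly_backup.ps1
"""

ADMIN_USERS = {"sysadmin"}      # assumed allowlist of users expected to run admin tooling
OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Switches that hide or obscure what PowerShell is doing; rarely used by interactive admins.
SUSPICIOUS_PS = re.compile(r"-(enc|encodedcommand|w(indowstyle)?\s+hidden|nop(rofile)?)\b", re.I)

def parse(log: str):
    """Turn the pipe-delimited records into Event tuples, keeping the command line whole."""
    events = []
    for line in log.strip().splitlines():
        fields = line.split("|", 5)
        if len(fields) == 6:
            events.append(Event(*fields))
    return events

def findings(events):
    """Apply parent/child and context rules; return (host, user, image, reasons) per hit."""
    out = []
    for e in events:
        parent, image = e.parent.lower(), e.image.lower()
        reasons = []
        if parent in OFFICE_APPS and image in SHELLS:
            reasons.append("shell spawned by an Office application")
        if parent == "wmiprvse.exe" and image in SHELLS:
            reasons.append("shell launched through the WMI provider host")
        if image == "powershell.exe" and SUSPICIOUS_PS.search(e.cmdline):
            reasons.append("PowerShell run with hidden or encoded switches")
        if reasons and e.user not in ADMIN_USERS:
            reasons.append(f"user {e.user} is not an expected administrator")
        if reasons:
            out.append((e.host, e.user, e.image, reasons))
    return out
```

The same binary (powershell.exe) appears in both a flagged and an unflagged record; the decision rests on who launched it, from where, and how.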

5. The Myth: Denial-of-Service is a highly technical, network-level attack.

The Reality: It’s now a commoditised service that can be bought for less than $100.

For public safety, Denial-of-Service (DoS) is the ultimate threat. Historically, we thought of this as sophisticated radio jamming or complex network floods. But the criminal landscape has evolved. “Swatting,” the act of making false emergency calls to trigger a massive law enforcement response, has been commercialised on the dark web. For as little as $50 or $75, anyone can hire a service to tie up emergency services and create real-world chaos.

This “DoS-as-a-Service” model has lowered the barrier to entry to virtually zero, transforming a once-specialised threat into a common tool for disruption. For organisations managing mission-critical LMR networks, where availability is paramount, this shift is a game-changer. The question is no longer if you are a target for a sophisticated group, but when you will be targeted by someone with a credit card and a grudge.

6. The Myth: AI will create unstoppable new super-hacks.

The Reality: AI is just perfecting old, reliable attack methods.

The rise of Artificial Intelligence has fuelled fears of new, unstoppable super-hacks created by machines. While AI is certainly changing the cyber landscape, its primary role in the hands of criminals is not invention but optimisation. Instead of inventing new attack methods, AI “has automated, optimised, and significantly accelerated existing techniques, tactics, and procedures (TTPs).”

The best example is phishing. For years, you could spot a phishing email by its poor grammar and generic messaging. Today, attackers use AI tools like FraudGPT to generate flawless, highly convincing emails at scale. They can craft messages using the specific technical jargon of radio technicians or the internal acronyms of a public safety agency, making them incredibly difficult for even trained employees to spot. AI has automated and perfected social engineering, making your people a more vulnerable target than ever.

Recognising these myths is only the first step. To truly secure mission-critical environments against today’s opportunistic and lateral threats, organisations must take three practical actions:

  • Establish 24/7 Visibility: You cannot stop what you cannot see. Implement Endpoint Detection and Response (EDR) tools backed by a specialised Managed Detection and Response (MDR) service. This ensures that even if an attacker slips past the firewall, their behaviour is detected and blocked before they can move laterally into the radio core.
  • Know Your Weaknesses: Do not assume your air gap is intact. Commission a regular Cybersecurity Risk Assessment to map your network architecture and identify the “side doors”—such as shared vendor connections or unpatched CAD terminals—that attackers use as bridges between IT and OT.
  • Join the Collective Defence: Cybercriminals share tools and tactics; defenders must share intelligence. Joining the Public Safety Threat Alliance (PSTA) allows you to access real-time, sector-specific threat data. This turns the broader community’s insights into your proactive defence, helping you block threats that have already targeted your peers.

Conclusion: From Myths to Mission Readiness

The data from the front lines of cyber defence paints a clear picture. While it’s easy to get caught up in the hype of advanced, nation-state threats and AI-driven super-hacks, the reality is that most successful cyberattacks are far simpler. They prey on unpatched vulnerabilities, weak credentials, flat networks, and human error—the foundational elements of cybersecurity that are too often overlooked. Effective defence is not just about preparing for the most sophisticated threats imaginable, but about mastering the fundamentals to protect against the most common threats happening every day.

This raises a critical question for every security leader and organisation. Given that many of the greatest cyber risks stem not from futuristic super-hacks but from unpatched systems, stolen passwords and interconnected networks, are we focusing our security efforts and budgets in the right places?
