Your organization deployed multi-factor authentication. Password attacks dropped to zero. Credential stuffing became irrelevant. You won the authentication war.

Then the attackers adapted.

Cybercriminals realized they don’t need to break down your front door when they can steal your house key after you’ve already unlocked it and walked inside. This approach bypasses MFA entirely because the authentication already happened—legitimately.

You’ll see it in your logs as successful sign-ins from legitimate user accounts. No failed password attempts. No MFA bypass alerts. Just normal-looking authentication events that aren’t normal at all.

When Hackers Get Through: Your Municipal Risk Management Reality

Your job isn’t fighting hackers. It’s protecting your community’s ability to function when hackers win.

Recent incidents across Canada prove a harsh reality: sophisticated attackers eventually breach even well-defended organizations. The City of Hamilton faced an $18.5 million ransom demand. BC’s government networks suffered “sophisticated cybersecurity incidents” from state-sponsored actors. These weren’t IT failures—they were organizational crises that tested every aspect of municipal leadership.

Introduction

Modern security frameworks recognize five interdependent components that form a complete digital ecosystem: Users who interact with systems, Devices that provide access points, Networks that connect components, Applications that perform functions, and Data that holds value.

What happens when a new species enters this carefully balanced ecosystem? AI Agents—with their ability to act autonomously, access sensitive resources, and make consequential decisions—create ripple effects throughout our existing security paradigms.

Unlike adding another device type or data classification, integrating AI Agents into our security thinking requires a fundamental reconsideration of how we define protection boundaries. These entities exist simultaneously across multiple domains, blurring the lines between user and application, between data processor and decision-maker.

How it all began

As I mentioned here, I’ve tried many different productivity tools for keeping myself organized at work but I’ve settled on Obsidian.
It was going to be a demo for a co-worker.
I started very simple, a note for each day, using the Daily Note plugin - no template, just a blank space where I put the various projects names and a line or two about status. I probably had the Calendar plugin installed - because it makes it easier to work with the Daily Note and I like having the calendar on the screen.
I probably had two notes named after clients - so I could use wiki links - and one or two notes for Projects. I gave the demo, explained how easy it was to work with and the potential benefits - I made a new daily note during our demo and added more data, I showed some basic markdown, all the typical demo things. Later I did the same demo for one of our Service Delivery Managers.
When I was going through it the second time I realized I should probably use it for myself.

As I mentioned here, I use Obsidian to prepare for tests.
I have a simple process for preparing:

1. Exam Prep note
2. Find study material sources
3. Create Topic Notes
   1. Gather data into Topic Notes
      1. Make content my own
4. Turn Topic Notes into slides
5. Review slides
6. Take practice tests
7. Add content to address weaknesses
   1. New notes specific to a part of the content/category
8. Repeat steps 4, 5 & 6
9. Take exam
10. Consistency

This process has worked for me - I’ve passed 100% of the tests I taken using this method, on my first attempt.