Ransomware and the Public Sector: Why Hackers Are Seeing a Green Light

The latest IT security report from Corvus shines a light on the extreme vulnerability of municipalities, government agencies and schools. The good news: It also outlines a clear path to improvement.
By: | April 15, 2020

As government entities struggle to respond to the novel coronavirus and resources are stretched to the limit, IT security may not be getting the focus it really needs.

That’s a serious issue for government entities, which were already struggling mightily on IT security, according to the latest State of the Industry Report from Corvus, spotlighting municipal governments and agencies.

With the rise in ransomware attacks on government entities, including municipalities, agencies and school systems, Corvus sought to understand what might be behind the uptick. Their findings are concerning, but highlight multiple opportunities to become less attractive targets.

Governments, typically with a range of public-facing applications, have a 33% larger attack surface on average, than other organizations, according to Corvus. A larger attack surface is harder to defend and gives attackers a greater variety of attack methods.

As opposed to highly targeted efforts, many cyber attacks are the result of so-called ‘spray and pray’ tactics. Hackers scan the IT infrastructure of organizations, exploiting vulnerabilities in an opportunistic manner.

Other attackers may blast phishing attempts to any email addresses they can get their hands on. Both strategies have proven effective in attacking government entities.

Current Security Practices Leave Much Room for Improvement

Enhanced email security software can go a long way toward preventing phishing exploits, which are the origin of 91% of all cyber attacks. Unfortunately most organizations don’t use it.

Government entities do utilize such measures more than general industry, but the figures for both are low. Corvus reports that only 15% of governments use enhanced email security software, compared with 12% of all organizations.

Most entities do use basic email authentication schemes, but government lags behind slightly. Corvus found that 74% of government entities do utilize basic email authentication schemes, compared with 80% on average for all organizations.

Governments are much more likely to manage their own infrastructure, leaving the onus of responsibility on in-house IT teams (which are often under-staffed and under-funded) to keep up with security measures. According to Corvus’ data, governments are 350% more likely to be internally hosted.

Government entities also use cloud-based hosting less frequently — about 7%, compared with 12% for organizations as a whole.

The report adds that 29% of governments are running older versions of software, about in line with general industry. The report’s writers, however, stress that older software contributes to several key vulnerabilities to be present. Thus, software updates are a crucial part of an overall plan to reduce cyber vulnerabilities.

By the Numbers

  • Criminals are getting bolder — there’s been 3x increase in the dollar amount of ransom demands in the past year.
  • There were 12 publicly reported attacks on government entities in January 2020 — comprising 43% of reported attacks.
  • Governments are 350% more likely to be internally hosted, which is known to increase vulnerabilities.
  • Attackers demanded $80,000 in the May 2019 ransomware attack on Baltimore (more than double the average demand).
  • Estimates say it will cost Baltimore $18.2 million for remediation and related efforts in response to the 2019 attack.

As more attacks against government entities are carried out successfully, their attractiveness as targets will only grow. Criminals are placing more attention on government entities and groupings of government entities.

These organizations will only find relief by making substantial changes to improve their IT security across the board. &

Michelle Kerr is Workers’ Compensation Editor and National Conference Chair for Risk & Insurance. She can be reached at [email protected].

More from Risk & Insurance