July 19, 2023
Ransomware threat actors are turning away from major federal organizations and focusing on small state and local-level government agencies.
Verizon’s 2023 Data Breach Investigations Report showed a significant uptick in attacks against government agencies. In fact, one out of every five reported security incidents occurred at a government institution.
Unlike in previous years, attackers generally avoided large, federal-level organizations. Now, threat actors have their sights set on much easier targets – state and local government agencies.
At the same time, ransomware operators have developed new, more sophisticated approaches. Double extortion attacks are now becoming the norm, and public administrators are particularly at risk.
Small government agencies don’t always have a comprehensive set of enterprise-level security systems and policies in place. These organizations historically faced fewer attacks than similarly sized peers in other industries (and far fewer than enterprise-sized national government agencies), and rarely command the resources necessary to build and staff an in-house security operations center.
However, as large government organizations adopt stricter, more successful security policies, smaller organizations are increasingly becoming targets of opportunity. Any organization that provides public services is a tempting target for threat actors, and smaller ones with limited security budgets are especially vulnerable.
Local Government Security Audits Show Concerning Trends
According to one independent state auditor, state and municipal-level government agencies often have key vulnerabilities that remain unaddressed for years at a time. The most alarming of these include:
- User access management and authentication issues. Employees at government agencies may share login credentials or grant access to sensitive files and systems without adhering to the principle of least privilege. Some government agencies neglect to de-provision user accounts after employees leave, opening themselves to potential attacks from threat actors compromising obsolete credentials.
- Inconsistent or poorly enforced security policies. Password sharing and reuse remain persistent problems among people everywhere, and they are especially pronounced among non-technical employees at small organizations. Even government agencies that have strong security policies may find themselves vulnerable to attack simply because those policies are inadequately understood and underenforced.
- Inadequate security controls. Built-in security controls can dramatically increase the difficulties cybercriminals face when infiltrating target networks. Some local government systems do not lock users out of their accounts after multiple failed login attempts in a short period of time. Others neglect to log inactive users out after a set period of time. These are industry-wide best practices that small government agencies should widely implement and enforce.
- Unsecured disaster recovery solutions. Routine data backups and off-site storage are vital components of ransomware incident response. Ransomware threat actors know this, so they will try to target these security solutions and take them offline before launching their attacks. Small government agencies may not have the time or resources needed to regularly test their disaster recovery readiness against these kinds of attack scenarios.
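The account and control findings in the list above can be checked mechanically. The following is an added example, not part of the original article or any vendor's tooling: it reviews a constructed account export and a policy dictionary whose column and key names are hypothetical.

```python
import csv
import io
from datetime import date

# Constructed sample data: a directory export joined with HR status.
ACCOUNTS_CSV = """username,enabled,hr_status,last_login
asmith,true,active,2023-07-10
bjones,true,terminated,2023-01-04
cdiaz,false,terminated,2022-11-30
dlee,true,active,2022-09-15
svc_backup,true,none,
"""

# Constructed policy settings; key names are hypothetical, not from any product.
POLICY = {"lockout_threshold": 0, "lockout_window_minutes": 15,
          "idle_logout_minutes": None}

def audit_accounts(csv_text, today, stale_days=90):
    """Return (username, finding) pairs for enabled accounts needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing left to de-provision
        if row["hr_status"] == "terminated":
            findings.append((row["username"], "enabled after employee departure"))
        elif not row["last_login"]:
            findings.append((row["username"], "enabled with no recorded login"))
        elif (today - date.fromisoformat(row["last_login"])).days > stale_days:
            findings.append((row["username"], f"no login in over {stale_days} days"))
    return findings

def audit_policy(policy):
    """Flag a missing lockout or idle-logout control (unset or zero means off)."""
    findings = []
    if not policy.get("lockout_threshold"):
        findings.append("no account lockout after repeated failed logins")
    if not policy.get("idle_logout_minutes"):
        findings.append("inactive sessions are never logged out")
    return findings

if __name__ == "__main__":
    for user, issue in audit_accounts(ACCOUNTS_CSV, date(2023, 7, 19)):
        print(f"{user}: {issue}")
    for issue in audit_policy(POLICY):
        print(f"policy: {issue}")
```

Accounts with no HR record, such as the constructed `svc_backup` entry, are reported separately so that service accounts get an explicit owner review rather than being silently skipped.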
Address Ransomware Risks at the Root
Between 2018 and 2022, ransomware attacks against government organizations impacted 230 million people and caused more than $70 billion in damages. This figure doesn’t just include payouts made by unprepared government leaders – it also includes damages associated with disruption to critical government services.
Government institutions can only run effectively when empowered by the public’s trust. Local and state institutions that fall victim to ransomware attacks must fight an uphill battle to regain that trust. At the same time, they must deploy significant resources toward remediating the risks associated with breached public records. It’s worth pointing out that these costs often run much higher than the cost of implementing a robust security posture in the first place.
But it’s true that government agency leaders can’t always rely on in-house capabilities to address ransomware risks. The need to delegate core security operations to reputable managed security providers is greater now than ever before.

Castra provides managed detection and response services to government agencies of all sizes. It specializes in deploying reliable security solutions scaled to meet the needs of state and local institutions with limited budgets.
Discover how Castra can help you transform your security posture by scheduling an expert-led demo.