New research by AI-driven commercial insurance products provider Corvus has found that governments are more vulnerable to cyber-attacks than other organizations.
A report on the security of municipal governments and agencies identified three key factors that made governments particularly soft targets. Researchers found that governments had larger attack surfaces, lower usage rates of even the most basic email authentication schemes, and much higher rates of internal hosting than other organizations.
Government attack surfaces, consisting of open ports and applications, were found to be on average 33% larger than those of other organizations.
Researchers wrote: “Greater attack surface is harder to defend (due to sheer scale) and presents attackers with more opportunities for a range of different attack types.”
When compared to other organizations, governments were found to be more likely to use enhanced email security software but not as likely to protect themselves with basic email authentication schemes. On average, 15% of governments used enhanced email security software while 74% used basic email authentication schemes, compared to 12% and 80% of other organizations, respectively.
Researchers noted that protecting the security of email “is an important step in preventing phishing exploits (the origin of 91% of all cyberattacks), and the majority of organizations of all types do not take it.”
Governments were found to be 350% more likely to host internally than other organizations, making them much more reliant on their in-house IT teams to keep security measures updated.
Staying on top of security is tough when your software is older than a US presidential candidate. Researchers found that 29% of governments are running older versions of software, which are more likely to harbor vulnerabilities.
“In general, we’d expect municipalities to have better security than average, given their size and scale,” wrote researchers, “but with more attack surface for potential exploits on vulnerable ports, lower usage rates of even the most basic email authentication schemes to protect against phishing, much higher rates of internal hosting (meaning it’s up to the often under-staffed and under-funded IT departments to keep up with security trends), and old software versions in use, governments are a soft target.”