6 Reasons Why the Public Sector is a Prime Target for Cyberattacks

The public sector has grown increasingly vulnerable to cyber-attacks. The Government Accountability Office (GAO) reported that federal agencies had over 30,000 security incidents in 2022, which could have resulted in serious harm to human safety, the economy, or national security. To address the persistent risk of cyber attacks, the U.S. government issued a National Cybersecurity Strategy, emphasizing a partnership between public and private sectors to strengthen digital infrastructure.

But, why has the public sector become such an attractive target for cyber attacks? What challenges does this industry face in defending itself against malicious actors? 

This post will dive into the most common cyber threats the public sector faces and how cyber attacks against this industry have trickle-down effects on individuals.

Why is the Public Sector a Prime Target for Cyberattacks?

Historically, the public sector has been stifled by limited budgets and smaller staffs, making it slow to implement new security controls. As a result, many public sector entities run old, outdated IT systems. GAO data shows that of the 1,610 recommendations the agency made in 2010 to address cybersecurity issues, 567 remained unimplemented as of May 2024.

But what makes the public sector so enticing for threat actors? Several factors make public sector organizations ideal targets for cyberattacks:

• Essential services: Public sector entities often manage essential services, such as healthcare, energy, transportation, communication, and more. Any disruption due to a cybersecurity threat could have widespread consequences.
• Vast amounts of data: Public sector organizations hold a wealth of sensitive information, from social security numbers to tax information.
• Limited resources: Public sector organizations frequently operate with limited budgets, small staff, and outdated budgets.
• Large attack surface: With extensive networks and an increasing number of connected devices, public sector organizations have large attack surfaces with a wide array of access points for malicious actors to gain a foothold.
• Critical infrastructure: By targeting the public sector, threat actors can impact critical infrastructure, disrupting essential services and potentially impacting the economy or even national security.

Cyber attacks can greatly impact public trust and result in decreased confidence in local, state, and federal entities. When public sector organizations understand the factors that put them at risk of a cyber attack, they can make better cybersecurity decisions, safeguard their networks, and retain public trust.

1. The Public Sector Is a Favorite Target for Organized Crime and State-Sponsored Actors

Much of the cybercrime economy involves threat actors exploiting targets of opportunity, usually businesses with weak security controls or known critical vulnerabilities. In direct contrast, the public sector is often targeted by organized crime and state-sponsored threat actors. According to Microsoft, 40% of all attacks against U.S. critical infrastructure were nation-state-motivated.

In May 2023, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) warned that a state-sponsored advanced threat actor known as Volt Typhoon was targeting U.S. critical infrastructure. In 2024, CISA confirmed Volt Typhoon compromised the IT environments and multiple critical infrastructure organizations across several sectors.

Cyber threats against critical infrastructure are a persistent risk, and the convergence of IT, Internet of Things (IoT), and Operational Technology (OT) environments has increased the complexity and vulnerability of previously isolated industries and networks.

2. IoT and OT Devices Create New Security Risks

IoT devices offer countless benefits to public sector organizations. They can help facilitate constant and precise monitoring of critical infrastructure across multiple sectors. However, these devices often have weak security controls, and without a robust IoT management solution, they can inadvertently expand an organization’s attack surface.

According to 2024 data, 70% of public sector respondents reported that their organization experienced a security incident involving a mobile or IoT device. Even organizations that have not experienced a security incident struggle to manage their IoT devices thanks to device sprawl. As IoT devices become increasingly common across all industries, they can rapidly proliferate, creating a chaotic and unmanageable network.

To fully overcome this challenge, public sector organizations need to have a complete and accurate picture of their entire IoT device fleet so that they can manage and secure devices against cyber threats.

3. The Ongoing Ransomware Epidemic

Often referred to as an “epidemic” by industry experts and media alike, ransomware attacks have compromised countless organizations of all sizes. In addition to the high-profile attacks against Colonial Pipeline and SolarWinds, several notable ransomware attacks have impacted the public sector.

In 2019, Baltimore City fell victim to a ransomware attack that crippled city services, including email, payment portals, and real estate transactions, for several weeks. In March 2024, the Kansas City Area Transportation Authority was hit by a ransomware attack that disrupted communications and service operations, highlighting the growing trend of attacks against transit and smart cities.

Law enforcement efforts to dispute ransomware gangs have had some success. However, the decentralized nature of ransomware gangs makes a true takedown difficult, leading to increased calls for a ban on ransom payments and increased federal scrutiny of the problem.

4. Unpatched Critical Vulnerabilities

The vulnerability landscape is sprawling. Over 28,000 common vulnerabilities and exposure (CVEs) were published in 2023, nearly 3,000 more than in 2022. Critical vulnerabilities are a risk for all organizations, but they can pose a unique challenge for the public sector, which often has limited resources to address new vulnerabilities.

For example, On January 10, 2024, Ivanti publicly disclosed two zero-day vulnerabilities impacting Ivanti Connect Secure VPN appliances. Roughly three weeks later, CISA directed all federal agencies to disconnect Ivanti devices within 48 hours due to persistent risks.

Securing IoT devices with critical vulnerabilities can be especially challenging as traditional vulnerability scanners often use active network scanning that can take IoT devices offline. Instead, public sector organizations should understand the totality of their IoT device fleet and prioritize vulnerability management based on the context of each device.

5. Distributed Denial of Service (DDoS) Attacks

DDoS attacks are a mainstay of the cybercrime economy. These attacks are relatively easy to execute, and in recent years, Distributed Denial-of-Service  (DDoS as a Service) has emerged.

One of the most notable DDoS attacks against a public sector entity took place in 2015 when Ukraine’s power grid was targeted by a sophisticated cyberattack that led to widespread power outages affecting over 230,000 residents. The attack is believed to be the first known successful cyberattack on a power grid and was attributed to Russian state-sponsored hackers.

6. Other Cyber Threats

The public sector contends with a multitude of other cyber threats. Social engineering attacks capitalize on human error to manipulate employees into divulging confidential information:

• Phishing attacks employ a false sense of urgency to trick users into taking immediate action, often overlooking subtle misspellings in email addresses or suspicious links. Phishing is an easy way to gain access to a treasure trove of sensitive information or can be used to pivot to other cyber attacks.
• Business Email Compromise (BEC) attacks usually begin with a phishing email. Attackers will impersonate trusted colleagues or vendors, usually to trick employees into remitting false payments.

The high level of trust among public sector employees can make it challenging to detect sophisticated social engineering scams, highlighting the need for robust security controls and user training.

How Asimily Protects the Public Sector

Public sector organizations must take steps to prevent cyber attacks and ensure reliable access to the essential services we rely on in our daily lives. In an age where digital threats evolve rapidly, safeguarding sensitive data and critical infrastructure is key to maintaining public trust. As the number of connected devices increases each year, so do the entry points for bad actors looking to compromise public sector organizations.

Asimily is a trusted partner for public sector organizations. We offer a comprehensive platform purpose-built for smart cities, diverse device fleets, large territories, and municipal demands such as public safety and open data availability. By protecting IoT and OT devices, which cannot be protected through standard means of protection, Asimily helps lower the attack surface for public sector organizations.

Asimily’s inventory and vulnerability detection capabilities ensure you can identify critical assets and resolve business-critical weaknesses across your entire attack surface. In the event of a cyberattack, our platform, with its rapid response features, quickly captures packets to aid incident responders. With Asimily, security teams can keep a handle on their IoT attack surface and ensure they are as safe as possible, providing a sense of reassurance and security.

To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.