The Center for Internet Security, the Upstate New York nonprofit that runs information sharing and analysis operations to support government agencies, found in a study announced Tuesday that cyberattacks on state and local governments increased from 2022 to 2023. That’s according to the results from its 2022 Nationwide Cybersecurity Review, a survey of more than 3,600 state, local, tribal and territorial government organizations on cybersecurity preparedness.
The report focuses on the first eight months of 2022 and 2023, when participating government organizations claim they saw noticeable growth in several types of cyberattack. The center found that malware attacks increased by 148%, while ransomware incidents were 51% more prominent during the first eight months of 2023 than they were during the same period a year earlier.
Non-malware cyberattacks, in which hackers use the tools that already exist on a device or within software to take over a system instead of creating a custom tool that could be flagged as malware, increased by 37%. The report also documented a 313% rise in endpoint security services incidents, such as data breaches, unauthorized access and insider threats.
The biggest weakness in many state and local government organizations’ cybersecurity programs, according to the report, is simply that they’re still being created.
“An organization may have a process in place to address vulnerabilities, and there may be response or recovery plans in place, but these various activities may not have been formalized or tested consistently,” the center’s Multi-State Information Sharing and Analysis Center team, which conducted the survey, documents in the survey results.
Organizations without established cybersecurity plans cited “insufficient funding, an increasing sophistication of cyber threats, a lack of documented processes, emerging technologies, and limited access to cybersecurity professionals” among the challenges they face — the same top five concerns that have plagued government entities for the past eight years, according to the report.
While the CIS report highlights state and local governments’ cybersecurity weaknesses, it also found areas where survey participants strengthened cyber protections, including identity management, cybersecurity awareness training and implementing mitigation and recovery strategies in the event of an attack.