Cyberattacks against government agencies and public sector services were up 40% in 2023.
In the U.S., the average cost of a data breach continues to rise, reaching $9.5 million last year.
On average, recovering from a ransomware attack costs an organization $1.82 million, excluding any ransom payments.
In the ever-evolving cybersecurity landscape, keeping up with the latest threats can be difficult. For a look beyond the statistics, Tiffany Garcia, managing director and leader within CBIZ Cybersecurity Services, answers five critical questions to assist public sector entities in assessing and mitigating their cyber risk.
1. What are the top threats for public sector organizations?
According to Verizon’s 2023 Data Breach Investigation Report, 76% of the cybersecurity incidents in the public sector resulted from system intrusion, lost or stolen assets, and social engineering.
- System intrusion involves cyberattacks that use malware or hacking to gain access to systems and data. The category also includes ransomware attacks that hold an organization’s data for ransom, with payment typically demanded in cryptocurrency to keep the attacker anonymous. Malware and ransomware can persist in a system for extended periods without being identified.
- Lost and stolen assets bring the human element into play. The portability of laptop computers and phones combined with the ability to work from anywhere increases the opportunities for devices to be out of an employee’s control, lost or stolen.
- Social engineering attacks also rely on human interaction. In these types of attacks, the cybercriminal uses psychological manipulation to trick employees into giving up sensitive information or making security errors. Phishing attacks, which target employees via email, continue to evolve. Public sector organizations also now face threats from vishing (voice over the phone), smishing (text message) and quishing (phishing using QR codes).
Most cyberattacks targeting the public sector come from the outside and are financially motivated. Public sector entities are also targets for “hacktivists” and adversarial foreign governments. In 2023, 30% of public sector cyberattacks were espionage-related, up significantly from 18% in 2022.
2. Why is the public sector an appealing target for cybercriminals?
Public sector entities are targeted because of the vast amounts of confidential data they collect and the critical services they provide. While the potential to inflict maximum damage and disruption is a primary reason the public sector is targeted, three other factors play a significant role:
- Many public sector entities operate using outdated technology, software and legacy systems with known vulnerabilities. Public sector systems are also highly interconnected, which can magnify the impact of a cyberattack.
- Because they rely on taxpayer funding and legislative approval processes, public sector entities have smaller cybersecurity budgets than their private sector counterparts. In addition to limited funds for updated hardware, software and other infrastructure needs, budget limitations also restrict cybersecurity staffing and salaries, making recruiting and retaining top talent difficult. These restrictions also make it challenging to ensure IT professionals are trained and on top of evolving industry trends and risks.
- While outsourcing IT services helps organizations obtain expertise, knowledge and efficiencies that are harder to achieve in-house, cybersecurity responsibilities and controls are often left to vendors without adequate oversight and monitoring, resulting in security gaps in access controls and in the integration of vendor services.
3. What is the potential impact of cyberattacks?
The average cost of a data breach, ransomware attack or system shutdown continues to rise. However, the impact on an organization goes far beyond the direct costs associated with operational disruption and lost productivity. Organizations must also factor in costs related to:
- Lost intellectual property or research data
- Legal settlements, legal fees and compliance fines
- Insurance claims and increased premiums
- Reputational damage, such as loss of credibility and discontinued vendor relationships
4. How are emerging technologies impacting cybersecurity in the public sector?
Emerging technologies, such as artificial intelligence (AI), the Internet of Things (IoT) and blockchain, have the potential to enhance cybersecurity in the public sector. These technologies give organizations new tools to protect critical data and infrastructure and to improve threat detection. Conversely, threat actors also use them to find and exploit vulnerabilities and to attack and explore victims’ networks.
Across the implementation of these technologies, governance and risk management will be critical. Governance and regulations will be iterative, evolving alongside the advancing technologies. For example, in October 2023, President Biden issued an executive order providing guidance on how AI is developed and deployed by federal government agencies. The order was followed by a memorandum from the Office of Management and Budget (OMB) that provided detailed guidance for federal agencies to help strengthen AI governance, manage risk from AI use and promote responsible AI innovation. Additionally, the National Institute of Standards and Technology (NIST) has developed the NIST AI Risk Management Framework (AI RMF) to better manage the risks that AI poses to individuals, organizations and society.
5. What can public sector organizations do to mitigate their cyber risk?
You can’t eliminate cyber risk, but you can reduce it. Keeping software and hardware up to date, implementing encrypted backups, and managing authentication and access controls are necessary foundational practices. However, with fast-evolving risks and standards, taking a strategic, formalized approach to implementing, managing and adapting cybersecurity processes is essential. A strategic approach should include regular cybersecurity and data privacy assessments to help identify gaps and risks.
Engaging outside experts can help you analyze security gaps and prioritize cybersecurity investment across four critical areas: threat identification, protection, response and recovery. In addition to mitigating risk, experts can help your organization become more resilient with detailed incident response plans and tabletop exercises.
The public sector industry experts at CBIZ can help you identify cybersecurity gaps, mitigate risk and respond effectively to any cyberattacks. Connect with a member of our team and gain access to more resources here.
This article includes input from Tiffany Garcia, Managing Director, CBIZ Cybersecurity Services. Through Tiffany’s partnership, your company can better avoid potential cyber risks that will continue to be present in emerging technology.