Data breaches and hacks of US government networks, once novel and shocking, have become a problematic fact of life over the past few years. So it makes sense that a cybersecurity analysis released today placed the government at 16 out of 18 in a ranking of industries, ahead of only telecommunications and education.
Health care, transportation, financial services, retail, and pretty much everything else ranked above it. The report goes beyond the truism of government cybersecurity shortcomings, though, to outline its weakest areas, potentially offering a roadmap to change.
The analysis of 552 local, state, and federal organizations conducted by risk management firm SecurityScorecard found that the government particularly lags on replacing outdated software, patching current software, individual endpoint defense (particularly when it comes to exposed Internet of Things devices), and IP address reputation—meaning that many IP addresses designated for government use or associated with the government through a third party are blacklisted, or show suspicious activity indicating that they may be compromised. A wide range of issues plague government agencies—but they’re largely fixable.
“There’s a lot of low-hanging fruit when it comes to the government sector overall,” says Alex Heid, SecurityScorecard’s chief research officer. “They’ll implement a technology when it’s very new and then it’ll just sit there and age. This creates a mix of emerging technologies, which might be misconfigured, or not everything is known about them yet, with legacy technologies that have known vulnerabilities and exploitable conditions.”