110 U.S. Cities Lack Proper Cybersecurity Protections

This guest blog was contributed by Kelly White, CEO of RiskRecon, a Mastercard company.

In June 2021, the U.S. Subcommittee on Emerging Threats and Spending Oversight (ETSO) reported that the total cost of publicly known ransomware attacks on State and local governments in 2020 was nearly $1 billion. Despite this, ransomware attacks on U.S. cities and local governments are escalating. CISA reported that as of March 9, 2022, Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000.


At the same time, organizations and agencies face a growing demand for digital connectivity driven mainly by the COVID-19 pandemic, which accelerated the public’s reliance on digital connectivity. As a result, security and risk professionals are under mounting pressure to minimize third-party cyber risk while increasing digital connectivity.

Adding to this complexity is a growing reliance on outsourced services for critical business processes–from both public and private sectors. Now more than ever, cities and local governments are outsourcing and leveraging third- and fourth-party relationships for activities, from website design and web hosting to parking ticket fine collection and utility payments.


A recent study by Mastercard’s RiskRecon division and Cyentia Institute shows that 110 U.S. cities lack proper cybersecurity protections, creating a ripple effect that impacts many organizations. More investment in technology and cybersecurity professionals is desperately needed to improve the cyber resilience of local governments.


Some key takeaways from The State of Cybersecurity in U.S. Cities report:


  • US cities and local governments lack proper cybersecurity posture. While 59% of cities have information security programs potentially sufficient to protect their data assets, 41% (110 cities) received a cybersecurity rating that indicates potential security gaps present in systems that could result in compromised data.

  • Cities and local governments are struggling with third- and fourth-party risk. With the COVID-19 pandemic accelerating the public’s reliance on digital connectivity, more investment in technology and people is needed to improve the cyber resilience of local governments.

  • Finance and insurance lead industries in cybersecurity performance. Finance and insurance industries received an average cybersecurity rating above 8.0/10, followed by the public sector (7.7 rating), city government (7.3 rating), and education (7.0 rating).

  • Strong correlation between cybersecurity rating and the prevalence of critical security issues. Of the U.S. cities evaluated, RiskRecon identified more than 31,855 cybersecurity issues, of which 403 are “priority 1”—meaning critical severity issues on high-value assets. Furthermore, 41% of cities with a ‘C’ rating or below account for 80% of all “priority 1” issues identified. Good cybersecurity hygiene matters. A recent study by RiskRecon shows that organizations with poor cybersecurity hygiene in their Internet-facing systems have roughly a 40X higher rate of destructive ransomware events than companies with clean cybersecurity hygiene.

  • Focus on Application Security and Web Encryption. Application Security domain account for more than half (1,7281) of all identified cybersecurity issues, followed by Web Encryption (8,057) and System Hosting (2,865).

Local governments provide many critical services used every day. Exploits of cyber vulnerabilities in the public sector can cause far-reaching impacts and interruptions to communities. Government organizations are unique because they hold vast amounts of sensitive and confidential data. Stolen data--including personally identifiable information on citizens, documents related to public safety and courts, and communications on sensitive matters--is often used in attempts for extortion and ultimately offered for sale to other criminals.


As the number of digital connections between residents and their city governments grows exponentially, monitoring this ecosystem can be overwhelming. Investments in modernized tools that alleviate traditionally manual supply chain risk assessment processes can help these cities identify and act on risk more quickly.


Modern technologies enable city governments to monitor their IT stack continuously. Continuous monitoring is crucial as much can happen between assessments. For example, vendor data breaches could unknowingly compromise data, risking penalties from regulators due to delayed customer breach notification, or critical vulnerabilities in third-party environments could go unaddressed, exposing dependent operations and data to compromise.


Download the report to learn more about the “Cybersecurity State of U.S. Cities."


###