An interesting study just released by the Pell Center for International Relations and Public Policy at Salve Regina University on the state of cybersecurity readiness in state governments confirmed what our own data has been showing us. And that’s this: State and local governments are woefully behind in securing their networks against outside threats.
The study singled out eight states that it said were handling cybersecurity well: California, Maryland, Michigan, New Jersey, New York, Texas, Virginia, and Washington.
That means that there are 42 states that have some work to do. Here was the key takeaway from the study.
“The federal government has actively worked to develop standards, policies, and regulations to enhance cybersecurity across the nation, increase its situational awareness, fight cyber crime, lower cyber risks, improve resilience, and promote information sharing. Cybersecurity, however, cannot be tackled at the federal level alone and states cannot wait for the federal government to provide all responses and solutions before taking actions. States have a responsibility to shoulder their part of the burden and must work to secure their critical infrastructure and cyber assets.”
Basic Security Remains a Problem
We couldn’t agree more. We pulled recent data from our CINS database, which stores all alerts tripped by our active Sentinel devices. (In this case, the data includes information since the beginning of July 2015.) We work with a good number of both state and local governments and also educational organizations, from small K-12 districts to large universities. All of these networks deal with public information, so security is critical. For this analysis, we included statistics for both groups together.
What we found was interesting, especially looking at three specific types of alerts we have seen reported by Sentinels: Cryptowall, Kovter and BrowseFox.
- Cryptowall is the current poster child for ransomware, malware that encrypts files on the victim’s machine and demands a ransom for the encryption key. Ransomware is becoming a hot topic again, and we recently wrote on this blog about how you can protect yourself from it. Since July 1, 5 percent of Sentinel networks from businesses that weren’t in government or education reported a Cryptowall alert. For both government and education networks protected by a Sentinel, that number jumps to over 20 percent. That means a government or education network is four times more likely to be infected with Cryptowall compared to other entities.
- Kovter is a well-known botnet that can be used for stealing personal information and implementing ransomware. According to our alerts, Kovter was concentrated almost exclusively in the government and education space, infecting 23 percent of all networks while only affecting one other network from a different industry. These infected machines attempted to utilize hundreds of command and control servers in over 100 different countries.
- BrowseFox is a common adware program that monitors a user’s browser activity and displays unwanted pop-up advertising. As malware goes, it’s not as dangerous as Cryptowall or Kovter, but it is a perfect example of adware or spyware that is easy to identify and remove. It should be low-hanging fruit for a well-protected network with solid endpoint protection and effective policies in place. That said, about 5 percent of networks outside government and education have reported BrowseFox alerts since July 1. By contrast, 23 percent of government and a whopping 67 percent of education networks reported persistent BrowseFox infections, resulting in over 1.3 million alerts for BrowseFox alone, representing over 99 percent of all BrowseFox alerts blocked on Sentinel-protected networks.
What does all this mean? By almost any measure, government and educational networks are lacking the proper internal controls and protections to keep even the most basic malware, adware, and spyware off of their internal systems.
We have an ebook coming that will address common security misconceptions we see when working with governments and how those governments can battle them. But if these government and educational organizations are having a problem with even the most basic security tasks, then the problem may be in their approach. We believe that there are seven security mindsets that everyone needs to adopt when thinking about how they will secure their networks.
- I will make it harder to exploit my network through legitimate means.
- I will layer security across my network.
- I will create a baseline for my network so I will know what’s normal.
- I will be able to act on what my data tells me.
- I will implement threat intelligence.
- I will stay current on the latest threats and trends.
- I will adopt the ‘assume breach’ mentality.
We have more on each of those mindsets in blog posts here and in another ebook that’s free for download. But it’s clear from the data, and not just ours, that more needs to be done to keep these government and education networks secure.
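Two of the points above lend themselves to a small worked example: the per-sector "share of networks reporting a signature" measurement behind the Cryptowall, Kovter and BrowseFox figures, and the "create a baseline so I know what's normal" and "act on what my data tells me" mindsets. The script below is an added illustration, not Sentinel or CINS code; the alert records, network list and sector labels are constructed for the example, and the three-sigma rule with a one-alert floor is an assumed detection threshold, not anything the post specifies.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not the CINS database). Each network is labelled
# with the sector it belongs to, as the post groups government and education.
NETWORKS = {
    "gov-01": "government", "gov-02": "government",
    "edu-01": "education", "edu-02": "education", "edu-03": "education",
    "biz-01": "other", "biz-02": "other", "biz-03": "other", "biz-04": "other",
}

# Constructed alert records: (network_id, signature, day_index), day 1..10.
# edu-03 shows one BrowseFox alert a day for a week, then a Kovter burst on day 9.
SAMPLE_ALERTS = [
    ("gov-01", "Kovter", 2), ("gov-01", "Kovter", 3), ("gov-01", "Cryptowall", 6),
    ("gov-02", "BrowseFox", 1), ("gov-02", "BrowseFox", 5),
    ("edu-01", "BrowseFox", 1), ("edu-01", "BrowseFox", 2), ("edu-01", "BrowseFox", 3),
    ("edu-02", "BrowseFox", 4),
    ("biz-01", "BrowseFox", 2),
    ("biz-02", "Cryptowall", 7),
] + [("edu-03", "BrowseFox", d) for d in range(1, 8)] + [("edu-03", "Kovter", 9)] * 6


def share_of_networks_reporting(alerts, networks, signature):
    """Fraction of networks in each sector that raised at least one alert
    for `signature` (the measure behind the post's percentages)."""
    reporting = {nid for nid, sig, _day in alerts if sig == signature}
    tally = defaultdict(lambda: [0, 0])  # sector -> [reporting, total]
    for nid, sector in networks.items():
        tally[sector][1] += 1
        if nid in reporting:
            tally[sector][0] += 1
    return {sector: round(hit / total, 3) for sector, (hit, total) in tally.items()}


def daily_counts(alerts, network_id, days):
    """Alerts per day for one network, with zero-filled quiet days."""
    counts = {d: 0 for d in range(1, days + 1)}
    for nid, _sig, day in alerts:
        if nid == network_id:
            counts[day] += 1
    return counts


def build_baseline(counts, training_days):
    """Mean and population std-dev of daily alert volume over the training window."""
    sample = [counts[d] for d in range(1, training_days + 1)]
    return mean(sample), pstdev(sample)


def anomalous_days(counts, training_days, threshold=3.0, min_sigma=1.0):
    """Days after the training window whose volume sits `threshold` sigmas above
    the baseline. A flat baseline has sigma 0, so a floor of one alert (assumed)
    keeps a single stray alert from being flagged."""
    mu, sigma = build_baseline(counts, training_days)
    spread = max(sigma, min_sigma)
    return [d for d, c in counts.items()
            if d > training_days and (c - mu) / spread >= threshold]


if __name__ == "__main__":
    for sig in ("Cryptowall", "Kovter", "BrowseFox"):
        print(sig, share_of_networks_reporting(SAMPLE_ALERTS, NETWORKS, sig))
    for nid in NETWORKS:
        flagged = anomalous_days(daily_counts(SAMPLE_ALERTS, nid, 10), training_days=7)
        if flagged:
            print(f"{nid}: alert volume outside baseline on day(s) {flagged}")
```

On the constructed data, BrowseFox is present on every education network but only a quarter of the "other" networks, which mirrors the shape of the post's figures, and edu-03 is the only network whose post-baseline volume is flagged, because its week of one-a-day adware alerts is the "normal" that makes the day-9 Kovter burst stand out. The same two functions work on real per-network alert exports once the tuples are read from a file instead of a literal.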