New research from the Cybernews Business Digital Index reveals that 53.7% of U.S. government departments and agencies scored D or worse for their cybersecurity efforts, with 38.8% falling into the “F” category. 75% have been affected by data breaches, almost 54% have had corporate credentials stolen, and 27% have employees reusing compromised passwords.
“Cybersecurity threats to critical infrastructure are no longer just theoretical – they are an active and growing risk. Poor cybersecurity practices create vulnerabilities that attackers can easily exploit, potentially shutting down essential services with minimal effort,” said Vincentas Baubonis, Head of Research at Cybernews.
Failing the cybersecurity exam.
According to the index, which grades businesses and various institutions based on their online security measures, using available data from external sources, 53.7% of U.S. government departments and agencies scored D or worse for their cybersecurity efforts, with 38.8% falling into the F category.
Just 22% of them earned an A rating. 10.2% of analyzed government departments and agencies earned a B rating and showed low risk. Meanwhile, 14.3% with a C grade have moderate risk.
Nevertheless, the U.S. government departments and agencies received an average security score of 75 out of 100. According to the index methodology, the overall calculated value from 70 to 79 is considered high risk. Based on this, it can be predicted that American data is at high risk.
“The reality is that cyberattacks constantly threaten organizations of all sizes. Therefore, every one of them has a responsibility to protect itself and safeguard its customers’ data,” Baubonis says.
Common security issues.
Researchers found that the top three issues across industries are secure sockets layer (SSL/TLS) configuration, data breaches, and system hosting issues.
The Cybernews Business Digital Index shows that the most common security issue is related to SSL/TLS configuration, affecting 93% of analyzed departments and agencies. It is a technology that encrypts data transmitted between a web server and a browser to ensure secure communications.
Suppose a company has issues with its SSL/TLS setup. In that case, it can expose sensitive data to interception, making its systems vulnerable to man-in-the-middle attacks and compromising user trust and data security.
Nearly every U.S. government department and agency (77%) suffers from poor system hosting practices, and 75% have been affected by data breaches. At the time of writing this report, 24% of domains had recent data breaches, the latest detected four days ago.
In addition, around 59% of analyzed departments and agencies have issues with email security, almost 54% have had corporate credentials stolen, and companies with lower security levels are more vulnerable to email spoofing. This threat generally affects around 45% of analyzed domains.
45% struggle with web application security, and 40% facing software patching vulnerabilities. 24% have high-risk and almost 23% critical vulnerabilities, and 27% have employees reusing compromised passwords.
These weaknesses can open up companies to data breaches, which often have far-reaching consequences, such as damage to a reputation, financial losses, legal penalties, and loss of trust.
Geographical breakdown of vulnerabilities
Most government departments and agencies across all U.S. territories, except the Midwest States, were assigned to the F Score level, averaging 45%.
Despite that, Midwest region states show better security practices but still have 28% F-rated companies. In contrast, U.S. territories have significantly lower cybersecurity, with 55% of companies rated F.
Connecticut, South Dakota, and the District of Columbia have the highest overall score, above 90, and are at low risk for data leaks. Meanwhile, Idaho, Massachusetts, the U.S. Virgin Islands, Indiana, and Maine have the lowest overall score (from 54 to 58), and their data is likely at critical risk of being leaked.
The Cybernews research team analyzed 490 U.S. government departments and agencies domains. Detailed data collected from multiple sources, including IOT search engines, IP and Domain name reputation databases, and custom scanners, shows the digital security posture of government departments and agencies.
The report evaluates risk across seven key areas: software patching, web application security, email security, system reputation, SSL Configuration, system hosting, and data breach history. The detailed report’s Methodology is here.
Author
