Under cyber siege: How well are cities protecting themselves?

May 20, 2024 | By Satta Sarmah Hightower

In just the past six months, American cities — from St. Cloud, Florida, to Wichita, Kansas, to Long Beach, California, and others — have been targeted in cyberattacks, jeopardizing vital public services. A recent study, however, shows that many cities have been taking these threats seriously and are working to bolster their cyber resilience.

RiskRecon, a Mastercard company and leading provider of cybersecurity ratings and assessments, has been analyzing how 271 cities across the U.S. have changed their security posture over the past three years. In August 2021, the company evaluated these cities and assigned ratings based on their performance across nine security areas, ranging from application security to web hosting. Since then, RiskRecon has found the average overall security rating has improved from 7.3 to 8.1 on a 10-point scale.

As of January, 221 cities had secured an A or B rating, indicating stronger security in many jurisdictions.

Still, cities shouldn’t let their guard down, says Rigo Van den Broeck, executive vice president of cybersecurity product innovation at Mastercard. “No organization is too big or too small to be targeted. There’s a would-be hacker out there for every organization — no matter the size,” he says.

One of the most dangerous vulnerabilities for cities — and one relatively easy to fix — is updating outdated software, says Mastercard's Rigo Van den Broeck.

In a recent conversation with Mastercard Newsroom, Van den Broeck shares what RiskRecon’s research reveals about the current risk landscape for cities and how to better protect critical systems and data.

The good news is that governments are taking steps to protect themselves. The bad news is that governments and the public infrastructure they protect increasingly are being targeted by bad actors. What is driving this?

Van den Broeck: We’ve all seen the headlines detailing crippling cyberattacks across governments and public infrastructure — there’s no shortage of examples. Across all sectors, digitization has been a constant for many years, but historically, many governments have been slower to adapt. COVID was a game-changer in that offering digital services was no longer optional. It became critical that governments could serve their citizens over the internet. This rapid evolution significantly expanded the attack surface, providing more opportunities for cybercriminals.

It’s essential to understand who is behind the attacks. Hackers often choose their targets based on a few common factors, such as the sensitivity of an organization’s data or how critical it may be that they operate without interruptions. Governments are also prime targets for politically motivated bad actors. When we combine all these factors, it’s not surprising that governments are often targeted.

What are the financial and operational risks for cities that leave themselves open to hackers?

Van den Broeck: Hackers often use stolen data in extortion attempts or sell this information to other criminals, leading to significant losses for breached organizations. IBM’s Cost of a Data Breach Report 2023 indicates the global average cost of a data breach in 2023 was $4.45 million. 

With cities, there’s an even greater financial risk because of the essential services they provide and sensitive data they are entrusted to safeguard. When they experience a cyber incident, the impact is wide-ranging. We’ve seen breaches that deprive emergency personnel of real-time information they need for effective crisis response, for example, or limit access to public computers at one of the world’s busiest library systems. Getting systems up and running again can be costly, and cities may face costs associated with monitoring, litigation and incident response.

And then there is reputational damage, where the loss of public trust can be detrimental, especially when we consider that local governments rank among the most trusted government entities. It’s hard to put a price on that.

How does RiskRecon go about testing the fences, so to speak?

Van den Broeck: RiskRecon continuously assesses the internet presence of more than 19 million organizations, ranging from e-commerce merchants to multinational conglomerates to health care organizations. The assessments go both broad and deep, looking for publicly visible evidence we can use to infer an organization’s cyber hygiene, things such as out-of-date and vulnerable software or internet communications that aren’t appropriately protected. Our research has shown that those with very poor cybersecurity hygiene — rated as D or F — experienced breach events 35 times more frequently than A‑rated organizations.

$4.45 million
Cost of a data breach in 2023, according to IBM

What are the most impactful ways cities have been improving their cybersecurity posture?

Van den Broeck: A number of reports and research, whether from Mastercard or elsewhere in the industry, consistently identify several top contenders for contributing to a breach. Among those are outdated software, which hasn’t been able to receive security updates in some time, and when sensitive services are exposed to the public internet and shouldn’t be. Think databases and remote access tools. 

The good news is that the cities we’ve monitored in recent years are showing higher overall ratings, indicating better cyber hygiene. We’ve seen across-the-board improvement in eight of the nine security domains that we assess, and the gains have been in the right places, including email and domain-name system security, software patching and web encryption.

For cities that scored lower, what are the easiest and most immediate steps they could be taking?

Van den Broeck: RiskRecon advocates for an approach that looks at how severe the issue an organization is facing is and how sensitive the system it’s impacting is. Outdated software has long reigned as one of the most dangerous vulnerabilities for an enterprise, and that’s not expected to change anytime soon. That should be a priority.

Developing strong cyber hygiene takes time, so it’s always important to evaluate ways to mitigate risks throughout your cybersecurity journey. There are resources that can help cities no matter their size. Cybersecurity agencies at various levels of government and computer emergency response teams have expansive missions that aid in securing the internet. Mastercard also proudly supports several organizations that provide no-cost cybersecurity services, including the CyberPeace Institute, the Global Cyber Alliance, and the Shadowserver Foundation.

How do cities that rely on third-party vendors ensure that they’re not making themselves vulnerable?

Van den Broeck: Understanding your third-party risk is critical to organizations, especially considering the complexities of expanding supply chains and the increased incidence of third-party breaches. There’s a phenomenon in cybersecurity where similar organizations use the same types of technologies because they need certain capabilities and decide to rely on the same software, or even when there are a few specialty suppliers that meet the needs of those organizations. The effect of this is a systemic concentration of cyber risk that can have catastrophic consequences if one of these service providers or software suppliers is impacted by a cybersecurity event.

In our recent survey with Cyentia Institute, “The state of third-party risk management,” we found that 23% of respondents indicated their organization had suffered a security breach from a third party. Establishing a robust third-party risk-management program is a necessity today. We are beyond the point where due diligence just occurs at the vendor onboarding phase. Instead, organizations need real-time visibility into their third parties to adequately understand and manage their risks. 

What would you tell cities that think they’re too small to be targeted?

Interestingly, we’ve seen cybersecurity risk introduced unexpectedly with smaller cities and governments because they share many resources to achieve efficiencies. This means that a vulnerability in one system may be enough to take down the services of many municipalities, as we saw in a ransomware attack that hit 23 small Texas towns a few years ago. It’s easy to think that you may not be a target of a cyberattack because a motive may not be readily apparent, but the incidents we continue to see prove otherwise.

Satta Sarmah Hightower, contributor