In February of 2022, we published "The State of Cybersecurity in U.S." a detailed report on the cybersecurity posture of the most populated cities in the U.S. Our initial research was performed in August 2021 and examined the web presence of city governments to better understand their cyber risks and the risks of their third and fourth-parties.
The sample included the five most populated cities from each state (excluding inhabited territories and including the ten most populated cities for California, Florida, New York, and Texas, and the District of Columbia). Exactly one year later we assessed the same sample to determine what, if any changes had occurred in their cybersecurity performance.
What's Different Now?
- An additional 6% of the cities evaluated have improved their overall rating to either an A or B rating. As of August 2022, 69% (187) of cities fall into A and B ratings, indicating that their information security programs may be sufficient to protect their data assets
- There are 6% fewer cities receiving an overall rating of C or below. As of August 2022, 31% (84) of cities have C or below ratings, and only one city had an F rating, indicating that there may be security gaps present in systems that could potentially result in data compromise
- The average overall rating improved to 7.7/10 as of August 2022, a sizable improvement from last year’s 7.3/10 average cybersecurity rating for all city governments (corresponding to a B rating).
- As of August 2022, we identified 421 ‘priority 1’ issues, the most critical issues on sensitive systems, representing a 4.9% increase compared to August 2021. Although we saw an overall increase in ‘priority 1’ issues, more than 60% of cities had no ‘priority 1’ issues. Furthermore, five cities accounted for more than a quarter of all ‘priority 1’ issues.
- Over the 12 months, we observed ten publicly disclosed data loss events that affected nine cities, representing a 41% significant decrease from the 17 publicly disclosed incidents from the prior 12 months.
Security Domain Performance
|
Security Domain Ratings |
August 2021 |
August 2022 |
Change |
|
Overall Rating |
7.3 |
7.7 |
+0.3 |
|
Application Security |
5.2 |
5.7 |
+0.5 |
|
Breach Events |
9.4 |
9.6 |
+0.2 |
|
DNS Security |
6.3 |
6.4 |
+0.1 |
|
Email Security |
8.1 |
8.5 |
+0.5 |
|
Network Filtering |
7.7 |
7.6 |
-0.1 |
|
Software Patching |
8.9 |
9.4 |
+0.5 |
|
System Hosting |
7.2 |
7.1 |
-0.1 |
|
System Reputation |
10.0 |
10.0 |
0 |
|
Web Encryption |
6.9 |
7.2 |
+0.2 |
The performance across six of the nine security domains showed improvement. Most importantly, we identified the most significant gain in the Application Security, Email Security, and Software Patching domains.
Overall, we saw a great deal of improvement in the cybersecurity posture of the United States’ largest cities. Specifically, we identified significant improvements in critical areas like Software Patching, one of the most prevalent factors in ransomware and hacking events. Efforts like Cybersecurity and Infrastructure Security Agency’s “Shields Up” initiative have provided valuable guidance for state and local governments. Given the increase in overall scores and improvements across key security domains, we are not surprised by the 41% decrease in publicly disclosed data loss events amongst the sample of cities.
To learn more about our original study of U.S. Cities, download the REPORT.
To learn more about RiskRecon, request a DEMO.
