US Public Sector Cyber Defenses Weaken Under Human-Focused Attacks
- 43% of ransomware victims in the US in 2025 were local governments (Verizon DBIR 2025)
- 525 ransomware attacks on US public sector agencies between 2018 and 2024, costing $1.09 billion in downtime
- 80% of state/local governments have fewer than 5 dedicated cybersecurity staff
Experts emphasize that the public sector's cybersecurity crisis stems from a combination of relentless human-focused attacks, severe resource constraints, and inadequate training, requiring a unified, socio-technical defense strategy to mitigate risks.
US Public Sector Cyber Defenses Buckle Under Human-Focused Attacks
TAMPA BAY, FL - February 17, 2026 - The United States public sector, from federal agencies to local school districts, is facing a cybersecurity crisis driven by relentless, human-focused attacks and chronic resource shortages. A new white paper from cybersecurity firm KnowBe4, released today, paints a stark picture of a sector under siege, where human error remains the most exploited vulnerability, leaving essential public services and sensitive citizen data dangerously exposed.
The report, titled "Security the Public Sector at Scale: How Unified Human Risk Management Drives Cyber Resilience," highlights four primary challenges: unrelenting cyber threats, severe resource constraints, mounting compliance pressures, and the persistent issue of human fallibility. This combination has created a perfect storm, making government and educational institutions prime targets for cybercriminals.
The Human Element: The Front Line and the Weakest Link
While technological defenses evolve, the fundamental weak point in the public sector's armor remains its people. Cyberattacks like ransomware, phishing, and business email compromise are surging precisely because they target human behavior. Threat actors are increasingly using sophisticated, AI-driven tools to craft convincing phishing emails in minutes, a task that once took hours, dramatically increasing the volume and believability of their attacks. IBM's 2025 Cost of a Data Breach Report found that one in six breaches last year involved AI, underscoring the rapid weaponization of this technology.
"Any fault in our technology or error from our staff could impact thousands of city residents," said Hossam Reziqa, chief information officer for the City of Daytona Beach, in a statement included in the announcement. "It is imperative that we are aware of what we have so we can secure our systems." His experience highlights the critical need for continuous training. "KnowBe4 is, hands down, one of the best platforms to train users on emerging threats," he added, emphasizing the value of quality content and engaging training methods.
The challenge lies in cultivating a security-conscious culture across vast and diverse workforces. Without consistent and effective training, employees can unwittingly become accomplices in breaches by clicking malicious links, divulging credentials, or falling for social engineering schemes. This "human firewall" is often the last line of defense, and the report suggests it is frequently neglected.
Local Governments Under Siege
Nowhere is this vulnerability more apparent than at the local level. According to the 2025 Verizon Data Breach Investigations Report (DBIR), local governments bore the brunt of ransomware attacks, accounting for a staggering 43% of all victims in the United States last year. These municipalities are attractive targets for several reasons: they manage vast quantities of sensitive citizen data, often operate on aging IT infrastructure, and are critically under-resourced.
Research shows that between 2018 and 2024, U.S. public sector agencies suffered 525 ransomware attacks, resulting in an estimated $1.09 billion in downtime costs alone. Each incident disrupted operations for an average of nearly a month, crippling essential services like emergency response, utilities, and public records.
The resource disparity is a key factor. A recent survey revealed that nearly 80% of state and local government entities have fewer than five dedicated cybersecurity staff members, with funding cited as their single greatest challenge. This stark reality means many local governments are simply outmatched, struggling to defend against well-funded and highly sophisticated ransomware gangs and even nation-state adversaries.
"The public sector manages vast amounts of sensitive data, operates with limited budgets and resources, and is increasingly in the crosshairs of threat actors ranging from ransomware gangs to nation-state adversaries," stated Bryan Palma, CEO of KnowBe4. "We are proud to support the public sector mission by providing the tools and intelligence necessary to empower their most valuable asset, people, against these threats."
The Growing Compliance and Resource Chasm
Compounding the threat landscape is a rapidly evolving and increasingly complex web of regulatory and compliance mandates. Federal and state governments are raising the bar for cybersecurity, but without commensurate funding, these new rules risk widening the gap between expectation and reality.
The National Institute of Standards and Technology (NIST) released its updated Cybersecurity Framework (CSF) 2.0 in 2025, establishing a new benchmark for risk management that public agencies are expected to adopt. Simultaneously, the Cybersecurity and Infrastructure Security Agency (CISA) is finalizing rules for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Once implemented, these rules will legally require covered entities to report significant cyber incidents within 72 hours and any ransom payments within 24 hours, adding significant operational and legal pressure on already strained IT teams.
This pressure is felt globally. The World Economic Forum's "Global Cybersecurity Outlook 2026" identified a lack of cybersecurity expertise as the second-most significant challenge for the public sector. For under-resourced local governments, meeting these stringent new standards while fending off daily attacks presents a monumental task, creating a cycle of compliance debt and heightened vulnerability.
A Strategic Shift to Unified Human Risk Management
In response to these multifaceted challenges, security experts and firms like KnowBe4 are advocating for a more holistic approach known as Unified Human Risk Management. This strategy moves beyond traditional, check-the-box annual security training and instead integrates a suite of tools that manage risk across both human and technological layers.
This modern approach combines continuous security awareness training and phishing simulations with integrated technological safeguards, such as advanced email security that can detect and block threats before they reach an employee's inbox. It also includes real-time coaching tools that provide immediate feedback to users who make risky clicks, reinforcing secure behaviors at the moment of error.
Furthermore, the strategy looks ahead to emerging threats, incorporating the management of "agentic AI risk." As organizations increasingly deploy AI agents to automate tasks, these agents themselves become potential targets or vectors for attack. A unified platform aims to manage the security posture of both human employees and their AI counterparts. By creating an adaptive defense layer that reinforces secure behavior, organizations can build a more resilient security culture capable of withstanding the sophisticated, human-focused attacks that now define the cyber threat landscape.
This strategic shift recognizes that securing the public sector is not merely a technological problem but a complex socio-technical one, requiring a sustained investment in people, processes, and integrated platforms to protect the foundation of public services.
