When it comes to cybersecurity readiness, US government organizations aren’t doing so hot. In a recent report from SecurityScorecard comparing the security practices of 18 industries, government ranked no. 16.

“In the midst of investigations into a potential 2016 election hacking, regular major malware events, and an overall increase in the number of sophisticated cyberattacks, the report highlights that the government sector is lagging compared to almost every other industry,” the report said.

For the report, SecurityScorecard analyzed 552 local, state, and federal organizations to see how their security practices stacked up across 10 key categories. The only two industries that ranked lower were telecom (no. 17) and education (no. 18). For government, that’s actually an improvement over last year, the report said, when it ranked dead last.

SEE: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (free PDF)

“On an almost daily basis, the institutions that underpin the nation’s election system, military, finances, emergency response, transportation, and many more, are under constant attack from nation-states, criminal organizations, and hacktivists,” Sam Kassoumeh, COO and co-founder at SecurityScorecard, said in a press release. “Government agencies provide mission-critical services that, until they are compromised, most people take for granted.”

The security categories measured included web apps, network security, leaked credentials, hacker chatter about the organization, social engineering, exposed admin portals, DNS health, patching cadence, endpoint security, and malware presence. For government organizations, endpoint security, IP reputation, and patching cadence were the biggest struggles.

For DNS health, exposed admin portals, and social engineering, governments performed above average relative to the industries measured. For aspects like network and app security, credential leaks, patching and more, though, they fell short.

“Often, when a vulnerability is disclosed, usually in conjunction with a patch, cybercriminals will look for organizations where that vulnerability exists, targeting companies with a slow or readily predictable patching cadence,” the report said.

While government organizations, overall, performed poorly, the US Secret Service, the National Highway Traffic Safety Administration, the IRS, and the Federal Reserve all performed rather well individually.

Regardless, attacks continue to grow in severity and complexity, which should be prompting organizations across all industries to improve their security as much as possible.

“With threats ramping up in frequency and sophistication, investing in creating meaningful cybersecurity strategies and cleaner architectures has become paramount for government agencies to achieve the cybersecurity posture,” the release said.

The 3 big takeaways for TechRepublic readers

  1. In a ranking of cybersecurity readiness across 18 major industries, government organizations are listed near the bottom, according to a report from SecurityScorecard.
  2. These organizations performed well on tests of their DNS health, exposed admin portals, and social engineering, but fell short in endpoint security, IP reputation, and patching cadence.
  3. Cyberattacks grow in complexity and severity every day, and organizations across all industries should be constantly re-evaluating their security posture, the report said.