The U.S. public sector faces unique challenges as it is tasked with safeguarding the most sensitive data of citizens, all while maintaining the critical infrastructure that keeps society functioning. Unfortunately, government and educational institutions are no longer just peripheral targets; they are on the frontline of cyberattacks.
A recent report from KnowBe4, "Securing the Public Sector at Scale: How Unified Human Risk Management Drives Cyber Resilience," sheds light on a sobering reality: despite advances in technical defenses, the public sector is facing a "perfect storm" of unrelenting threats, chronic resource shortages, and a rapidly shifting regulatory landscape. To survive this era of hyper-connectivity, the public sector must pivot from a technology-only defense to a strategy centered on Human Risk Management (HRM).
The Four Pillars of the Public Sector Crisis
The KnowBe4 report identifies four primary challenges that are currently crippling the cybersecurity capabilities of government and education entities:
- Unrelenting Threat Activity: Ransomware, phishing, and Business Email Compromise (BEC) are not just persisting; they are surging. In 2025 alone, local governments accounted for a staggering 43% of ransomware victims. These are not random attacks; they are precise, human-focused strikes designed to exploit the very individuals responsible for public service.
- Chronic Resource Constraints: While threat actors are increasingly well-funded, often backed by nation-states, public sector IT teams are frequently forced to operate with "shoestring" budgets and skeleton crews. This gap between attacker capability and defender resources creates a dangerous window of opportunity for cybercriminals.
- Rising Compliance Pressures: Regulatory oversight is expanding at a dizzying pace. Navigating the complex web of state and federal mandates requires significant administrative overhead, often diverting precious time away from active threat hunting and defense.
- The Human Element: Despite the implementation of sophisticated firewalls and AI-driven security tools, human error remains the single largest vulnerability. Whether it is a weak password, a clicked link in a social engineering email, or a misplaced credential, the "human factor" is the most frequent point of entry for breaches.
Why the Public Sector is the "Perfect Target"
The public sector manages vast amounts of sensitive data (social security numbers, health records, and financial information), making it a gold mine for ransomware gangs and nation-state adversaries. It also operates with limited budgets and resources, and is increasingly in the crosshairs of cybercriminals.
When a private company is hit by a cyberattack, the damage is often financial or reputational. When a city or school district is hit, the consequences are visceral. It can mean the shutdown of emergency services, the exposure of student records, or the inability of a municipality to process payroll and utility payments. In the public sector, cybersecurity is not just an IT issue; it is a matter of public safety.
Shifting the Strategy: From Awareness to Resilience
Security awareness training has historically been viewed as a checkbox for compliance, a once-a-year video or presentation that employees watched with little interest. KnowBe4’s findings suggest that this legacy perspective is no longer sufficient to combat modern threats. Instead, organizations must move toward a Human Risk Management approach.
This approach recognizes that humans are not just a liability to be managed, but an active defense layer in an organization’s overarching security posture. By using platforms that integrate real-time coaching, AI-driven defense agents, and gamified content, public sector leaders can help foster a strong security culture.
The Road Ahead
As we move further into 2026, the integration of AI into both business operations and cyberattacks will only intensify. Threat actors are already using agentic AI to automate phishing campaigns and credential harvesting at a scale previously unimaginable.
The public sector cannot outspend its adversaries, nor can it simply "patch" its way to safety. The way forward lies in building a resilient workforce. By empowering employees to make smarter security decisions, government and educational institutions can transform their greatest vulnerability into their strongest shield.
The message from the KnowBe4 report is clear: The threats are unrelenting, but they are not insurmountable. Through unified human risk management and a commitment to security culture, the public sector can secure its mission and protect the citizens it serves.
Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't one and done. Continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
