Half of state and local government officials say their office hasn’t done anything to prepare for ransomware over the last year, a new survey says, despite such attacks debilitating cities and counties around the country in 2019.
A Harris-IBM survey of 690 city and county employees interviewed since January found that half of all respondents “have not seen any change in preparedness by their employer” in the last year, and that more than a quarter haven’t received any cybersecurity training whatsoever.
Ransomware, a kind of cyberattack that locks up a user’s computer and demands a payment for a key to decrypt it, has become a steady scourge for local governments in the U.S. With their combination of often weak cybersecurity practices but often vital services, cities have become a particularly ripe target for hackers. When ransomware is successfully deployed on a local government network that doesn’t have its files backed up, it often leaves its target with an ugly choice: pay criminals in the hope they’ll fix the problem, or expect citizens to go without government services.
Even as the overall number of ransomware infections has trended downward in recent years, ransomware infections in state, county, and city governments have increased. At least 113 state and city governments were infected last year, according to a survey by cybersecurity company Emisoft.
This year is shaping up to be no exception. There have been at least 18 identified cases in the U.S. so far in 2020, said Allan Liska, a ransomware expert at cybersecurity firm Recorded Future. “At the end of February 2019 [we] had identified nine state and local government ransomware attacks. eighteen is already double that number,” Liska told Fortune.
One in six respondents of the IBM poll had experienced an attack at their own office. Perhaps most disturbingly, 9% said they had neither an in-house security team or paid for one of their own.
A majority of employees—52%—also felt defending from ransomware is primarily the federal government’s responsibility, highlighting the awkward relationship between the Department of Homeland Security, which offers cybersecurity guidance and services to local governments, but only at those governments’ request.
The director of DHS’s cybersecurity arm, the Cybersecurity Infrastructure Security Agency, has warned that voter registration databases are particularly important to secure from cyberattack, as a ransomware attack on Election Day could cause voter delays.
“Recent history has shown that state and county governments and those who support them are targets,” CISA director Chris Krebs said at the time. Voter registration databases could be an attractive target for these attacks.”
More must-read stories from Fortune:
—Apple corrects for coronavirus to keep next iPhones on track
—Did the ‘techlash’ kill Alphabet’s city of the future?
—How technology is changing how we volunteer
—Oracle and Google will face off in tech’s trial of the century
—A.I. is transforming the job interview—and everything after
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.