Cyberattacks on critical infrastructures, which manage crucial services, jumped 30% worldwide in 2023, according to a recent House Committee on Homeland Security data snapshot.

Health care, government and education have been a few of the most vulnerable public sectors to such threats. The holiday season only amplifies these threats as information technology staff goes on break and people lower their guard.

Whether it be ransomware paralyzing Bucks County’s 911 dispatch system or a denial of services attack hampering the Administrative Office of Pennsylvania Courts, there’s been no shortage of examples of such attacks in the greater Philadelphia region.

“The risk is 100% real. And unfortunately, the risk profile has been going up for over a decade and these sectors — like critical infrastructure, water, energy, electric and public schools — are things that are very vulnerable to cyberattacks because they don’t get enough funding,” said Leeza Garber, a cybersecurity and privacy lawyer and consultant.

Garber, who teaches information privacy law at Drexel University, believes the risks facing critical infrastructure aren’t getting enough attention.

“The cybersecurity risk that the public sector faces, including schools, is basically a perfect storm,” she said. “You have all of these different puzzle pieces, coming together to create an atmosphere of vulnerability and risk.”

Moody’s Ratings increased the cyber risk score for education institutions from “moderate” to “high” in 2024. According to the Cybersecurity and Infrastructure Security Agency, the technological gain at schools since the height of the COVID-19 pandemic has made learning more effective — and heightened the risks of a cyberattack.

It takes just one vulnerable entry point for hackers to force their way in.

“When you bring that back down to a more local level, whether it’s a school or a municipality government, those vulnerabilities are magnified, because not only do they have some of the same issues that these bigger companies have, but they also have legacy systems, they have very small budgets dedicated to cybersecurity and upgrading technology and then there’s a lack of education,” Garber said.