Compound Risks: When Security Failures Combine

How multiple security gaps work together to create far worse outcomes than any single failure alone

Why Compound Risks Matter

Security controls are designed to work together. When one control is missing, the risk increases. When two or more are missing, attackers can chain vulnerabilities together—and the damage multiplies. Understanding compound risks helps agencies prioritize fixes that deliver the biggest impact.

1. No SPF + No DMARC = Complete Email Impersonation

SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) work together to prevent email spoofing. SPF tells receiving servers which mail servers are allowed to send email for your domain. DMARC tells those servers what to do when an email fails authentication—and gives you visibility into attempts.

Without both: Anyone can send email claiming to be from your agency—to citizens, vendors, other agencies, or your own staff. There is no technical barrier. Recipients have no way to know the email is fake. Attackers can request payments, steal credentials, or spread malware, all while appearing to come from a trusted government address.

Real example: In December 2025, Smithville, Tennessee lost $425,000 when attackers spoofed a vendor's email address and tricked city officials into wiring payment to a fraudulent account. Proper SPF and DMARC configuration would have blocked the spoofed emails before they reached anyone's inbox.

2. No DNSSEC + No HSTS = DNS Hijacking + Session Theft

DNSSEC (Domain Name System Security Extensions) ensures that when someone looks up your domain, they get the real answer—not a fake one injected by an attacker. HSTS (HTTP Strict Transport Security) forces browsers to always use HTTPS when connecting to your site, preventing downgrade attacks.

Without both: Attackers can redirect your website to a fake copy. When citizens or staff visit what they think is your site, they're actually on a phishing page. They enter credentials, personal information, or payment details—and the attacker captures everything. Because there's no HSTS protection, users see no warning. The fake site can even display a padlock if the attacker uses their own certificate.

3. No MTA-STS + No TLS-RPT = Silent Email Interception

MTA-STS (Mail Transfer Agent Strict Transport Security) requires that email be encrypted in transit between mail servers. TLS-RPT (TLS Reporting) sends you reports when encryption fails or can't be established.

Without both: Emails can be intercepted in transit without anyone knowing. Encryption between mail servers (STARTTLS) is opportunistic: if a receiving server doesn't support it, or if an attacker in the middle strips the offer to encrypt, the sending server falls back to plain text. Without MTA-STS, there's no requirement to use encryption. Without TLS-RPT, you never receive reports about failed encryption—so you have no visibility into the problem and no way to fix it.

4. Exposed Emails on Website + No DKIM = Targeted Phishing

Government websites often list staff email addresses for citizen contact. Attackers use automated tools to scrape these addresses from public pages. DKIM (DomainKeys Identified Mail) cryptographically signs outgoing email so recipients can verify it actually came from your domain.

Without DKIM: Scraped email addresses become high-value phishing targets. Attackers send emails that appear to come from a known government contact—a department head, a clerk, a commissioner. Recipients have no way to verify the sender is authentic. Without DKIM, even sophisticated email filters can't distinguish legitimate government email from impersonation. Citizens and partners are more likely to click, share information, or follow instructions.
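The following is an added example, not code from this page or from YesGov: it takes the TXT records an agency publishes for SPF, DMARC, DKIM, MTA-STS and TLS-RPT and reports the compound gaps described in sections 1, 3 and 4. The domain example-city.gov, the record values and the DKIM selectors checked are constructed assumptions; a real run would replace the lookup callback with live DNS queries.

```python
import re

# Constructed sample TXT records for a hypothetical domain "example-city.gov"
# (not a real assessment); keys are the DNS names the checks would query.
SAMPLE_TXT = {
    "example-city.gov": ["v=spf1 include:_spf.example-mailhost.net ~all"],
    "_dmarc.example-city.gov": ["v=DMARC1; p=none; rua=mailto:dmarc@example-city.gov"],
    "mail._domainkey.example-city.gov": ["v=DKIM1; k=rsa; p=PUBLIC_KEY_PLACEHOLDER"],
    # no _mta-sts and no _smtp._tls records: no transport-security policy, no reports
}

def _first(records, prefix):
    """First TXT record starting with prefix (case-insensitive), or None."""
    return next((r for r in records if r.lower().startswith(prefix.lower())), None)

def assess_email_posture(domain, txt_lookup, dkim_selectors=("default", "mail")):
    """Classify SPF/DKIM/DMARC/MTA-STS/TLS-RPT state and name the compound gaps.
    txt_lookup(name) must return the list of TXT strings published at that name."""
    spf = _first(txt_lookup(domain), "v=spf1")
    dmarc = _first(txt_lookup(f"_dmarc.{domain}"), "v=DMARC1")
    dkim = any(_first(txt_lookup(f"{s}._domainkey.{domain}"), "v=DKIM1")
               for s in dkim_selectors)  # assumed selector names; real ones vary
    mta_sts = _first(txt_lookup(f"_mta-sts.{domain}"), "v=STSv1")
    tls_rpt = _first(txt_lookup(f"_smtp._tls.{domain}"), "v=TLSRPTv1")
    # SPF is weak when it ends in ?all (neutral) or +all (accept any sender).
    spf_weak = spf is not None and re.search(r"\s[?+]all\s*$", spf) is not None
    # DMARC only blocks spoofed mail when p=quarantine or p=reject; p=none just reports.
    m = re.search(r"\bp=(none|quarantine|reject)\b", dmarc or "", re.I)
    dmarc_enforced = bool(m) and m.group(1).lower() in ("quarantine", "reject")
    findings = {
        "spf": "missing" if spf is None else ("weak" if spf_weak else "ok"),
        "dmarc": "missing" if dmarc is None else ("enforced" if dmarc_enforced else "monitor-only"),
        "dkim": "ok" if dkim else "missing",
        "mta_sts": "ok" if mta_sts else "missing",
        "tls_rpt": "ok" if tls_rpt else "missing",
        "compound": [],
    }
    # The combinations this guide calls out, most severe first.
    if spf is None and dmarc is None:
        findings["compound"].append("complete email impersonation (no SPF + no DMARC)")
    elif not dmarc_enforced:
        findings["compound"].append("spoofed mail still delivered (DMARC not enforcing)")
    if not dkim:
        findings["compound"].append("targeted phishing (no DKIM signing)")
    if not mta_sts and not tls_rpt:
        findings["compound"].append("silent email interception (no MTA-STS + no TLS-RPT)")
    return findings

def assess_sample():
    """Run the assessment against the constructed records above."""
    return assess_email_posture("example-city.gov", lambda name: SAMPLE_TXT.get(name, []))
```

Note that the sample domain has a DMARC record and still fails: p=none gives reports but tells receivers to deliver spoofed mail anyway, which is the "no enforced DMARC" state described for Arab, AL.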

5. No SSL + No HTTPS Redirect = Complete Data Exposure

SSL/TLS certificates encrypt data between a user's browser and your server. An HTTPS redirect ensures that even if someone types "http://" or follows an old link, they're sent to the secure version.

Without both: All form submissions, login credentials, and citizen data are sent in plain text. Anyone on the same network—a coffee shop Wi-Fi, a shared office connection, or a compromised router—can read everything. Names, addresses, Social Security numbers, payment information, and confidential inquiries travel unencrypted. Without an HTTPS redirect, users may think they're on a secure page when they're not, or they may land on HTTP by default and never realize the risk.

6. No Security Headers + No security.txt = No Vulnerability Reporting

Security headers (like X-Frame-Options, Content-Security-Policy, and X-Content-Type-Options) protect against clickjacking, content injection, and other browser-based attacks. A security.txt file provides a standard way for security researchers to find contact information and report vulnerabilities responsibly.

Without both: Clickjacking and content injection attacks become possible—attackers can embed your site in a frame and trick users into clicking something they don't intend, or inject malicious content. At the same time, security researchers who discover vulnerabilities have no clear, standard way to report them. They may give up, disclose publicly, or sell the finding. A simple security.txt file at /.well-known/security.txt can direct researchers to your security contact and vulnerability disclosure policy.
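The following is an added example, not code from this page or from YesGov: it evaluates the web-side controls from sections 2, 5 and 6 (HTTPS redirect, HSTS, clickjacking headers and security.txt) against captured HTTP responses and reports the compound gaps. The responses, the security.txt body and the one-year HSTS floor (the value the HSTS preload list requires) are constructed assumptions; a real check would feed in the headers returned by the live site.

```python
import re
from datetime import datetime

# Constructed sample responses (not a real scan): no HTTP->HTTPS redirect, a too-short
# HSTS max-age, no clickjacking header, and a security.txt whose Expires has passed.
HTTP_RESPONSE = {"status": 200, "headers": {"Content-Type": "text/html"}}
HTTPS_RESPONSE = {"status": 200, "headers": {"Strict-Transport-Security": "max-age=300"}}
SECURITY_TXT = "Contact: mailto:security@example-city.gov\nExpires: 2024-01-01T00:00:00Z\n"
MIN_HSTS_AGE = 31536000  # one year, the floor the HSTS preload list requires

def _hdr(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def hsts_state(https_resp):
    """'missing', 'too-short', or 'ok' depending on the HSTS max-age."""
    v = _hdr(https_resp["headers"], "Strict-Transport-Security")
    if v is None:
        return "missing"
    m = re.search(r"max-age=(\d+)", v, re.I)
    return "ok" if m and int(m.group(1)) >= MIN_HSTS_AGE else "too-short"

def security_txt_valid(body, now_iso):
    """RFC 9116: Contact and Expires are required and Expires must be in the future."""
    fields = dict(re.findall(r"^([A-Za-z-]+):[ \t]*(.+?)[ \t]*$", body, re.M))
    if "Contact" not in fields or "Expires" not in fields:
        return False
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return parse(fields["Expires"]) > parse(now_iso)

def assess_web(http_resp, https_resp, sec_txt, now_iso):
    """Combine the checks from this guide and name the compound gaps."""
    h = https_resp["headers"]
    loc = (_hdr(http_resp["headers"], "Location") or "").lower()
    csp = (_hdr(h, "Content-Security-Policy") or "").lower()
    f = {
        "https_redirect": http_resp["status"] in (301, 302, 307, 308) and loc.startswith("https://"),
        "hsts": hsts_state(https_resp),
        # Either X-Frame-Options or a CSP frame-ancestors directive blocks framing.
        "framing_protection": _hdr(h, "X-Frame-Options") is not None or "frame-ancestors" in csp,
        "security_txt": security_txt_valid(sec_txt, now_iso),
        "compound": [],
    }
    if not f["https_redirect"] and f["hsts"] != "ok":
        f["compound"].append("plaintext first visit (no HTTPS redirect + no effective HSTS)")
    if not f["framing_protection"] and not f["security_txt"]:
        f["compound"].append("clickjacking possible with no reporting channel (no headers + no security.txt)")
    return f

def assess_sample():
    """Run the checks against the constructed responses with a fixed clock."""
    return assess_web(HTTP_RESPONSE, HTTPS_RESPONSE, SECURITY_TXT, "2025-06-01T00:00:00Z")
```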

Real-World Government Breaches

These incidents show how compound risks and security gaps lead to serious consequences for government agencies and the people they serve:

Baltimore City ($18 Million)

In 2019, Baltimore's city government was hit by a ransomware attack that crippled essential services. The attack exploited multiple vulnerabilities, including unpatched systems and weak access controls. The city spent an estimated $18 million on recovery—and that doesn't include the cost of disrupted services, lost productivity, or the exposure of sensitive citizen data.

Columbus, Ohio

Columbus experienced a significant ransomware incident that disrupted city operations and exposed vulnerabilities in its IT infrastructure. The attack highlighted how interconnected systems and insufficient security controls can allow attackers to move laterally and encrypt critical data.

Clark County School District (200,000 Students)

One of the nation's largest school districts suffered a breach that exposed data for approximately 200,000 students. The incident demonstrated how education agencies—often under-resourced for cybersecurity—can become targets, and how a single breach can affect an entire community's children.

Oldsmar, Florida Water Plant

In 2021, an attacker gained remote access to a water treatment facility's control system and attempted to increase the level of sodium hydroxide (lye) in the water supply to dangerous levels. The facility used shared passwords and had no multi-factor authentication. This incident showed how operational technology and weak access controls can create physical safety risks—not just data exposure.

Arab, Alabama ($430,000+, 2026)

In early 2026, the City of Arab, Alabama lost over $430,000 to a phishing and business email compromise (BEC) attack. Attackers impersonated a vendor and redirected city payments to fraudulent accounts. Arab had been warned by YesGov in both December 2024 and January 2025 that their domain lacked basic email security protections—no enforced DMARC, no DKIM, weak SPF—and that they were at high risk. The city took no corrective action. At the time of the breach, Arab's domain still carried an F rating on YesGov's security assessment. The loss was entirely preventable with standard email authentication controls that cost under $250/year to implement and maintain.

Nevada State Systems ($1.5 Million, 2025)

In August 2025, Nevada's state systems were compromised in a ransomware attack that began in May when an employee inadvertently downloaded malicious software. The breach cost the state $1.5 million in recovery efforts. Weak email security controls allowed the malicious payload to reach the employee in the first place.

Attleboro, Massachusetts (2025)

In November 2025, Attleboro, Massachusetts faced a sophisticated cyberattack that disrupted multiple IT systems, including city and police phone lines and email services, forcing staff to revert to manual operations. The city's lack of proper email authentication and DNS security left them vulnerable to the initial attack vector.

How Attackers Chain Vulnerabilities: Step by Step

Attack Chain: Email Spoofing to Financial Fraud

Step 1: Attacker checks the target agency's DNS and finds no SPF record and no DMARC policy.

Step 2: Attacker sends an email that appears to come from the agency's domain to a vendor, requesting a payment change.

Step 3: Because there's no DKIM signing, the vendor's email system cannot verify the email is authentic.

Step 4: Without DMARC enforcement, the spoofed email is delivered to the vendor's inbox with no warnings.

Step 5: The vendor changes payment details and sends the next invoice payment to the attacker's bank account.

Result: The agency loses hundreds of thousands of dollars. This is exactly what happened to Smithville, TN ($425,000).

Attack Chain: DNS Hijacking to Credential Theft

Step 1: Attacker discovers the agency has no DNSSEC protection on their domain.

Step 2: Attacker poisons the DNS cache at a nearby ISP, redirecting the agency's domain to a fake website.

Step 3: Because the agency has no HSTS policy, the browser does not enforce HTTPS on the first visit.

Step 4: Citizens visit the fake site and enter their credentials, SSNs, or payment information.

Step 5: The attacker now has real citizen credentials and personal data from a "trusted" government website.

Result: Mass identity theft affecting thousands of citizens, plus legal liability for the agency.

Insurance Denial: The Hidden Cost of Non-Compliance

Your Cyber Insurance May Not Cover You

Cyber insurance policies increasingly require agencies to demonstrate specific security controls are in place. If your agency experiences a breach and cannot prove that basic email authentication (SPF, DKIM, DMARC), DNSSEC, and HTTPS were properly configured, your insurance claim can be denied.

Insurance underwriters now routinely check:

  • Email authentication: SPF, DKIM, and DMARC with enforcement policy
  • Website security: Valid SSL/TLS, HTTPS enforcement, HSTS
  • DNS security: DNSSEC enabled
  • Security documentation: Regular testing, monitoring, and incident response plans

Without these controls documented and verifiable, agencies face uncovered losses on top of the breach itself. Baltimore's $18 million ransomware recovery was not fully covered by insurance because the city could not demonstrate adequate preventive measures were in place.

The Total Cost of Government Cybersecurity Failures

Known Losses from Recent Government Breaches

  • Arab, AL (2026): $430,000+ lost to BEC/phishing despite prior YesGov warnings
  • Smithville, TN (2025): $425,000 lost to email spoofing fraud
  • Nevada State (2025): $1.5 million in ransomware recovery
  • Attleboro, MA (2025): City and police systems offline, forced to manual operations
  • Columbus, OH (2024): Ransomware exposed thousands of citizens' SSNs and personal data
  • Baltimore, MD (2019): $18 million in ransomware recovery costs
  • Clark County Schools, NV (2023): 200,000+ students' data leaked
  • Oldsmar, FL (2021): Water supply nearly poisoned via remote access
  • LA Unified School District (2022): Ransomware disrupted systems for millions of students

Total documented losses exceed $25 million from just these cases alone. The actual total across all U.S. government agencies is far higher.

Taxpayer Liability: You Are Paying for This

Every dollar lost to a government cyberattack is a dollar that came from your taxes. When Arab, AL loses $430,000 to a phishing attack, that money comes out of the city budget—money that was supposed to fund roads, schools, public safety, and services. When Baltimore spends $18 million recovering from ransomware, those are taxpayer dollars diverted from every other priority.

Government IT departments that fail to implement basic, free or low-cost security controls like SPF, DKIM, DMARC, and DNSSEC are not just creating technical risk—they are creating financial liability for every resident in their jurisdiction. These are not exotic, expensive security measures. They are standard configurations that cost nothing to implement and are required by federal guidelines (BOD 18-01, M-21-07).

When officials are warned about security gaps and choose not to act—as happened with Arab, AL—the resulting losses are not accidents. They are the foreseeable consequence of negligence. Citizens have every right to demand accountability from officials who allow preventable breaches to occur with public funds.

What You Can Do

Compound risks are preventable. Each control you add reduces the attack surface and makes it harder for attackers to chain vulnerabilities together. The first step is knowing where your agency stands.

YesGov provides complete compliance management starting at $250/year, including .gov domain acquisition, email security (SPF, DKIM, DMARC, MTA-STS), website security, DNSSEC, monitoring, and all required documentation for insurance compliance.
