Discussions about the cybersecurity readiness of government agencies have typically tended to focus on federal entities rather than on their state counterparts. That may be a big mistake.

A new study by the Pell Center for International Relations and Public Policy at Salve Regina University revealed a troubling lack of preparedness to deal with cybersecurity threats among a vast majority of state governments.

All 50 states are investing in broadband communication and moving forward aggressively on promoting wider use of the Internet to stimulate economic growth and to improve service. But not a single one of them managed to meet all the evaluation criteria that Pell used to measure their cyber readiness, says Francesca Spidalieri, senior fellow for cyber leadership and author of the report.

“The study was really meant to bring awareness to the role that state governments, not just the federal government, play in protecting critical infrastructure and the data than has been entrusted to them by their citizens,” Spidalieri says.

Just like the federal government, state governments, too, hold data on millions of citizens and depend heavily on the Internet and communications technologies to deliver services and to maintain critical infrastructure. But few appear to be considering the potential exposure and costs associated with cyber threats, says Spidalieri.

For the study, Pell looked at measures like whether the state had a strategic cybersecurity plan, formal incident response capabilities, data breach notification, and other cybersecurity laws, threat information-sharing mechanisms, and spending on cybersecurity R&D. Pell interviewed state CIOs, chief information security officers, and other state government officials and also reviewed open source data, to arrive at its conclusions.

California, Texas, Maryland, and Washington were among eight states that were identified by the study as being relatively more prepared to deal with current and emerging cyber threats than counterparts. The others are New York, New Jersey, Washington, and Virginia.

Each of these states fared better then others on some of they key measures used to evaluate them. For example, California scored well in areas like incident response, e-crime laws, and cyber R&D. But its performance in areas like regular threat assessments and accountability for cyber preparedness remained a work in progress. Pell assessed Texas as being adequate in areas like having a competent cybersecurity authority, doing regular threat assessments, and following the NIST framework, but found it still has work to do in terms of implementing effective cybersecurity laws. Michigan appeared to be the most prepared, based on its meeting most of the measures it was evaluated against.

A vast majority of states though are unprepared, says Francesca. “Most states don’t even mention the need to secure their IT systems or to address cyber threats,” she said. Some acknowledge the problem but appear to have done little to address it.

The common challenges somewhat unsurprisingly related to a lack of funding for cybersecurity programs, lack of executive engagement, the growing sophistication of threats, and a shortage of cybersecurity professionals. “It’s a grim picture and my report meant to shed some light on the states that are leading the way,” she said.

Meanwhile, a second report also released this week served up another reminder of the challenges that federal agencies continue to face on the cybersecurity front. The report by MeriTalk and Palo Alto Networks found that 44 percent of federal endpoints are vulnerable to cyber threats while 30 percent of federal network connected devices have been infected with some type of malware.

As with state governments, barely half of all federal agencies have taken specific steps to secure endpoints while some 20 percent of endpoint security audits do not include all network-connected devices.