You don’t have to look any further than the headlines to know that cybersecurity incidents against federal agencies are on the rise.
But the annual Federal Information Security Management Act report, a scorecard of agencies’ progress on cybersecurity measures, provides a unique opportunity to examine the threats each agency faces.
All told, federal agencies reported nearly 70,000 events in fiscal 2014, 15 percent more than in the previous year, ranging from phishing attempts, malware infections and even low-tech security issues, such as leaving sensitive paper files unattended.
In fact, about a quarter of the incidents reported by large agencies involved the loss of personally identifiable information from hard copies or printed materials -- not digital records.
A quarter of all incidents reported by the large cabinet-level agencies were listed as “noncyber” related.
Nextgov breaks down the biggest cyber threats faced by the following five agencies.
The Agriculture Department reported 771 incidents related to malware and other forms malicious code that managed to slip past antivirus tools and were not immediately quarantined. That’s down from the 1,067 malware incidents reported in 2013 but remained the biggest source of vulnerabilities at the department.
Failing to properly adhere to cyber policies tripped up the Defense Department the most in 2014. The agency reported 2,429 incidents related to mishandling or insecurely storing personally identifiable information or emailing sensitive data without proper encryption.
Similarly, the Department of Homeland Security reported the highest numbers of incidences in the policy violation realm -- 985 total, down slightly from the year prior.
At the Department of Housing and Urban Development, incidents involving lost or stolen equipment, including laptops, mobile devices and backups disks, jumped by nearly half.
The State Department is unique among federal agencies for the challenges it faces from social engineering, which describes attempts to coax users into providing sensitive information that can then be used in sophisticated phishing campaigns. In 2014, State reported 829 such incidents -- up slightly from the year before. The department is clearly aware of the threat. It’s scheduled an employee training session for March 19 on protecting users from socially engineered email attacks.
(Image via Jeff Wasserman / Shutterstock.com)