Government organizations ranked third-to-last in a list comparing the overall cybersecurity posture of 17 public and private sector industries, according to security researchers.
The study, conducted by New York-based SecurityScorecard, graded industries across 10 categories relating to network and software security, the amount of exposed information, and responsiveness to cyber threats. As a whole, the U.S. government fared better only than telecommunications companies and the education sector. In contrast, the food, entertainment and retail industries topped the list.
More than 550 local, state and federal government groups were analyzed in the report, each of which operates more than 100 public-facing IP addresses. Though researchers found government cybersecurity had significant room for improvement, a number of specific federal organizations scored well. The top government performers were the President’s Council on Fitness, Sports and Nutrition; the National Highway Traffic Safety Administration; the Federal Reserve; and the Secret Service.
The relatively small size of these organizations may have contributed to their high marks. While large groups usually have more resources at their disposal to shore up cyber protection, their sheer size creates more potential points of attack and makes it harder to keep cybersecurity systems up to date, according to the report.
“For the public sector, the desire to implement a secure digital ecosystem is there, but the bureaucratic nature of government results in slow implementation of planned objectives,” SecurityScorecard chief research officer Alex Heid told Nextgov. “These systemic delays contribute to the government sector ending up at the back of the pack when it comes to the information security technology race.”
Some large agencies scored well, such as the IRS, Congressional Budget Office and Federal Trade Commission. But overall, government groups performed the worst in risk categories related to organizational size. Researchers highlighted the extensive use of legacy IT systems as an issue for many big organizations.
“A museum-worthy collection of technology investments through the '80s, '90s, and mid-2000s full of vulnerabilities sit alongside new emerging (and often misconfigured) technology, creating a horrible hodgepodge of cybersecurity risks,” the report said.
The government scored particularly poorly in the IP reputation and endpoint security categories. IP reputation is based on the number and duration of malware infections observed on a given organization's addresses, and endpoint security refers to the overall safety of the devices on a group’s network. Government employees’ habit of using personal, unmanaged devices for work increases the number of potential security holes on the network, lowering the overall score.
Researchers gave the public sector high marks in guarding against social engineering, indicating that employees don’t regularly use work credentials to sign up for online services. Government groups also had particularly high scores in categories relating to domain configuration and login security.