A survey suggests risks have risen substantially over the last five years, but cyber professionals still feel agencies are doing a good job in IT security.
Careless and untrained insiders and foreign governments are the largest sources of security threats for federal agencies, according to the fifth annual Federal Cybersecurity Survey, released Tuesday by IT management software firm SolarWinds.
The survey, conducted by Market Connections, polled 200 federal IT decision-makers and influencers between December 2018 and January 2019 regarding eight security threats: careless/untrained insiders, foreign governments, general hacking community, hacktivists, malicious insiders, terrorists, for-profit crime and industrial spies.
Six of the eight threat sources were at their highest levels in the survey's five-year history, with the majority of respondents listing careless/untrained insiders (56 percent) and foreign governments (52 percent) as their greatest sources of security threats. Multiple responses were allowed for this question.
Jim Hansen, SolarWinds vice president of products, security and cloud, told Nextgov that insider threats—both careless and malicious—are becoming a constant battle for federal workers, mostly due to a lack of employee training and awareness.
“Malicious behavior is something that can create a significant amount of harm for the agency itself, but the careless insider is really the more dangerous one,” Hansen said. “What we find is these folks don’t necessarily think about security from day to day, and yet the organization has given them all kinds of access to resources.”
Hansen attributed part of this rise to recent increases in the number of devices employees have access to and in the volume of network activity. According to the survey, the top cause of careless insider breaches by federal employees and government contractors was accidentally exposing, deleting or modifying critical data.
“Everyone goes through some kind of basic training, but it’s never enough,” Hansen said. “And at the end of the day, even people who are security conscious or security aware sometimes make mistakes too.”
Some survey respondents suggested shoddy security practices should lead to repercussions.
“We need more consequences for programmers and others who constantly resist, break or evade best IT security practice,” one team leader from the Health and Human Services Department said in a comment.
About half of the survey participants said IT risks were higher with contracted personnel than feds. One respondent who works in logistics for the Navy reflected on this issue in a comment, stating: “We went cloud crazy and are also overly reliant on contractors. The former directly, and immediately, shuts down over 90 percent of our business operations when there is no internet connectivity. The latter are government-paid insider threats whose sole mission is partial solutions, and expanding long-term business, and withholding key info, services, or other from the naive and ignorant government client in order to secure future funding.”
Hansen said while the government could possibly do more to help mitigate these issues, “agencies do feel like they are fighting this, and they also still have a bit of it under control.”
Many participants said that federal regulations and mandates contributed to their agencies' ability to manage risk as part of their overall security posture. Respondents most frequently cited the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity (60 percent) and the Federal Information Security Management Act (55 percent) as strong contributors to their agencies' ability to manage risk.
“The results of this year’s survey are encouraging, but there’s certainly more work to do,” Mav Turner, SolarWinds vice president of product strategy, said in a statement. “Overall, agencies appear to be on the right track, with the right tools and policies in place—a trend we hope will continue.”
The organizations and agencies represented spanned the federal government and military, including NASA, the Transportation Department, the Securities and Exchange Commission, the Defense Department and others.