When the Office of Personnel Management (OPM) was hit by hackers, it was yet another example of the government’s security failures. However, I didn’t realize just how weak that security was until a recent study by Veracode.
In its State of Software Security report, Veracode found that every industry is failing miserably at cybersecurity, but no industry is as bad at cybersecurity as our government. The government ranks last among 34 industries in meeting basic security guidelines, falling well short of security efforts among other verticals. As a CNBC article put it:
Most strikingly isn't how poorly the government's applications fared. It's how unlikely they were to be fixed.
Government agencies fix fewer than one-third of all detected problems, according to the report. By comparison, financial services fixed 81 percent of its problems, while manufacturing fixed 65 percent.
According to the study, one of the government’s biggest stumbling blocks when it comes to security is its continued use of outdated programming languages, which are more likely to have vulnerabilities. I have to say, this revelation doesn’t surprise me in the least, as I’ve listened to the rants of those who work with government networks and the outdated software. I wouldn’t be surprised if Windows XP was still the primary operating system for a lot of government offices. I get that updating software and programming languages on the scale that the government would have to deal with is daunting – and would taxpayers be willing to foot the bill for the necessary upgrades? Government entities are hamstrung with what they have, and until there is a massive overhaul of their systems, government is going to continue to be at the bottom of any cybersecurity list.
While the government’s security failures may be most notable because of how poorly they are doing overall, we need to recognize that the health care industry isn’t doing very well, either. When you think about how much information about us as individuals and as organizations these two industries hold, it is alarming to discover how often they are failing to protect all that sensitive data. A release from Veracode stated that 80 percent of health care applications exhibit cryptographic issues such as weak algorithms upon initial assessment, and that the industry remediates less than half of known vulnerabilities.
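The "weak algorithms" finding above is the kind of defect a static assessment reports: an application hashing with MD5 or encrypting in ECB mode. The following is an added example, not code from Veracode or the report; it is a small Python scan that flags common weak-algorithm identifiers in source text and, beside it, a weak password hash next to a hardened PBKDF2 version. The source snippet, the list of flagged names and the suggested replacements are all constructed for this example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed mapping of algorithm names that assessment tools commonly flag
# as weak, each paired with a suggested modern replacement (this example's own
# choices, not the report's).
WEAK_ALGORITHMS = {
    "md5": "sha256",
    "sha1": "sha256",
    "des": "aes-256-gcm",
    "rc4": "aes-256-gcm",
    "ecb": "gcm mode",
}

# Match the names as standalone tokens; underscores count as separators so
# that e.g. MODE_ECB is caught, while sha256 is not mistaken for sha1.
_PATTERN = re.compile(r"(?<![A-Za-z0-9])(md5|sha1|des|rc4|ecb)(?![A-Za-z0-9])", re.IGNORECASE)

def find_weak_crypto(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, algorithm, suggested_replacement) for every weak-algorithm mention."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in _PATTERN.finditer(line):
            algo = match.group(1).lower()
            findings.append((line_no, algo, WEAK_ALGORITHMS[algo]))
    return findings

# Constructed sample of application source with two weak-crypto defects.
SAMPLE_SOURCE = """\
import hashlib
from Crypto.Cipher import AES
digest = hashlib.md5(password.encode()).hexdigest()
cipher = AES.new(key, AES.MODE_ECB)
secure = hashlib.sha256(data).hexdigest()
"""

# 'Before': unsalted MD5 of a password, the defect a scanner would report.
def weak_password_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# 'After': salted PBKDF2-HMAC-SHA256 with a per-user random salt and a high
# iteration count, so identical passwords do not share a digest and brute
# force is slowed down.
def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = 600_000) -> bool:
    """Constant-time comparison so verification does not leak timing information."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    for line_no, algo, fix in find_weak_crypto(SAMPLE_SOURCE):
        print(f"line {line_no}: weak algorithm {algo!r}, consider {fix}")
    salt, digest = hash_password("example-passphrase")
    print("verified:", verify_password("example-passphrase", salt, digest))
```

The scan is deliberately a token match rather than a parser; it is the cheap first pass that tells you which files need a human look, which is also the stage where, per the report, remediation tends to stall.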
On the flip side, manufacturing is most likely to fix its security problems, followed by the financial industry.
Well, now we have a clearer picture of why we see so many breaches in government agencies (or in health care, for that matter). What will it take to improve the security efforts in these industries – and more importantly, are we willing to foot the bill with higher prices and taxes? Better security isn’t free, after all, and I don’t believe that anything will change until we are willing to demand it and pay for it.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba