Outdated systems, budget constraints and old habits are three big reasons why federal agencies struggle with cybersecurity.
How big is this struggle? According to a new study from Vormetric, 90 percent of IT professionals in federal agencies admit they are worried that their networks are vulnerable to cyber threats, and more than 60 percent say their agency did suffer a breach, with 20 percent adding that the breach happened in the past year.
Obviously, there are many reasons why federal agencies need to step up their security (says the person who received a letter from the Office of Personnel Management warning that my personal information may have been compromised). Within this survey, the biggest driver appears to be following legal regulations, as eWeek pointed out:
As the report mentions, compliance is still the leading reason for securing sensitive data in the U.S. federal vertical (55 percent) and the top reason for data security spending (57 percent)—higher than the global average of 46 percent but in line with the percentage (54 percent) of the United States in general.
However, improving security isn’t going to happen without increased budgets to install new security systems and hire new security professionals (areas that the study showed as problems). But this section of the report particularly jumped out at me: Federal agencies tend to stick with what worked in the past – or at least, stay with what they’ve always done. Therefore, they’ll put the money into endpoint security, which we’ve seen has become cumbersome, while paying little attention to at-rest data. As the report said:
Over time, we are hopeful that the security industry will come around to the fact that perimeter defenses offer little help defending against multi-stage attacks, and that approaches that have proven to be effective at protecting data after attackers have bypassed perimeter defenses – such as file and application encryption and access controls – will gain more attention.
A study from the Office of Management and Budget shows how these security struggles are coming back to haunt the federal government. As SC Magazine explained:
The report found that government attackers successfully executed 77,000 cyber incidents, including network breaches or data infiltration during fiscal year (FY) 2015. This is a 10 percent increase from FY 2014.
The report also echoed some of the Vormetric findings with regard to budgets and personnel – both areas are lacking.
I expect to see more reports repeating similar information, and yet, in this political season, cybersecurity rarely, if ever, comes up in debates, speeches, or from interviewers. What will it take for the federal government to take cybersecurity more seriously and address today’s problems and tomorrow’s threats?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba.