The third annual cybersecurity survey of federal IT professionals, conducted by Market Connections and sponsored by SolarWinds Federal, finds that almost half of the respondents say government efforts to modernize and consolidate its IT infrastructure are increasing the security challenges they face.
Digital Government Institute hosted a cybersecurity conference, “Making Government More Secure,” May 26 at the Ronald Reagan Building. Mav Turner, SolarWinds’ Director, Product Strategy, presented the results of the survey.
Almost half of the 200 federal IT decision makers and influencers who participated in the survey – 48% – said security challenges are increasing because of IT modernization and consolidation programs. In a follow-up question, 48% of respondents attributed the increased security risk to “incomplete transitions and difficulty supporting everything;” 46% said it was because of “complex enterprise management tools;” and 44% said it was due to a “lack of familiarity with the new systems” being put in place.
While budget constraints continue to be the most commonly cited obstacle to improving IT security (29%), Turner pointed out that this is a decrease from the same survey question one year earlier, when 40% of respondents blamed budget woes for security challenges.
The three biggest threat sources identified by respondents are careless/untrained insiders (48%), foreign governments (48%), and the general hacking community (46%). Concerns about insider threats and foreign government intrusions have trended upward over the past three years.
Not surprisingly, threat sources are seen very differently by defense and civilian IT professionals. Defense agency respondents’ first concerns are cybersecurity threats by foreign governments (62%) – a concern listed by just 37% of civilian agencies. Threats from the general hacking community are the greatest concern for civilian agencies (56%), which about a third (35%) of defense agency respondents included on their threat lists. Turner pointed out that industrial spying (16%) has been trending upward, as well.
It’s important to identify the sources of threats these agencies worry about, Turner said, because “how you align your defenses depends on what your threat priorities are.”
Concerns about careless or untrained insiders creating security gaps are borne out by the types of breaches respondents reported: 68% of security breaches were due to human error, they said, while 58% arose from social engineering (phishing). Half the respondents listed malware.
The IT professionals participating in the survey generally said the top reason agencies are more vulnerable is that attacks are getting more sophisticated (44%). Both civilian and defense agencies listed this first, but 50% of civilian agencies cited it compared with 37% of defense agency respondents, for whom it was followed closely by end users not following set policies (32%).
When it comes to defending against cyber incidents, Turner said, “having basic defenses in place – virus scans, firewalls, etc. – still have value, but you have to accept they’re not enough.”
The use of smart cards/common access cards for authentication was considered the most valuable security product used by federal IT professionals, by far – 52%. The only other security product to break double digits was identity and access management (14%).