Federal IT pros are having more success tackling cybersecurity challenges within their agencies. However, there’s still much work to be done when it comes to solving the security challenges posed by contractors.
According to the most recent SolarWinds Federal Cybersecurity Survey Report, more than half of federal IT pros surveyed say that IT security risks are greater with contractors than with internal agency personnel. Respondents say that “accidental data exposure” and the “lack of understanding of IT security policies and procedures” are the risks most closely associated with agency contractors and/or temporary personnel.
Specifically, nearly half of respondents—48 percent—say that accidentally exposing, deleting, or modifying critical data is the most common cause of careless insider breaches by contractors. “Access to data and resources that are not necessary to do their job” and “using unsecured networks/Wi-Fi” are the next two highest causes of insider breaches by contractors, cited by 46 percent and 42 percent of respondents, respectively.
Solving the contractor-breach challenge
How can a federal IT pro reduce insider-threat risks associated with contractors?
Agencies can use a range of tactics to control how contractors access systems and data, both inside and outside agency walls. Let’s take a closer look.
More than half of survey respondents—53 percent—say that ongoing security training is the best way to reduce insider-breach risks associated with contractor personnel. Other tactics that survey respondents cited include:
- Using multifactor authentication (50 percent)
- Training on security policies when onboarding (49 percent)
- Restricting use of external devices (mobile, USB drives, etc.) (48 percent)
- Monitoring how contractors are accessing accounts, data, systems (48 percent)
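As an added example (not from the survey report or from SolarWinds), the following Python script shows what the last two tactics, restricting contractor access to what the job requires and monitoring how contractor accounts actually use it, look like as detection logic. It reviews access events against a per-contractor entitlement list and flags the three causes named in the survey: access outside the contractor's scope, use of unsecured networks, and deletion or modification of critical data, plus logins without multifactor authentication. The entitlement table, agency network ranges, account names, resource names, log format and log lines are all constructed for the illustration; a real deployment would take them from the agency's identity provider and access logs.

```python
"""
Added example (not from the SolarWinds report): a small rule set that reviews
contractor access events against a per-contractor entitlement list.
All log lines, account names, IP ranges and resource names are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed agency-managed networks; any other source address is treated as an
# unsecured network (public Wi-Fi, home). Constructed for the example.
AGENCY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("172.16.0.0/12")]

# Assumed entitlements (least privilege): the resources each contractor
# account needs for its task and the actions it may take on them.
ENTITLEMENTS = {
    "c-jdoe": {"payroll-reports": {"read"}, "helpdesk-tickets": {"read", "write"}},
    "c-asmith": {"gis-maps": {"read", "write"}},
}

# Assumed list of data whose deletion or modification should always be reviewed.
CRITICAL_RESOURCES = {"payroll-reports", "case-files"}

# Constructed log format: timestamp, account, source IP, MFA flag, action, resource.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)

# Constructed sample log. "c-" accounts are contractors, "e-" accounts are employees.
SAMPLE_LOG = """\
2024-03-04T09:01:10Z user=c-jdoe src=10.20.3.4 mfa=yes action=read resource=helpdesk-tickets
2024-03-04T09:05:42Z user=c-jdoe src=10.20.3.4 mfa=yes action=read resource=case-files
2024-03-04T12:17:03Z user=c-asmith src=203.0.113.77 mfa=no action=write resource=gis-maps
2024-03-04T13:40:19Z user=c-jdoe src=10.20.3.4 mfa=yes action=delete resource=payroll-reports
2024-03-04T14:02:55Z user=e-bwhite src=10.1.1.9 mfa=yes action=read resource=case-files
"""


@dataclass
class Finding:
    ts: str
    user: str
    rule: str
    detail: str


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_agency_network(src):
    """True if the source address falls inside an agency-managed range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable address is treated as untrusted
    return any(addr in net for net in AGENCY_NETWORKS)


def review_contractor_access(events, entitlements=ENTITLEMENTS):
    """Apply the contractor rules to each event; employee accounts are out of scope."""
    findings = []
    for e in events:
        user = e["user"]
        if user not in entitlements:
            continue
        allowed = entitlements[user]
        ts, res, act = e["ts"], e["resource"], e["action"]
        if e["mfa"] != "yes":
            findings.append(Finding(ts, user, "no_mfa", f"login from {e['src']} without MFA"))
        if not is_agency_network(e["src"]):
            findings.append(Finding(ts, user, "unsecured_network",
                                    f"access from {e['src']} outside agency ranges"))
        if res not in allowed:
            findings.append(Finding(ts, user, "out_of_scope", f"{act} on {res}, not in entitlement"))
        elif act not in allowed[res]:
            findings.append(Finding(ts, user, "excess_privilege",
                                    f"{act} on {res}, only {sorted(allowed[res])} allowed"))
        if res in CRITICAL_RESOURCES and act in ("delete", "modify", "write"):
            findings.append(Finding(ts, user, "critical_change", f"{act} on critical resource {res}"))
    return findings


if __name__ == "__main__":
    for f in review_contractor_access(parse_events(SAMPLE_LOG)):
        print(f"{f.ts} {f.user} [{f.rule}] {f.detail}")
```

Run against the sample log, the script produces five findings: one out-of-scope read of case-files, an MFA-less login and an off-network access for the same contractor session, and a delete on payroll-reports that both exceeds the account's read-only entitlement and touches critical data. The employee event produces nothing because the rules are scoped to contractor accounts; in practice the entitlement table is the thing to keep current, since a stale entry is exactly the "access not necessary to do their job" the survey respondents describe.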
Why is training so important? Because implementing all the best technology in the world will not automatically stop a phishing attack. In fact, many agencies weight their security budgets so heavily toward technology that the “human firewall” gets less funding than it deserves. The reality is that a holistic approach, balancing security awareness training with security technology, is the best one.
Training is also often required by federal compliance rules and regulations such as FISMA (Federal Information Security Modernization Act of 2014), HIPAA (Health Insurance Portability and Accountability Act of 1996), NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations), and more.
Training must still be balanced with technology. In other words, multi-factor authentication for access control and ongoing monitoring are important parts of the equation. Invest in a tool or set of tools that provide these capabilities along with the ability to visualize the entire environment from a central location, so that every federal IT pro is better prepared for a potential cyber attack, whether it is socially or technologically engineered.